Automated Malware Analysis IOC Report for

Files

File Path

Type

Processes

Path

Cmdline

Malicious

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36

Details

Is windows:	true
Is dropped:	false
PID:	2316
Target ID:	2
Parent PID:	1700
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	14:43:59
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xed0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Suspicious Execution of Shutdown	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\shutdown.exe

"C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15

Details

Is windows:	true
Is dropped:	false
PID:	2640
Target ID:	8
Parent PID:	2316
Name:	shutdown.exe
Path:	C:\Windows\SysWOW64\shutdown.exe
Commandline:	"C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Size:	23552
MD5:	FCDE5AF99B82AE6137FB90C7571D40C3
Time:	14:44:16
Date:	15/01/2025
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0xf50000
Modulesize:	40960
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses shutdown.exe to shutdown or reboot the system	System Summary	System Shutdown/Reboot
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Suspicious Execution of Shutdown	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\g6lWBM64S4.msi"

Details

Is windows:	true
Is dropped:	false
PID:	3320
Target ID:	0
Parent PID:	2580
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\g6lWBM64S4.msi"
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	14:43:58
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d2f00000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Suspicious Execution of Shutdown	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	1700
Target ID:	1
Parent PID:	620
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	14:43:58
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d2f00000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE	System Summary
Sigma detected: Startup Folder File Write	System Summary
Sigma detected: Suspicious Execution of Shutdown	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"

Details

Is windows:	true
Is dropped:	false
PID:	6812
Target ID:	3
Parent PID:	2316
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Size:	236544
MD5:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Time:	14:44:12
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x240000
Modulesize:	368640
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Direct Autorun Keys Modification	System Summary
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6984
Target ID:	4
Parent PID:	6812
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:44:12
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\reg.exe

reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3336
Target ID:	5
Parent PID:	6812
Name:	reg.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\reg.exe
Commandline:	reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Size:	59392
MD5:	CDD462E86EC0F20DE2A1D781928B1B0C
Time:	14:44:12
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xa0000
Modulesize:	335872
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Sigma detected: Direct Autorun Keys Modification	System Summary
Uses reg.exe to modify the Windows registry	System Summary	Modify Registry
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	1880
Target ID:	6
Parent PID:	3336
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:44:12
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	3336
Target ID:	9
Parent PID:	2640
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:44:16
Date:	15/01/2025
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.advancedinstaller.com

unknown

https://situacaonssprj.com/molde/arvore.png

104.21.16.1

Details

Name:	https://situacaonssprj.com/molde/arvore.png
IP:	104.21.16.1
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Sigma detected: Msiexec Initiated Connection	System Summary
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

http://collect.installeranalytics.com

unknown

https://www.thawte.com/cps0/

unknown

https://www.thawte.com/repository0W

unknown

https://collect.installeranalytics.com

unknown

https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

https://situacaonssprj.com/molde/calvao1.png

104.21.16.1

Details

Name:	https://situacaonssprj.com/molde/calvao1.png
IP:	104.21.16.1
TargetID:	2
From Memory:	false
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Sigma detected: Msiexec Initiated Connection	System Summary
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Domains

Name

Malicious

situacaonssprj.com

104.21.16.1

Details

Name:	situacaonssprj.com
IP:	104.21.16.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

bg.microsoft.map.fastly.net

199.232.210.172

s-part-0017.t-0009.t-msedge.net

13.107.246.45

IPs

Domain

Country

Malicious

104.21.16.1

situacaonssprj.com

United States

Details

IP:	104.21.16.1
TargetID:	2
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	situacaonssprj.com

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings

JITDebug

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe

JScriptSetScriptStateStarted

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

kBiTrog

Details

TargetID:	5
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	kBiTrog
Value data:	C:\Users\user\EGvKWow\kBiTrog.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

D70000

heap

page read and write

2B5E000

stack

page read and write

9D7000

heap

page read and write

86C000

stack

page read and write

28CE000

stack

page read and write

9D0000

heap

page read and write

8AC000

stack

page read and write

2A28000

heap

page read and write

9BF000

stack

page read and write

2910000

heap

page read and write

25DD000

stack

page read and write

910000

heap

page read and write

290F000

stack

page read and write

9EB000

heap

page read and write

2880000

heap

page read and write

2C10000

heap

page read and write

BDE000

stack

page read and write

C1F000

stack

page read and write

2B9F000

stack

page read and write

95E000

stack

page read and write

2A20000

heap

page read and write

970000

heap

page read and write

960000

heap

page read and write

283D000

stack

page read and write

2920000

heap

page read and write

There are 15 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
g6lWBM64S4.msi

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportg6lWBM64S4.msi

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
g6lWBM64S4.msi