| Field | Value |
|---|---|
| File name: | Setup.msi |
| Full analysis: | https://app.any.run/tasks/fb60dcb6-c51e-4442-8f79-b34a23f69808 |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | December 19, 2023, 11:37:07 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Tue Dec 19 09:12:31 2023, Create Time/Date: Tue Dec 19 09:12:31 2023, Last Printed: Tue Dec 19 09:12:31 2023, Revision Number: {796E4F2E-86C3-4B0C-A3DF-D4C9DF16D768}, Code page: 1252, Template: Intel;1033 |
| MD5: | A4ACC2A21685E87A7E2982BF68888A3F |
| SHA1: | 2F9A90ADE151FBCEB0FF7252092FE36166E643B2 |
| SHA256: | 321BC6FE49A553EA3C62BFC31AE5630EB93B6A68D9E267F8634EE73663DE68FF |
| SSDEEP: | 98304:+Vn50SrAdm+lQlAw6HSLlhqK2zT0FzLh2CUxGQa4H5QSztG1Ep4SO3SloFVUnLgF:/D0m6b9X/VYS/wzG |
| Extension | Identified type (score) |
|---|---|
| .mst | Windows SDK Setup Transform Script (46.8) |
| .xls | Microsoft Excel sheet (22.3) |
| .msi | Microsoft Installer (100) |
| Field | Value |
|---|---|
| Characters: | - |
| LastModifiedBy: | InstallShield |
| Words: | - |
| Title: | Installation Database |
| Comments: | Contact: Your local administrator |
| Keywords: | Installer,MSI,Database |
| Subject: | Blank Project Template |
| Author: | InstallShield |
| Security: | Password protected |
| Pages: | 200 |
| Software: | InstallShield® 2021 - Premier Edition with Virtualization Pack 27 |
| ModifyDate: | 2023:12:19 09:12:31 |
| CreateDate: | 2023:12:19 09:12:31 |
| LastPrinted: | 2023:12:19 09:12:31 |
| RevisionNumber: | {796E4F2E-86C3-4B0C-A3DF-D4C9DF16D768} |
| CodePage: | Windows Latin 1 (Western European) |
| Template: | Intel;1033 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 116 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Setup.msi.mst" | C:\Windows\System32\msiexec.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows® installer | 1603 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| 1356 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2024 | C:\Users\admin\AppData\Local\Temp\{ED1B393D-34CD-4731-A498-47C48E1BEB0B}\RttHlp.exe | C:\Users\admin\AppData\Local\Temp\{ED1B393D-34CD-4731-A498-47C48E1BEB0B}\RttHlp.exe | | msiexec.exe | admin | IObit | MEDIUM | IObit RttHlp | 3221225477 | 11.0.0.0 |
| 2068 | C:\Windows\system32\MsiExec.exe -Embedding B6D01CA4B256A0DFA5F5A7404D7DCEDD C | C:\Windows\System32\msiexec.exe | — | msiexec.exe | admin | Microsoft Corporation | MEDIUM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{ED1B393D-34CD-4731-A498-47C48E1BEB0B}\abigail.json | — | — | — |
| 2068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{ED1B393D-34CD-4731-A498-47C48E1BEB0B}\rtl120.bpl | executable | ADF82ED333FB5567F8097C7235B0E17F | D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50 |
| 2068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{ED1B393D-34CD-4731-A498-47C48E1BEB0B}\vcl120.bpl | binary | C594D746FF6C99D140B5E8DA97F12FD4 | 572EDB7D630E9B03F93BD15135D2CA360176C1232051293663EC5B75C2428AEC |
| 116 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI4FE.tmp | executable | B7F57C02F00E4EF9698E8198F279B75A | D8D08C2FE91E27E7D4D1476F452EE055994A534F9AFF7C5B0752D24E0E750931 |
| 2068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{ED1B393D-34CD-4731-A498-47C48E1BEB0B}\Register.dll | executable | 26D6CBA2988A196A85C1CA1C98BBC8B4 | 747448C1440351EEB694651BD893D0284F84CF80278D3A9CA57CEC65775859CC |
| 116 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI2EA.tmp | executable | A0E940A3D3C1523416675125E3B0C07E | B8FA7AA425E4084EA3721780A13D11E08B8D53D1C5414B73F22FAECA1BFD314F |
| 2024 | RttHlp.exe | C:\ProgramData\IObit\IObitRtt\DBRtt.ept | binary | 0D99B7BFB41127C45BD72117CD1D6E62 | 483BC8BB54BA240AE356B16A67A1892EBC4BC764DB6422C7E862FF90607E1E77 |
| 2068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{DAC42772-A001-49CC-871E-33A7779AEDF6}\String1033.txt | text | 033901C62B74D93CD76B479B1D5682D1 | FEFC8BAB5760401F0E46FE6CFF3E62BCA90CD8B66F8FD0576FF8C843E542D08E |
| 2068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{DAC42772-A001-49CC-871E-33A7779AEDF6}\IsConfig.ini | text | 8F5D3F5F40AD6D3FDEC4F2C53CCB2F1C | 70F7757E3B968F147B655886F5B4ACECDEBC7036354AD4B6AD02DE5E432A9958 |
| 2068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{ED1B393D-34CD-4731-A498-47C48E1BEB0B}\RttHlp.exe | executable | A2D70FBAB5181A509369D96B682FC641 | 8AED681AD8D660257C10D2F0E85AE673184055A341901643F27AFC38E5EF8473 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |