File name: formulario_citas.msi

Full analysis: https://app.any.run/tasks/086c0d82-5b00-43e1-aac9-73737dc03a64
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: June 25, 2024, 20:07:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, hijackloader, loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Wee, Author: Doubt Sennight, Keywords: Installer, Comments: This installer database contains the logic and data required to install Wee., Template: Intel;1033, Revision Number: {6C39AFC0-5FA4-4729-826A-978503D51777}, Create Time/Date: Fri Jun 21 22:50:30 2024, Last Saved Time/Date: Fri Jun 21 22:50:30 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.3.0), Security: 2
MD5: 311ECD4933057667F4A36A1E9B3F6E12
SHA1: 3C2603EB9712FBFAC470FC1ABFCC0A2E0DC16131
SHA256: 3CCFCF45336EA87A7215A6B8B3023444161933ED73A57F6942C855294D3929A0
SSDEEP: 98304:z7b/+Nnis3lR3lTh+MO2nMFbkXGhhqZinpWkbBaSKIsgRr1ltneuZs5KxPM6Tfcp:Qjsw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3532)
      • msiexec.exe (PID: 3396)
    • HIJACKLOADER has been detected (YARA)

      • MediaInfo.exe (PID: 3364)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3396)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3708)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 3396)
      • MediaInfo.exe (PID: 3364)
    • Reads the computer name

      • msiexec.exe (PID: 3396)
      • MediaInfo.exe (PID: 3364)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 3396)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3396)
    • Creates files in a temporary directory

      • msiexec.exe (PID: 3396)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3396)
      • MediaInfo.exe (PID: 3364)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3396)
    • Manual execution by a user

      • explorer.exe (PID: 764)
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Wee
Author: Doubt Sennight
Keywords: Installer
Comments: This installer database contains the logic and data required to install Wee.
Template: Intel;1033
RevisionNumber: {6C39AFC0-5FA4-4729-826A-978503D51777}
CreateDate: 2024:06:21 22:50:30
ModifyDate: 2024:06:21 22:50:30
Pages: 500
Words: 10
Software: WiX Toolset (4.0.3.0)
Security: Read-only recommended
All screenshots are available in the full report
Total processes: 45
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process nodes)

  • start
  • msiexec.exe (no specs)
  • msiexec.exe
  • vssvc.exe (no specs)
  • mediainfo.exe (#HIJACKLOADER)
  • explorer.exe (no specs)

Process information

PID: 764
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 3364
CMD: "C:\Users\admin\AppData\Local\Misbelief\MediaInfo.exe"
Path: C:\Users\admin\AppData\Local\Misbelief\MediaInfo.exe
Parent process: msiexec.exe
User: admin
Company: MediaArea.net
Integrity Level: MEDIUM
Description: MediaInfo
Exit code: 3221225502
Version: 24.03.0.0
Modules (images):
  • c:\users\admin\appdata\local\misbelief\mediainfo.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\wininet.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll

PID: 3396
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 3532
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\formulario_citas.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\msiexec.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 3708
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\vssvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 4 933
Read events: 4 556
Write events: 365
Delete events: 12

Modification events

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000007894EA603BC7DA01440D0000940C0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000007894EA603BC7DA01440D0000940C0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 75

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4000000000000000F2B2AB613BC7DA01440D0000940C0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000004C15AE613BC7DA01440D00001C080000E80300000100000000000000000000003D27FB185C2FC340A8CC4F67D37CBA840000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E0000880C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E00008C0C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E0000340C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E0000880B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 40000000000000000E01BA613BC7DA017C0E00008C0C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files: 2
Suspicious files: 11
Text files: 4
Unknown types: 0

Dropped files

PID: 3396 | Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 3396 | Process: msiexec.exe
Filename: C:\Windows\Installer\5075a.msi
MD5:
SHA256:

PID: 3396 | Process: msiexec.exe
Filename: C:\Windows\Installer\5075d.msi
MD5:
SHA256:

PID: 3364 | Process: MediaInfo.exe
Filename: C:\Users\admin\AppData\Local\Misbelief\Plugin\Tree\Example.csv
MD5:
SHA256:

PID: 3396 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Misbelief\eriophorum.odp
Type: binary
MD5: 1AD4981D29102D9C2BFAD9E55343434A
SHA256: 46998C944D0F65A0EF40C6FC60D099B633A413CE62F56791978BAF6C97567001

PID: 3396 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFBA2504A6E040F8FD.TMP
Type: binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID: 3396 | Process: msiexec.exe
Filename: C:\Config.Msi\5075c.rbs
Type: binary
MD5: 5D36BE3E780ABB3F6DA567B7BA5E1443
SHA256: FA53E82F8D4CB70FE588214359ED2910B9737E3BA6504440C163CD0712CCD660

PID: 3396 | Process: msiexec.exe
Filename: C:\Windows\Installer\5075b.ipi
Type: binary
MD5: 2DAA08F1AAE2C1BF554D9C6B1A0064AE
SHA256: 917EE781E330E00D3EE6A32E743B903BF121854F44F03B7ECD8B71B783676A81

PID: 3396 | Process: msiexec.exe
Filename: C:\Windows\Installer\MSIC9A.tmp
Type: binary
MD5: 53336492262C33C2DAC16FD5D7D2B535
SHA256: DFD11F090DBEFAD2EC4A86D3FF3287F194B0A35AD818611C173D2A3A7FBBFC11

PID: 3396 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Misbelief\MediaInfo_i386.dll
Type: executable
MD5: 0A575896DE405389DD815FA7E8B88D0B
SHA256: FBAFD779494EC0213FF14D3C757A383DC3757C70D98B68DA8B674ACFAC9D1472
HTTP(S) requests: 4
TCP/UDP connections: 10
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1372 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1060 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

No threats detected
No debug info