File name: formulario_citas.msi

Full analysis: https://app.any.run/tasks/086c0d82-5b00-43e1-aac9-73737dc03a64
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: June 25, 2024, 20:07:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
hijackloader
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Wee, Author: Doubt Sennight, Keywords: Installer, Comments: This installer database contains the logic and data required to install Wee., Template: Intel;1033, Revision Number: {6C39AFC0-5FA4-4729-826A-978503D51777}, Create Time/Date: Fri Jun 21 22:50:30 2024, Last Saved Time/Date: Fri Jun 21 22:50:30 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.3.0), Security: 2
MD5: 311ECD4933057667F4A36A1E9B3F6E12
SHA1: 3C2603EB9712FBFAC470FC1ABFCC0A2E0DC16131
SHA256: 3CCFCF45336EA87A7215A6B8B3023444161933ED73A57F6942C855294D3929A0
SSDEEP: 98304:z7b/+Nnis3lR3lTh+MO2nMFbkXGhhqZinpWkbBaSKIsgRr1ltneuZs5KxPM6Tfcp:Qjsw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3532)
      • msiexec.exe (PID: 3396)
    • HIJACKLOADER has been detected (YARA)

      • MediaInfo.exe (PID: 3364)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3396)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3708)
  • INFO

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 3396)
    • Reads the computer name

      • msiexec.exe (PID: 3396)
      • MediaInfo.exe (PID: 3364)
    • Checks supported languages

      • msiexec.exe (PID: 3396)
      • MediaInfo.exe (PID: 3364)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3396)
      • MediaInfo.exe (PID: 3364)
    • Create files in a temporary directory

      • msiexec.exe (PID: 3396)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3396)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3396)
    • Manual execution by a user

      • explorer.exe (PID: 764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Wee
Author: Doubt Sennight
Keywords: Installer
Comments: This installer database contains the logic and data required to install Wee.
Template: Intel;1033
RevisionNumber: {6C39AFC0-5FA4-4729-826A-978503D51777}
CreateDate: 2024:06:21 22:50:30
ModifyDate: 2024:06:21 22:50:30
Pages: 500
Words: 10
Software: WiX Toolset (4.0.3.0)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), mediainfo.exe (#HIJACKLOADER), explorer.exe (no specs)

Process information

PID: 764
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3364
CMD: "C:\Users\admin\AppData\Local\Misbelief\MediaInfo.exe"
Path: C:\Users\admin\AppData\Local\Misbelief\MediaInfo.exe
Parent process: msiexec.exe
User: admin
Company: MediaArea.net
Integrity Level: MEDIUM
Description: MediaInfo
Exit code: 3221225502
Version: 24.03.0.0
Modules (images):
c:\users\admin\appdata\local\misbelief\mediainfo.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

PID: 3396
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3532
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\formulario_citas.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 3708
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 4 933
Read events: 4 556
Write events: 365
Delete events: 12

Modification events

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000007894EA603BC7DA01440D0000940C0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000007894EA603BC7DA01440D0000940C0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 75

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4000000000000000F2B2AB613BC7DA01440D0000940C0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3396) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000004C15AE613BC7DA01440D00001C080000E80300000100000000000000000000003D27FB185C2FC340A8CC4F67D37CBA840000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E0000880C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E00008C0C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E0000340C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005A3CB5613BC7DA017C0E0000880B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (3708) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 40000000000000000E01BA613BC7DA017C0E00008C0C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files: 2
Suspicious files: 11
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3396 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | | |
3396 | msiexec.exe | C:\Windows\Installer\5075a.msi | | |
3396 | msiexec.exe | C:\Windows\Installer\5075d.msi | | |
3364 | MediaInfo.exe | C:\Users\admin\AppData\Local\Misbelief\Plugin\Tree\Example.csv | | |
3396 | msiexec.exe | C:\Windows\Installer\MSIC9A.tmp | binary | 53336492262C33C2DAC16FD5D7D2B535 | DFD11F090DBEFAD2EC4A86D3FF3287F194B0A35AD818611C173D2A3A7FBBFC11
3396 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF60325F8EFE13C12B.TMP | binary | E3A4F753C3B431ABFA4B65ECE24BB3EB | 9919A6AACD926FBA53E96E7A4C55B1713535CFD44B4B5197FC190EAE4D8EAB98
3396 | msiexec.exe | C:\Users\admin\AppData\Local\Misbelief\MediaInfo_i386.dll | executable | 0A575896DE405389DD815FA7E8B88D0B | FBAFD779494EC0213FF14D3C757A383DC3757C70D98B68DA8B674ACFAC9D1472
3396 | msiexec.exe | C:\Config.Msi\5075c.rbs | binary | 5D36BE3E780ABB3F6DA567B7BA5E1443 | FA53E82F8D4CB70FE588214359ED2910B9737E3BA6504440C163CD0712CCD660
3396 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | 3A6A805B5EB5FE8240EAA08E49FFAD02 | 83FB8F68F4FF92730FFA74BAF03FAEEA3CE8EAED4B27280C2468135EF5BD077D
3396 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFBA2504A6E040F8FD.TMP | binary | BF619EAC0CDF3F68D496EA9344137E8B | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 10
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1372 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | unknown
1060 | svchost.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | | | unknown
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1372 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
1372 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
1060 | svchost.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

No threats detected
No debug info