Malware analysis Marco-FTA-657687HD99O.msi Malicious activity

Add for printing

File name:	Marco-FTA-657687HD99O.msi
Full analysis:	https://app.any.run/tasks/568eabcd-c871-470b-afc2-6a503be17e20
Verdict:	Malicious activity
Analysis date:	March 22, 2019, 06:22:58
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Wed Nov 21 14:59:58 2007, Create Time/Date: Wed Nov 21 14:59:58 2007, Title: Installation Database, Keywords: Installer, MSI, Database, Last Saved Time/Date: Wed Nov 21 15:17:57 2007, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {4CF3826D-6E93-44B0-8871-C42428D99422}, Number of Words: 10, Subject: Adobe Acrobat Reader, Author: Adobe Acrobat Reader, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Adobe Acrobat Reader.
MD5:	3908ED0D44A2AF2764B8846FABC384CD
SHA1:	AC51000E66B2BADEBE6C2753B13F07E4BF76F1F1
SHA256:	4F7E5495F48B2188D536E965067748863CE63681409B9BEB11A39CC2FB84C85D
SSDEEP:	3072:SrV4kCO7zXWBwgz88ereWn/7w05g059xt7v3D7YQA8PMcB3RUN46ILJ9+ZB5yOaI:SrLCOHXb8er1nzTHR3D7YQAVrp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Writes to a start menu file
  - MsiExec.exe (PID: 2572)
- Changes the autorun value in the registry
  - reg.exe (PID: 944)
SUSPICIOUS
- Starts Internet Explorer
  - cmd.exe (PID: 1552)
- Starts CMD.EXE for commands execution
  - MsiExec.exe (PID: 2572)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 4040)
  - MsiExec.exe (PID: 2572)
- Creates files in the user directory
  - MsiExec.exe (PID: 2572)
- Uses REG.EXE to modify Windows registry
  - cmd.exe (PID: 2044)
INFO
- Creates files in the user directory
  - iexplore.exe (PID: 3056)
- Application launched itself
  - msiexec.exe (PID: 4040)
  - iexplore.exe (PID: 2576)
- Changes internet zones settings
  - iexplore.exe (PID: 2576)
- Reads internet explorer settings
  - iexplore.exe (PID: 3056)
- Starts application with an unusual extension
  - MsiExec.exe (PID: 2572)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3056)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (88.6)
.mst	\|	Windows SDK Setup Transform Script (10)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

Comments:	This installer database contains the logic and data required to install Adobe Acrobat Reader.
Template:	;1033
Software:	Advanced Installer 12.2.1 build 64247
LastModifiedBy:	-
Author:	Adobe Acrobat Reader
Subject:	Adobe Acrobat Reader
Words:	10
RevisionNumber:	{4CF3826D-6E93-44B0-8871-C42428D99422}
CodePage:	Windows Latin 1 (Western European)
Security:	None
Pages:	200
ModifyDate:	2007:11:21 15:17:57
Keywords:	Installer, MSI, Database
Title:	Installation Database
CreateDate:	2007:11:21 14:59:58
LastPrinted:	2007:11:21 14:59:58

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1336	"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Marco-FTA-657687HD99O.msi"	C:\Windows\System32\msiexec.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1073807364 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
4040	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2572	C:\Windows\system32\MsiExec.exe -Embedding AA6EDB8E275F1799A3DE7D9F084329CE	C:\Windows\system32\MsiExec.exe		msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1073807364 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
1552	"C:\Windows\System32\cmd.exe" /C start /MAX https://www.adobe.com/br/legal/terms.html	C:\Windows\System32\cmd.exe	—	MsiExec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 3221225547 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2576	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1073807364 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3056	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2576 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2044	"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RTPkot /t reg_sz /d "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RTPkot.exe"	C:\Windows\System32\cmd.exe	—	MsiExec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2676	"C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0	C:\Windows\System32\cmd.exe	—	MsiExec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2940	"C:\Windows\system32\cmd.exe" /c shutdown /r /t 1 /f	C:\Windows\system32\cmd.exe	—	MsiExec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1115 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
944	reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RTPkot /t reg_sz /d "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RTPkot.exe"	C:\Windows\system32\reg.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

1 054

Read events

970

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2576	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico		—
		MD5:—	SHA256:—
2576	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3056	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\84VJWZ6O\adobe-head.min.fp-49c976728c560175ef3915d2bbcaa219[1].js		text
		MD5:E89D4A4F71AC0A90E8BE1F2446E01DC3	SHA256:66BFD06574039BECB7B87D41600B5FD34A6C476B3AB54271C6A9A74C7440B656
3056	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:6578675A15E8F7130E552AAD191766C7	SHA256:51DEC14AC3D505935207088064B742BF891ACC40653ED670DD8ED9D37BB6EF2B
3056	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\37TCL1KE\adobe.min.fp-9f089e57989ec2e6fb36add7a91cbd7b[1].css		text
		MD5:E128187D03C3440C7C4F881BDDFD5075	SHA256:0AF569746751282665C23B2BD8CFF33477EDAA223DBA31C38891A256973334A7
3056	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\84VJWZ6O\liveperson.min.fp-0232b34deadc0421a8b6a57415f16562[1].css		text
		MD5:1E426576474B356877191024EF5DF065	SHA256:7DEAAE6889260AB6ABE16C1DCFC485E2DDDD44726F65BA3884D3571966CE88B3
3056	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FAEZ3O82\terms[1].html		html
		MD5:30EF0F9E9D47645FD15C5CDA23E54AB8	SHA256:04B9201DD2C661D99772BFFEDB757235808A3BDEC220369DD2EAF83E88DDA020
3056	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WTEAWQEF\thirdparty-new.min.fp-82c94a7b28ebafb87f108e6611d49a7c[1].css		text
		MD5:3F9C9B1F235EC170EF2D1F03B1EF8086	SHA256:85EC7522C5A3682307CDC7BB150D06BAC22A995C030BB1DE0FA1BDD3F9647D18
4040	msiexec.exe	C:\Windows\Installer\fa000.msi		executable
		MD5:3908ED0D44A2AF2764B8846FABC384CD	SHA256:4F7E5495F48B2188D536E965067748863CE63681409B9BEB11A39CC2FB84C85D
3056	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:81C0CC46CAE1B114C91C6CCB63E73679	SHA256:EB05C70FA19402E559992C102C2B820BE992169521D7D26B6B30B2F3F0285F1D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2576	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2576	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3056	iexplore.exe	23.34.185.248:443	www.adobe.com	Akamai Technologies, Inc.	NL	whitelisted
2572	MsiExec.exe	216.58.207.36:80	www.google.com	Google Inc.	US	whitelisted
3056	iexplore.exe	23.45.98.72:443	use.typekit.com	Akamai International B.V.	NL	whitelisted
2572	MsiExec.exe	52.218.97.18:443	s3-eu-west-1.amazonaws.com	Amazon.com, Inc.	IE	unknown

DNS requests

Domain	IP	Reputation
s3-eu-west-1.amazonaws.com	52.218.97.18	shared
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
www.adobe.com	23.34.185.248	whitelisted
use.typekit.com	23.45.98.72	whitelisted
p.typekit.net	23.45.98.72	shared
www.google.com	216.58.207.36	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Marco-FTA-657687HD99O.msi

3908ED0D44A2AF2764B8846FABC384CD

AC51000E66B2BADEBE6C2753B13F07E4BF76F1F1

4F7E5495F48B2188D536E965067748863CE63681409B9BEB11A39CC2FB84C85D

3072:SrV4kCO7zXWBwgz88ereWn/7w05g059xt7v3D7YQA8PMcB3RUN46ILJ9+ZB5yOaI:SrLCOHXb8er1nzTHR3D7YQAVrp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Writes to a start menu file

Changes the autorun value in the registry

SUSPICIOUS

Starts Internet Explorer

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Creates files in the user directory

Uses REG.EXE to modify Windows registry

INFO

Creates files in the user directory

Application launched itself

Changes internet zones settings

Reads internet explorer settings

Starts application with an unusual extension

Reads Internet Cache Settings

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings