| URL: | http://fs1.minitab.com/prodinstalls/minitab/minitab18/18.1.0.0/commercial/minitab18.1.0.0setup.exe |
| Full analysis: | https://app.any.run/tasks/0251370f-88a6-4ceb-8603-b358e24be543 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 15, 2020, 14:52:27 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 584D69786B707B232516660DCBDC124B |
| SHA1: | FD8AD887B191B65CC619E4FB648CAB4C1FD5ECF5 |
| SHA256: | 5751871CC559833322F1EB7201F0F5EDE822D4B362BA37E0DCCFE37DF93731B3 |
| SSDEEP: | 3:N1KYoKEKIKVXaMLqKxN58gdKXLI4hL87kA:CYo1TK8A0dnhL1A |
MALICIOUS
Loads the Task Scheduler DLL interface
- minitab18.1.0.0setup.exe (PID: 2852)
Application was dropped or rewritten from another process
- SilentHelper.exe (PID: 2284)
- minitab18.1.0.0setup.exe (PID: 2852)
- minitab18.1.0.0setup.exe (PID: 3292)
- vcredist_x86.exe (PID: 2128)
- minitab18.1.0.0setup.exe (PID: 256)
- nlssrv32.exe (PID: 3024)
- Mtb.exe (PID: 3020)
- Mtb.exe (PID: 1028)
- vcredist_x86.exe (PID: 1172)
Downloads executable files from the Internet
- iexplore.exe (PID: 2868)
Changes the autorun value in the registry
- vcredist_x86.exe (PID: 1172)
Loads dropped or rewritten executable
- vcredist_x86.exe (PID: 2128)
- Mtb.exe (PID: 3020)
- Mtb.exe (PID: 1028)
Low-level write access rights to disk partition
- nlssrv32.exe (PID: 3024)
Changes settings of System certificates
- minitab18.1.0.0setup.exe (PID: 2852)
SUSPICIOUS
Executable content was dropped or overwritten
- minitab18.1.0.0setup.exe (PID: 2852)
- vcredist_x86.exe (PID: 2128)
- minitab18.1.0.0setup.exe (PID: 256)
Reads Environment values
- minitab18.1.0.0setup.exe (PID: 2852)
- minitab18.1.0.0setup.exe (PID: 256)
- MsiExec.exe (PID: 2168)
Creates files in the program directory
- minitab18.1.0.0setup.exe (PID: 2852)
- minitab18.1.0.0setup.exe (PID: 256)
- Mtb.exe (PID: 3020)
Creates files in the Windows directory
- minitab18.1.0.0setup.exe (PID: 2852)
- nlssrv32.exe (PID: 3024)
Reads internet explorer settings
- minitab18.1.0.0setup.exe (PID: 2852)
Creates a software uninstall entry
- vcredist_x86.exe (PID: 1172)
Application launched itself
- minitab18.1.0.0setup.exe (PID: 2852)
- Mtb.exe (PID: 3020)
Searches for installed software
- vcredist_x86.exe (PID: 1172)
Executed as Windows Service
- vssvc.exe (PID: 2740)
- nlssrv32.exe (PID: 3024)
Uses ICACLS.EXE to modify access control list
- cmd.exe (PID: 2556)
Starts CMD.EXE for commands execution
- MSI3A2C.tmp (PID: 2840)
- MsiExec.exe (PID: 2168)
Removes files from Windows directory
- minitab18.1.0.0setup.exe (PID: 2852)
Reads Windows owner or organization settings
- Mtb.exe (PID: 3020)
Reads the Windows organization settings
- Mtb.exe (PID: 3020)
Low-level read access rights to disk partition
- nlssrv32.exe (PID: 3024)
Adds / modifies Windows certificates
- minitab18.1.0.0setup.exe (PID: 2852)
INFO
Reads Internet Cache Settings
- iexplore.exe (PID: 3980)
- iexplore.exe (PID: 2868)
Creates files in the user directory
- iexplore.exe (PID: 3980)
Loads dropped or rewritten executable
- MsiExec.exe (PID: 2076)
- MsiExec.exe (PID: 1712)
- MsiExec.exe (PID: 2168)
Reads settings of System Certificates
- minitab18.1.0.0setup.exe (PID: 2852)
- iexplore.exe (PID: 3980)
Low-level read access rights to disk partition
- vssvc.exe (PID: 2740)
Application was dropped or rewritten from another process
- MSI3A2C.tmp (PID: 2840)
Manual execution by user
- Mtb.exe (PID: 3020)
Changes internet zones settings
- iexplore.exe (PID: 3980)
Creates files in the program directory
- MsiExec.exe (PID: 2168)
Reads the hosts file
- Mtb.exe (PID: 3020)
Modifies the phishing filter of IE
- iexplore.exe (PID: 3980)
Adds / modifies Windows certificates
- iexplore.exe (PID: 3980)
Changes settings of System certificates
- iexplore.exe (PID: 3980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
70
Monitored processes
20
Malicious processes
7
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 256 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\minitab18.1.0.0setup.exe" /i C:\ProgramData\Minitab\Minitab18.1.0.0\installer\minitab18.1.0.0setup.msi CLIENTPROCESSID="2852" AI_MORE_CMD_LINE=1 | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\minitab18.1.0.0setup.exe | minitab18.1.0.0setup.exe | ||||||||||||
User: admin Company: Minitab, Inc. Integrity Level: HIGH Description: Minitab 18 Setup Exit code: 0 Version: 18.1.0.0 Modules
| |||||||||||||||
| 1028 | "C:\Program Files\Minitab\Minitab 18\Mtb.exe" --type=renderer --no-sandbox --disable-databases --lang=en-US --lang=en-US --log-file="C:\Program Files\Minitab\Minitab 18\debug.log" --log-severity=disable --disable-extensions --disable-spell-checking --device-scale-factor=1 --num-raster-threads=2 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3020.0.855082979\705181195" /prefetch:1 | C:\Program Files\Minitab\Minitab 18\Mtb.exe | — | Mtb.exe | |||||||||||
User: admin Company: Minitab Inc. Integrity Level: MEDIUM Description: Minitab 18 Exit code: 0 Version: 18.1.0.0 Modules
| |||||||||||||||
| 1172 | "C:\ProgramData\Minitab\Minitab18.1.0.0\prerequisites\vcredist_x86.exe" /quiet /norestart | C:\ProgramData\Minitab\Minitab18.1.0.0\prerequisites\vcredist_x86.exe | MsiExec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 Exit code: 0 Version: 12.0.30501.0 Modules
| |||||||||||||||
| 1712 | C:\Windows\system32\MsiExec.exe -Embedding F14615C45F5E8E176E4EDC037A03C191 | C:\Windows\system32\MsiExec.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2076 | C:\Windows\system32\MsiExec.exe -Embedding 4785E1D4DF2257434224D01C8151AA56 C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2128 | "C:\ProgramData\Minitab\Minitab18.1.0.0\prerequisites\vcredist_x86.exe" /quiet /norestart -burn.unelevated BurnPipe.{A4CCD4CD-381C-4ADF-AC0B-27EEE08652FF} {7AECBBAD-AD34-4191-A225-842C40DCB23F} 1172 | C:\ProgramData\Minitab\Minitab18.1.0.0\prerequisites\vcredist_x86.exe | vcredist_x86.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 Exit code: 0 Version: 12.0.30501.0 Modules
| |||||||||||||||
| 2168 | C:\Windows\system32\MsiExec.exe -Embedding 8EC4C7D0DBBBA032B243CFC1DCBA7952 M Global\MSI0000 | C:\Windows\system32\MsiExec.exe | msiexec.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2284 | "C:\ProgramData\Minitab\Minitab18.1.0.0\prerequisites\SilentHelper.exe" | C:\ProgramData\Minitab\Minitab18.1.0.0\prerequisites\SilentHelper.exe | — | minitab18.1.0.0setup.exe | |||||||||||
User: admin Company: Minitab, Inc. Integrity Level: HIGH Description: Minitab 18 Silent Helper Exit code: 1 Version: 18.1.0.0 Modules
| |||||||||||||||
| 2548 | ICACLS C:\ProgramData\Minitab\MultiUserLicense.ini /grant:r Everyone:F | C:\Windows\system32\icacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2556 | cmd /c ""C:\Users\admin\AppData\Local\Temp\SetLicensingFilePermissions.bat" "C:\ProgramData\Minitab\"" | C:\Windows\system32\cmd.exe | — | MSI3A2C.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
12 754
Read events
2 533
Write events
7 934
Delete events
2 287
Modification events
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 2402394638 | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30812872 | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 46000000A1000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3980) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
Executable files
18
Suspicious files
25
Text files
141
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\minitab18.1.0.0setup[1].exe | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabB699.tmp | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarB69A.tmp | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verB6E9.tmp | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\J1TUH6AF.txt | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5RJTB8JN.txt | — | |
MD5:— | SHA256:— | |||
| 2868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\minitab18.1.0.0setup.exe.kt1tw6v.partial | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF3C3C74583FD3003C.TMP | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\minitab18.1.0.0setup.exe.kt1tw6v.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
| 3980 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\minitab18.1.0.0setup.exe | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
6
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2868 | iexplore.exe | GET | 200 | 93.184.221.133:80 | http://fs1.minitab.com/prodinstalls/minitab/minitab18/18.1.0.0/commercial/minitab18.1.0.0setup.exe | US | executable | 137 Mb | malicious |
3980 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3980 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3980 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2868 | iexplore.exe | 93.184.221.133:80 | fs1.minitab.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3980 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3020 | Mtb.exe | 152.195.34.187:443 | cdn-aicfd.minitabapps.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
3980 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted |
3980 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
fs1.minitab.com |
| malicious |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
ieonline.microsoft.com |
| whitelisted |
cdn-aicfd.minitabapps.com |
| suspicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2868 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3020 | Mtb.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
Process | Message |
|---|---|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | SELECT Join Query: [SELECT * FROM `RemoveFile`, `AI_RemoveFile` WHERE `RemoveFile`.`FileKey` = `AI_RemoveFile`.`RemoveFile`].
|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | ProductCode: {8D24BFA4-1266-436F-9EBF-F83F5CFADD2E}. OnAiRemoveFileImmediate start.
|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | MsiTableReader::ExecuteQuery [DELETE FROM `RemoveFile` WHERE `RemoveFile`.`FileKey`='_']...
|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | MsiTableReader: Getting the active MSI database for this installation session...
|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | Build JOINed tables CustomActionData string...
|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | Deffered with rollback scheduled.
|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | MsiTableReader::ExecuteQuery [SELECT * FROM `RemoveFile`, `AI_RemoveFile` WHERE `RemoveFile`.`FileKey` = `AI_RemoveFile`.`RemoveFile`]...
|
MsiExec.exe | # 2020-05-15 @15:55:22 [PID=1712|Thread=2676] | ProductCode: {8D24BFA4-1266-436F-9EBF-F83F5CFADD2E}. OnAiRemoveFileImmediate end.
|
MsiExec.exe | # 2020-05-15 @15:55:24 [PID=2168|Thread=792] | CollectRemoveFileData start.
|
MsiExec.exe | # 2020-05-15 @15:55:24 [PID=2168|Thread=792] | ProductCode: {8D24BFA4-1266-436F-9EBF-F83F5CFADD2E}. OnAiRemoveFiles end.
|