Malware analysis BluetraitAgent381.msi Malicious activity

Add for printing

File name:	BluetraitAgent381.msi
Full analysis:	https://app.any.run/tasks/66a67ccf-36bc-46d8-bff1-cb8305b94501
Verdict:	Malicious activity
Analysis date:	October 22, 2024, 09:09:11
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Bluetrait Agent, Author: Dalegroup Pty Ltd, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bluetrait Agent., Template: Intel;1033, Revision Number: {BCFAFD79-BEB0-48F6-A358-DB0915FB06C8}, Create Time/Date: Thu Oct 17 17:19:30 2024, Last Saved Time/Date: Thu Oct 17 17:19:30 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:	03259B8571BBD157354D1CD6E2771E34
SHA1:	93BE79F79651BFA55B6EB0082153D455157C08F6
SHA256:	62446E7258B20B64C058AE723B5F38B82F0B6214C5E8B9F015BF971BE061EEB0
SSDEEP:	98304:BXqSlxGf1BYOp/BS0E30q173bpS+CKLujmlSUOx6AW4p1Z3fmqRPfPAA2rNPcFYc:caenF9zW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executes as Windows Service
  - Bluetrait MSP Agent.exe (PID: 7076)
  - WmiApSrv.exe (PID: 4556)
  - VSSVC.exe (PID: 3828)
  - level.exe (PID: 5604)
  - WmiApSrv.exe (PID: 7004)
- Starts POWERSHELL.EXE for commands execution
  - install_windows.exe (PID: 3912)
  - level.exe (PID: 5604)
  - winpty-agent.exe (PID: 2088)
- Executable content was dropped or overwritten
  - Bluetrait MSP Agent.exe (PID: 7076)
  - install_windows.exe (PID: 3912)
  - level-windows-amd64.exe (PID: 2088)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 1028)
- Hides errors and continues executing the command without stopping
  - powershell.exe (PID: 4700)
- Starts CMD.EXE for commands execution
  - level-windows-amd64.exe (PID: 2088)
- Uses NETSH.EXE to delete a firewall rule or allowed programs
  - cmd.exe (PID: 6216)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 3700)
- Starts SC.EXE for service management
  - level-windows-amd64.exe (PID: 2088)
  - level.exe (PID: 5604)
INFO
- An automatically generated document
  - msiexec.exe (PID: 6368)
- Manages system restore points
  - SrTasks.exe (PID: 6408)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 5196)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Bluetrait Agent
Author:	Dalegroup Pty Ltd
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Bluetrait Agent.
Template:	Intel;1033
RevisionNumber:	{BCFAFD79-BEB0-48F6-A358-DB0915FB06C8}
CreateDate:	2024:10:17 17:19:30
ModifyDate:	2024:10:17 17:19:30
Pages:	200
Words:	2
Software:	Windows Installer XML Toolset (3.11.2.4516)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

190

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
300	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	SrTasks.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
540	powershell -Command "Get-WmiObject win32_operatingsystem \| Select-Object -Expand osarchitecture"	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	—	install_windows.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
612	netsh advfirewall firewall delete rule name=\"Level Agent\" dir=in	C:\Windows\System32\netsh.exe	—	cmd.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800)
1028	schtasks /Delete /F /TN "Level\Level Watchdog"	C:\Windows\System32\schtasks.exe	—	level-windows-amd64.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800)
1336	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	osqueryi.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
1376	"C:\Program Files\Level\osqueryi.exe" -S --verbose --alarm_timeout 10 --disable_carver --disable_enrollment --disable_extensions --disable_reenrollment --disable_watchdog --disable_caching --disable_database --disable_events --disable_hash_cache --ephemeral --config_path "C:\Program Files\Level\osquery_config.conf" --json " SELECT type, hardware_model, serial, disk_size FROM disk_info "	C:\Program Files\Level\osqueryi.exe	—	level.exe
User: SYSTEM Company: Osquery Foundation Integrity Level: SYSTEM Description: osquery daemon and shell Exit code: 0 Version: 5.9.1.0
2056	C:\windows\system32\sc.exe failureflag Level 1	C:\Windows\System32\sc.exe	—	level.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Service Control Manager Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
2088	C:\WINDOWS\TEMP\level-windows-amd64.exe /action install /key W8NnBRE2fRfLJgb21PkPDMMc	C:\Windows\Temp\level-windows-amd64.exe		install_windows.exe
User: SYSTEM Integrity Level: SYSTEM Exit code: 0
2088	\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1	C:\Windows\System32\conhost.exe	—	osqueryi.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
2088	"C:\Program Files\Level\winpty-agent.exe" \\.\pipe\winpty-control-5604-1-1db24627e51ceb0-31a1631cbcf84a4c5186da0e5df1c369 0 1 40 40	C:\Program Files\Level\winpty-agent.exe	—	level.exe
User: SYSTEM Integrity Level: SYSTEM

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5196	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
5196	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:E0A6DB382AF975518CC6B3B0443C1F56	SHA256:71CD228904008E2DAC5D311176B59A5FEC19CC1A6314A6E8737C0D2D79B914BE
6368	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F		binary
		MD5:B6E614F1E0D58BE9AF6270A36EC7F586	SHA256:4A65584AA82B7B4380456314120DA15DA44BD85C8B8E89C3941A23EE75DEAB10
5196	msiexec.exe	C:\Windows\Installer\MSI3734.tmp		executable
		MD5:A3AE5D86ECF38DB9427359EA37A5F646	SHA256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
5196	msiexec.exe	C:\Windows\Temp\~DF3ECD88BAC67F33D1.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6368	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_5001C7BC78598D0B752119C0FACA0CDE		binary
		MD5:75E35FE66AE1787C0CA88A199DE5B6FA	SHA256:B181BD75DE29DCC050B27612427AE32A23581E50E1615686D915D780C3D3954C
5196	msiexec.exe	C:\Program Files (x86)\Bluetrait Agent\BluetraitUserAgent.exe		executable
		MD5:CA8DCB7C71FE31AF9F4A99667428702B	SHA256:1A00E50CB1086CBE4C2F0E65A290FDA8FCFAC1A56C5DBFA2248E4D7BED44939F
6368	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_5001C7BC78598D0B752119C0FACA0CDE		binary
		MD5:ABF9AFCF058DE46FAF4C50A812C9F96E	SHA256:B82096BF7A911D843023A1AC4F35F799FF03C8A1DB4E627FF9BC144ED1E7EBE1
6368	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB		der
		MD5:9DC8D530072E5640974D0DCCD1CC0275	SHA256:50EC44E88EC292BCB1480B28CC773F0BDCDEBC9A78138578B213E8CC3C43CC8D
6368	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F		der
		MD5:C58609BF40685CB5C34DAB4979C2E0D0	SHA256:FD8AC52BCC75885BA10ED1F25FD03B63A00C2BBCA34F606A62E01C35396D7DAE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

159

DNS requests

Threats

252

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D	unknown	—	—	whitelisted
—	—	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D	unknown	—	—	whitelisted
—	—	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEHJ8a%2B5Vb7xQ27FZY20Vhh4%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	172.64.149.23:80	ocsp.comodoca.com	CLOUDFLARENET	US	whitelisted
—	—	2.23.209.135:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	40.126.31.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
google.com	142.250.185.142	whitelisted
ocsp.comodoca.com	172.64.149.23 104.18.38.233	whitelisted
ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted
www.bing.com	2.23.209.135 2.23.209.142 2.23.209.143 2.23.209.133 2.23.209.130 2.23.209.136 2.23.209.149 2.23.209.140 2.23.209.139 2.23.209.187 2.23.209.183 2.23.209.178 2.23.209.186 2.23.209.185 2.23.209.182 2.23.209.181 2.23.209.180 2.23.209.179	whitelisted
login.live.com	40.126.31.71 20.190.159.23 40.126.31.67 20.190.159.71 20.190.159.75 20.190.159.64 20.190.159.2 20.190.159.0	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	184.28.89.167	whitelisted

Threats

PID	Process	Class	Message
—	—	Misc activity	ET INFO Level.io Download Agent Domain in DNS Lookup (downloads .level .io)
—	—	Misc activity	ET INFO Level.io Agent Update Domain in DNS Lookup (builds .level .io)
—	—	Misc activity	ET INFO Level.io Check Connectivity Status in DNS Lookup (online .level .io)
—	—	Misc activity	ET INFO Level.io Agent Domain in DNS Lookup (agents .level .io)
—	—	Misc activity	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
—	—	Misc activity	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
—	—	Misc activity	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
—	—	Misc activity	ET INFO Session Traversal Utilities for NAT (STUN Binding Response)
—	—	Misc activity	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)
—	—	Misc activity	ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)

Add for printing

No debug info

General Info

BluetraitAgent381.msi

03259B8571BBD157354D1CD6E2771E34

93BE79F79651BFA55B6EB0082153D455157C08F6

62446E7258B20B64C058AE723B5F38B82F0B6214C5E8B9F015BF971BE061EEB0

98304:BXqSlxGf1BYOp/BS0E30q173bpS+CKLujmlSUOx6AW4p1Z3fmqRPfPAA2rNPcFYc:caenF9zW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executes as Windows Service

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Deletes scheduled task without confirmation

Hides errors and continues executing the command without stopping

Starts CMD.EXE for commands execution

Uses NETSH.EXE to delete a firewall rule or allowed programs

Uses NETSH.EXE to add a firewall rule or allowed programs

Starts SC.EXE for service management

INFO

An automatically generated document

Manages system restore points

Executable content was dropped or overwritten

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings