| File name: | install-roxplayer.msi |
| Full analysis: | https://app.any.run/tasks/ed982e48-b138-4d2f-8cf2-8c4c5d06dd7b |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | September 08, 2018, 23:04:33 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {AE2EFA33-057A-4EC9-BA4C-5BDE83718529}, Number of Words: 10, Subject: ROX Player, Author: RoxPlayer, Name of Creating Application: Advanced Installer 10.0 build 50412, Template: ;1033, Comments: This installer database contains the logic and data required to install ROX Player. |
| MD5: | E832B5BC5B5EE9131447548C6418DA04 |
| SHA1: | F9E36D0BC85FE2C2C98CC55878804F509F635587 |
| SHA256: | 66CD8D8CBD9D54943BEAFCCEEC3130F12AAC127386AE31C8D679F5CF1275E005 |
| SSDEEP: | 24576:QXZAvkYw32DExtE3epqs1VNDSwEF/H+jK++7y+KT4Cf:QXZAvkYw3g6tC4XNDSwEF/H+jKfm+KUm |
MALICIOUS
Changes the autorun value in the registry
- aipackagechainer.exe (PID: 2704)
Application was dropped or rewritten from another process
- aipackagechainer.exe (PID: 2704)
- install-roxplayer.exe (PID: 3856)
- install-roxplayer.exe (PID: 2280)
- roxplayer.exe (PID: 3588)
- roxplayer.exe (PID: 2488)
Loads dropped or rewritten executable
- roxplayer.exe (PID: 3588)
- roxplayer.exe (PID: 2488)
Downloads executable files from the Internet
- MsiExec.exe (PID: 3704)
SUSPICIOUS
Executable content was dropped or overwritten
- install-roxplayer.exe (PID: 2280)
- msiexec.exe (PID: 424)
- install-roxplayer.exe (PID: 3856)
- MsiExec.exe (PID: 3704)
- install-roxplayer.tmp (PID: 2812)
Reads the Windows organization settings
- install-roxplayer.tmp (PID: 2812)
Creates files in the user directory
- MsiExec.exe (PID: 3704)
- install-roxplayer.tmp (PID: 2812)
- roxplayer.exe (PID: 2488)
Reads Windows owner settings
- install-roxplayer.tmp (PID: 2812)
Modifies the open verb of a shell class
- install-roxplayer.tmp (PID: 2812)
Low-level read access rights to disk partition
- roxplayer.exe (PID: 3588)
Starts CMD.EXE for commands execution
- aipackagechainer.exe (PID: 2704)
- cmd.exe (PID: 3432)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 3432)
Uses NETSH.EXE for network configuration
- install-roxplayer.tmp (PID: 2812)
Starts Internet Explorer
- roxplayer.exe (PID: 3588)
INFO
Application launched itself
- msiexec.exe (PID: 424)
- iexplore.exe (PID: 3696)
Loads dropped or rewritten executable
- install-roxplayer.tmp (PID: 2812)
Application was dropped or rewritten from another process
- install-roxplayer.tmp (PID: 1064)
- install-roxplayer.tmp (PID: 2812)
Dropped object may contain Bitcoin addresses
- install-roxplayer.tmp (PID: 2812)
Creates files in the program directory
- install-roxplayer.tmp (PID: 2812)
Changes internet zones settings
- iexplore.exe (PID: 3696)
Reads internet explorer settings
- iexplore.exe (PID: 2312)
Creates files in the user directory
- iexplore.exe (PID: 2312)
Adds / modifies Windows certificates
- iexplore.exe (PID: 2312)
Reads settings of System Certificates
- iexplore.exe (PID: 2312)
Changes settings of System certificates
- iexplore.exe (PID: 2312)
Creates a software uninstall entry
- install-roxplayer.tmp (PID: 2812)
Reads Internet Cache Settings
- iexplore.exe (PID: 2312)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (88.6) |
|---|---|---|
| .mst | | | Windows SDK Setup Transform Script (10) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| Title: | Installation Database |
|---|---|
| Keywords: | Installer, MSI, Database |
| LastPrinted: | 2009:12:11 11:47:44 |
| CreateDate: | 2009:12:11 11:47:44 |
| ModifyDate: | 2009:12:11 11:47:44 |
| Pages: | 200 |
| Security: | None |
| CodePage: | Windows Latin 1 (Western European) |
| RevisionNumber: | {AE2EFA33-057A-4EC9-BA4C-5BDE83718529} |
| Words: | 10 |
| Subject: | ROX Player |
| Author: | RoxPlayer |
| LastModifiedBy: | - |
| Software: | Advanced Installer 10.0 build 50412 |
| Template: | ;1033 |
| Comments: | This installer database contains the logic and data required to install ROX Player. |
Total processes
60
Monitored processes
20
Malicious processes
7
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 424 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1064 | "C:\Users\admin\AppData\Local\Temp\is-JBR6E.tmp\install-roxplayer.tmp" /SL5="$500130,18673267,174080,C:\Users\admin\AppData\Roaming\RoxTemp\RoxPlayer_1\install-roxplayer.exe" -filename "C:\Users\admin\AppData\Local\Temp\install-roxplayer.msi" | C:\Users\admin\AppData\Local\Temp\is-JBR6E.tmp\install-roxplayer.tmp | — | install-roxplayer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2280 | "C:\Users\admin\AppData\Roaming\RoxTemp\RoxPlayer_1\install-roxplayer.exe" -filename "C:\Users\admin\AppData\Local\Temp\install-roxplayer.msi" | C:\Users\admin\AppData\Roaming\RoxTemp\RoxPlayer_1\install-roxplayer.exe | aipackagechainer.exe | ||||||||||||
User: admin Company: Integrity Level: MEDIUM Description: ROX Player Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 2312 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3696 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2404 | "netsh.exe" advfirewall firewall add allowedprogram "C:\Users\admin\AppData\Local\ROX Player\roxplayer.exe" "ROX Player" ENABLE ALL | C:\Windows\system32\netsh.exe | — | install-roxplayer.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2488 | "C:\Users\admin\AppData\Local\ROX Player\roxplayer.exe" | C:\Users\admin\AppData\Local\ROX Player\roxplayer.exe | install-roxplayer.tmp | ||||||||||||
User: admin Company: PS Pay Solutions UG Integrity Level: MEDIUM Description: ROX Player Exit code: 0 Version: 1.4.7.0 Modules
| |||||||||||||||
| 2704 | "C:\Users\admin\AppData\Roaming\RoxTemp\aipackagechainer.exe" | C:\Users\admin\AppData\Roaming\RoxTemp\aipackagechainer.exe | msiexec.exe | ||||||||||||
User: admin Company: RoxPlayer Integrity Level: MEDIUM Description: This installer database contains the logic and data required to install ROX Player. Exit code: 0 Version: 1.000 Modules
| |||||||||||||||
| 2812 | "C:\Users\admin\AppData\Local\Temp\is-IHKNI.tmp\install-roxplayer.tmp" /SL5="$3E010E,18673267,174080,C:\Users\admin\AppData\Roaming\RoxTemp\RoxPlayer_1\install-roxplayer.exe" /SPAWNWND=$1A0212 /NOTIFYWND=$500130 -filename "C:\Users\admin\AppData\Local\Temp\install-roxplayer.msi" | C:\Users\admin\AppData\Local\Temp\is-IHKNI.tmp\install-roxplayer.tmp | install-roxplayer.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3124 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\install-roxplayer.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3132 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg | C:\Windows\system32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 532
Read events
2 195
Write events
313
Delete events
24
Modification events
| (PID) Process: | (3124) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\59\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\59\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: A801000000436C5BC847D401 | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 7396E6525533E3C17159E88D9FAF61765B9920027C806F15B5083AA53481144E | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress |
| Operation: | write | Name: | |
Value: C:\Windows\Installer\4c67a3.ipi | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders |
| Operation: | write | Name: | C:\Config.Msi\ |
Value: | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\4c67a4.rbs |
Value: 30689232 | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\4c67a4.rbsLow |
Value: 3181423328 | |||
| (PID) Process: | (424) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Caphyon\Advanced Installer\Prereqs\{6C3CA6AB-FAEB-41C9-AEE5-B392FAAB1C16}\1.000 |
| Operation: | write | Name: | RoxPlayer_1 |
Value: 1 | |||
Executable files
315
Suspicious files
10
Text files
140
Unknown types
60
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 424 | msiexec.exe | C:\Windows\Installer\MSI684D.tmp | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Windows\Installer\MSI68EA.tmp | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Windows\Installer\MSI68FB.tmp | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Windows\Installer\MSI690C.tmp | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Windows\Installer\MSI691C.tmp | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF0AB58D1AE79591A0.TMP | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Windows\Installer\MSI695D.tmp | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Windows\Installer\MSI695C.tmp | — | |
MD5:— | SHA256:— | |||
| 424 | msiexec.exe | C:\Windows\Installer\MSI699D.tmp | — | |
MD5:— | SHA256:— | |||
| 3704 | MsiExec.exe | C:\Users\admin\AppData\Local\Temp\{076B9E50-F547-42C0-B15B-B46A8CB54186}.bat | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
16
DNS requests
9
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2312 | iexplore.exe | GET | 301 | 78.46.111.130:80 | http://roxplayer.com/visit/install/ZXlKVGFYUmxWVlZKUkNJNkltWTJZMlE0WVdRMkxXWmlaRE10WmpJeFlTMDJZMlkwTFdaaE5USmlPV0V6Tm1Ka09TSXNJa052YlhCMWRHVnlTVVFpT2lJNU5UVTBOalExWVMxaFpUQmhMVE5rTnpRdE16VmpPQzAwTkRSa1pqVmlaakZpWTJNaUxDSlNaV3hsWVhObElqb2lNUzQwT0RBaUxDSlBjMVJwZEd4bElqb2lWMmx1Wkc5M2N5QTNJaXdpVDNOV1pYSnphVzl1SWpvaU5pNHhJaXdpUTI5dVptbG5TVVFpT2lJaWZRPT0= | DE | — | — | malicious |
3704 | MsiExec.exe | GET | 200 | 78.46.111.130:80 | http://roxplayer.com/install-roxplayer.exe | DE | executable | 18.2 Mb | malicious |
2312 | iexplore.exe | GET | 200 | 78.46.111.130:80 | http://roxplayer.com/visit/install/thanx/ | DE | html | 1.77 Kb | malicious |
2312 | iexplore.exe | GET | 200 | 78.46.111.130:80 | http://static.roxplayer.com/css/style.css?v=0.5.1 | DE | text | 1.99 Kb | suspicious |
2312 | iexplore.exe | GET | 200 | 78.46.111.130:80 | http://static.roxplayer.com/img/icons/google.png | DE | image | 1.81 Kb | suspicious |
2312 | iexplore.exe | GET | 200 | 78.46.111.130:80 | http://static.roxplayer.com/img/icons/facebook.png | DE | image | 1.04 Kb | suspicious |
2312 | iexplore.exe | GET | 200 | 78.46.111.130:80 | http://static.roxplayer.com/img/icons/vk.png | DE | image | 1.85 Kb | suspicious |
2312 | iexplore.exe | GET | 200 | 78.46.111.130:80 | http://static.roxplayer.com/img/logo.gif | DE | image | 4.97 Kb | suspicious |
2312 | iexplore.exe | GET | 200 | 78.46.111.130:80 | http://static.roxplayer.com/img/back.gif | DE | image | 3.87 Kb | suspicious |
2312 | iexplore.exe | GET | 301 | 104.24.114.90:80 | http://movieplay.me/transit/ | US | html | 228 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3704 | MsiExec.exe | 78.46.111.130:80 | roxplayer.com | Hetzner Online GmbH | DE | suspicious |
2312 | iexplore.exe | 78.46.111.130:80 | roxplayer.com | Hetzner Online GmbH | DE | suspicious |
3696 | iexplore.exe | 131.253.33.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2312 | iexplore.exe | 216.58.212.206:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
2312 | iexplore.exe | 104.24.114.90:80 | movieplay.me | Cloudflare Inc | US | shared |
2488 | roxplayer.exe | 78.46.111.130:443 | roxplayer.com | Hetzner Online GmbH | DE | suspicious |
2488 | roxplayer.exe | 78.46.111.130:80 | roxplayer.com | Hetzner Online GmbH | DE | suspicious |
2312 | iexplore.exe | 172.217.19.202:443 | ajax.googleapis.com | Google Inc. | US | whitelisted |
2488 | roxplayer.exe | 13.107.4.50:80 | www.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
roxplayer.com |
| malicious |
www.bing.com |
| whitelisted |
static.roxplayer.com |
| unknown |
movieplay.me |
| malicious |
www.google-analytics.com |
| whitelisted |
api.roxplayer.com |
| unknown |
www.download.windowsupdate.com |
| whitelisted |
ajax.googleapis.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3704 | MsiExec.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3704 | MsiExec.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
Process | Message |
|---|---|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | MsiTableReader: Getting the active MSI database for this installation session...
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | MsiTableReader: Getting the active MSI database for this installation session...
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | Build JOINed tables CustomActionData string...
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | SELECT Join Query: [SELECT * FROM `RemoveFile`, `AI_RemoveFile` WHERE `RemoveFile`.`FileKey` = `AI_RemoveFile`.`RemoveFile`].
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | MsiTableReader::ExecuteQuery [SELECT * FROM `RemoveFile`, `AI_RemoveFile` WHERE `RemoveFile`.`FileKey` = `AI_RemoveFile`.`RemoveFile`]...
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | MsiTableReader::ExecuteQuery [DELETE FROM `RemoveFile` WHERE `RemoveFile`.`FileKey`='__1']...
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | Deffered with rollback scheduled.
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=3532] | OnAiRemoveFileImmediate end.
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=2468] | OnAiRemoveFiles start.
|
MsiExec.exe | # 2018-09-09 @00:04:56 [PID=3704|Thread=2468] | CollectRemoveFileData start.
|