Field | Value |
---|---|
File name: | run.msi |
Full analysis: | https://app.any.run/tasks/64515381-f596-408a-96ac-a6bb8b9c9b3d |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | March 21, 2019, 11:52:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {2622B2D2-0293-4E19-A4BE-590CF4C9B544}, Number of Words: 10, Subject: Caff, Author: Caff, Name of Creating Application: Advanced Installer 14.4 build 82383, Template: ;1033, Comments: This installer database contains the logic and data required to install Caff., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 |
MD5: | 1D7B8B1FBF676329A7A9A2D03DBB5877 |
SHA1: | 446B6527EC4F1E145579A10B6DDE973CAC0137FB |
SHA256: | 7200D5C19A1F4110E45D5E5588F3952355059AC73D8826509511B0E042771619 |
SSDEEP: | 24576:fCcYknjfVAsskAjBlAU0tPV9qbvU6GE+QZK/pcZXyqz91mbWWBaG:fCcYkjfVvskAjTAU0FVMNnhKyZ3yjBaG |
Extension | Detected file type (score) |
---|---|
.msi | Microsoft Windows Installer (81.9) |
.mst | Windows SDK Setup Transform Script (9.2) |
.msp | Windows Installer Patch (7.6) |
.msi | Microsoft Installer (100) |
Property | Value |
---|---|
LastPrinted: | 2009:12:11 11:47:44 |
CreateDate: | 2009:12:11 11:47:44 |
ModifyDate: | 2009:12:11 11:47:44 |
Security: | None |
CodePage: | Windows Latin 1 (Western European) |
RevisionNumber: | {2622B2D2-0293-4E19-A4BE-590CF4C9B544} |
Words: | 10 |
Subject: | Caff |
Author: | Caff |
LastModifiedBy: | - |
Software: | Advanced Installer 14.4 build 82383 |
Template: | ;1033 |
Comments: | This installer database contains the logic and data required to install Caff. |
Title: | Installation Database |
Keywords: | Installer, MSI, Database |
Pages: | 200 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
3464 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\run.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2672 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
3940 | C:\Windows\system32\MsiExec.exe -Embedding A47D9F0F9EAD51C9C1A4DC0E24170805 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2816 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | — | explorer.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 3221225547; Version: 73.0.3683.75 |
3516 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f150f18,0x6f150f28,0x6f150f34 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 73.0.3683.75 |
856 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2832 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 73.0.3683.75 |
3748 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16779339042617556181 --mojo-platform-channel-handle=952 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 73.0.3683.75 |
4084 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15351000550379488359 --mojo-platform-channel-handle=1516 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 73.0.3683.75 |
2268 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --service-pipe-token=7661315324452360898 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7661315324452360898 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 73.0.3683.75 |
2644 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --service-pipe-token=3662909965808991373 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3662909965808991373 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: LOW; Description: Google Chrome; Exit code: 0; Version: 73.0.3683.75 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2672 | msiexec.exe | C:\Windows\Installer\MSIAB1.tmp | — | — | — |
2672 | msiexec.exe | C:\Windows\Installer\MSIAE1.tmp | — | — | — |
2672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFA3B688CFCB423F97.TMP | — | — | — |
2672 | msiexec.exe | C:\Windows\Installer\10094b.ipi | — | — | — |
2672 | msiexec.exe | C:\Windows\Installer\MSIB7F.tmp | — | — | — |
2672 | msiexec.exe | C:\Windows\Installer\MSIB9F.tmp | — | — | — |
2672 | msiexec.exe | C:\Windows\Installer\MSIB5F.tmp | — | — | — |
2672 | msiexec.exe | C:\Config.Msi\10094c.rbs | — | — | — |
2672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF4A11990AD40D6834.TMP | — | — | — |
2816 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4084 | chrome.exe | GET | 200 | 87.247.155.64:80 | http://87.247.155.64/nc.msi | GB | executable | 835 Kb | suspicious |
4084 | chrome.exe | GET | 200 | 87.247.155.64:80 | http://87.247.155.64/ | GB | html | 1.21 Kb | suspicious |
4084 | chrome.exe | GET | 302 | 172.217.23.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 506 b | whitelisted |
4084 | chrome.exe | GET | 200 | 173.194.183.103:80 | http://r2---sn-aigl6nek.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=194.187.251.125&mm=28&mn=sn-aigl6nek&ms=nvh&mt=1553169143&mv=m&pl=24&shardbypass=yes | US | crx | 842 Kb | whitelisted |
4084 | chrome.exe | GET | 200 | 87.247.155.64:80 | http://87.247.155.64/ReservationFlight233212.hta | GB | html | 1.61 Mb | suspicious |
4084 | chrome.exe | GET | 404 | 87.247.155.64:80 | http://87.247.155.64/favicon.ico | GB | xml | 1.16 Kb | suspicious |
4084 | chrome.exe | GET | 200 | 87.247.155.64:80 | http://87.247.155.64/icons/unknown.gif | GB | image | 245 b | suspicious |
4084 | chrome.exe | GET | 200 | 87.247.155.64:80 | http://87.247.155.64/icons/blank.gif | GB | image | 148 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4084 | chrome.exe | 172.217.23.174:80 | redirector.gvt1.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 216.58.208.35:443 | www.gstatic.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 172.217.23.131:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 216.58.210.4:443 | www.google.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 172.217.22.110:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 216.58.207.46:443 | apis.google.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 172.217.18.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 216.58.207.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 173.194.183.103:80 | r2---sn-aigl6nek.gvt1.com | Google Inc. | US | whitelisted |
4084 | chrome.exe | 87.247.155.64:80 | — | — | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
clientservices.googleapis.com | | whitelisted |
www.google.com | | whitelisted |
accounts.google.com | | shared |
ssl.gstatic.com | | whitelisted |
www.gstatic.com | | whitelisted |
apis.google.com | | whitelisted |
clients2.google.com | | whitelisted |
redirector.gvt1.com | | whitelisted |
r2---sn-aigl6nek.gvt1.com | | whitelisted |
sb-ssl.google.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4084 | chrome.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |