File name:	8355bd295c468007f6700cd1f969dc90c794f733158ef8f858a1180a2ee2cbaa.msi
Full analysis:	https://app.any.run/tasks/d16b38a8-52a7-4b25-b085-8e02aa778976
Verdict:	Malicious activity
Analysis date:	December 27, 2024, 23:50:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {1CD1875B-5E87-42CE-9389-9C216C5C1759}, Number of Words: 10, Subject: Cave App, Author: Weqos Apps Industries, Name of Creating Application: Cave App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Cave App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 27 06:19:13 2024, Last Saved Time/Date: Fri Dec 27 06:19:13 2024, Last Printed: Fri Dec 27 06:19:13 2024, Number of Pages: 450
MD5:	492132729EB10B285B0D97E5E73ECEFB
SHA1:	6A6EB7FF3C801766A868DDD1F32D3EB6A9C7844C
SHA256:	8355BD295C468007F6700CD1F969DC90C794F733158EF8F858A1180A2EE2CBAA
SSDEEP:	196608:Vv/ccT79lV46BmuSBEK8B7DhVG4QH6KovmePQszNBeC8RL:R0d6BmC7DhsB6DuePQwU

.msi	\|	Microsoft Windows Installer (88.6)
.mst	\|	Windows SDK Setup Transform Script (10)
.msi	\|	Microsoft Installer (100)

Security:	None
CodePage:	Windows Latin 1 (Western European)
RevisionNumber:	{1CD1875B-5E87-42CE-9389-9C216C5C1759}
Words:	10
Subject:	Cave App
Author:	Weqos Apps Industries
LastModifiedBy:	-
Software:	Cave App
Template:	x64;2057
Comments:	This installer database contains the logic and data required to install Cave App.
Title:	Installation Database
Keywords:	Installer, MSI, Database
CreateDate:	2024:12:27 06:19:13
ModifyDate:	2024:12:27 06:19:13
LastPrinted:	2024:12:27 06:19:13
Pages:	450


(PID) Process:	(396) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 8C01000057F46C1BBA58DB01
(PID) Process:	(396) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: 6ECBAA8B484200A13440DC06C23820187951AA7793A5E7404C29C37D7860764A
(PID) Process:	(396) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(396) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Users\admin\AppData\Roaming\Microsoft\Installer\
Value:
(PID) Process:	(396) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\E443C93FE38A0674D88A2F672090B5F4
Operation:	write	Name:	1D4F3572304C4D44CA2A03CD40F72228
Value: C:\Users\admin\AppData\Roaming\Weqos Apps Industries\Cave App\
(PID) Process:	(396) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\187E38CB2ED78A74793CE2C69CCBDA28
Operation:	write	Name:	1D4F3572304C4D44CA2A03CD40F72228
Value: 21:\Software\Weqos Apps Industries\Cave App\Version
(PID) Process:	(396) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\E7EE285D6BCFBB0488FD8D57166FADAC
Operation:	write	Name:	1D4F3572304C4D44CA2A03CD40F72228
Value: C:\Users\admin\AppData\Roaming\Weqos Apps Industries\Cave App\dvacore.dll
(PID) Process:	(396) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\51125544FAB230246BBFE149506FE373
Operation:	write	Name:	1D4F3572304C4D44CA2A03CD40F72228
Value: C:\Users\admin\AppData\Roaming\Weqos Apps Industries\Cave App\dvaunittesting.dll
(PID) Process:	(396) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\065A82ED1E5E5304C83A443964682A94
Operation:	write	Name:	1D4F3572304C4D44CA2A03CD40F72228
Value: C:\Users\admin\AppData\Roaming\Weqos Apps Industries\Cave App\ImporterREDServer.exe
(PID) Process:	(396) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\89B93D30BB7E2604DB2903D746A2C51F
Operation:	write	Name:	1D4F3572304C4D44CA2A03CD40F72228
Value: C:\Users\admin\AppData\Roaming\Weqos Apps Industries\Cave App\ghiuoqfj.rar

PID	Process	Filename		Type
396	msiexec.exe	C:\Windows\Installer\137d80.msi		—
		MD5:—	SHA256:—
2928	msiexec.exe	C:\Users\admin\AppData\Local\Temp\msi96C5.txt		—
		MD5:—	SHA256:—
2928	msiexec.exe	C:\Users\admin\AppData\Local\Temp\scr96C6.ps1		—
		MD5:—	SHA256:—
2928	msiexec.exe	C:\Users\admin\AppData\Local\Temp\scr96C7.txt		—
		MD5:—	SHA256:—
2928	msiexec.exe	C:\Users\admin\AppData\Local\Temp\pss96C8.ps1		—
		MD5:—	SHA256:—
396	msiexec.exe	C:\Windows\Installer\MSI8297.tmp		executable
		MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2	SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
396	msiexec.exe	C:\Windows\Installer\MSI7FF2.tmp		executable
		MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2	SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
396	msiexec.exe	C:\Windows\Installer\MSI95F2.tmp		binary
		MD5:3792C63C9BBE7259F81237DE25D9F720	SHA256:468A1A5D4C2E7FE748ACFE4917E280317F007F0D6DA97B10C7CA4657E4743954
396	msiexec.exe	C:\Windows\Installer\MSI80DE.tmp		executable
		MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2	SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
396	msiexec.exe	C:\Windows\Installer\MSI8238.tmp		executable
		MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2	SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5208	svchost.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5208	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	403	188.114.97.3:443	https://ksarcftp.com/updater.php	unknown	html	4.41 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5208	svchost.exe	2.16.241.19:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5208	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
2928	msiexec.exe	188.114.97.3:443	ksarcftp.com	CLOUDFLARENET	NL	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
ksarcftp.com	188.114.97.3 188.114.96.3	unknown
self.events.data.microsoft.com	20.42.73.27	whitelisted

General Info

8355bd295c468007f6700cd1f969dc90c794f733158ef8f858a1180a2ee2cbaa.msi

492132729EB10B285B0D97E5E73ECEFB

6A6EB7FF3C801766A868DDD1F32D3EB6A9C7844C

8355BD295C468007F6700CD1F969DC90C794F733158EF8F858A1180A2EE2CBAA

196608:Vv/ccT79lV46BmuSBEK8B7DhVG4QH6KovmePQszNBeC8RL:R0d6BmC7DhsB6DuePQwU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

SUSPICIOUS

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Checks Windows Trust Settings

The process executes Powershell scripts

The process creates files with name similar to system file names

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

The process hide an interactive prompt from the user

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Reverses array data (POWERSHELL)

The process drops C-runtime libraries

Executing commands from a ".bat" file

The executable file from the user directory is run by the CMD process

INFO

Reads the computer name

An automatically generated document

Checks supported languages

Executable content was dropped or overwritten

The sample compiled with english language support

Reads Environment values

Checks proxy server information

Reads the machine GUID from the registry

Reads the software policy settings

Create files in a temporary directory

Reads security settings of Internet Explorer

Creates a software uninstall entry

Creates files or folders in the user directory

Uses string replace method (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests