File name:	87a5c4a72db0365f8b6999f3752f9e485cc0968367488d847a04c551bdc65770.msi
Full analysis:	https://app.any.run/tasks/7cb28b68-03d4-485c-91cc-12fbb7dab186
Verdict:	Malicious activity
Threats:	Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	July 21, 2024, 08:56:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc remote rat gh0st
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 936, Title: Installation Database, Subject: My Product Installer, Author: My Company, Keywords: Installer, Comments: Package Comments, Template: x64;0, Revision Number: {89C20E63-A82C-4033-B557-4079D717B484}, Create Time/Date: Fri Jul 19 17:26:32 2024, Last Saved Time/Date: Fri Jul 19 17:26:32 2024, Number of Pages: 500, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.9.1208.0), Security: 2
MD5:	AEE434CCFA9AAB767C1B275F48C8246C
SHA1:	250C1FF726C88B0D5F4EB0C3516A79CC5B81380F
SHA256:	87A5C4A72DB0365F8B6999F3752F9E485CC0968367488D847A04C551BDC65770
SSDEEP:	98304:u8ISUyo3C6213mQOkCbKoHvGrPGF/YoNVcm6GKEaLxLf0RT1Q3TTycMp2xP1U+Hz:Udi7T0MzzW

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Simplified Chinese (PRC, Singapore)
Title:	Installation Database
Subject:	My Product Installer
Author:	My Company
Keywords:	Installer
Comments:	Package Comments
Template:	x64;0
RevisionNumber:	{89C20E63-A82C-4033-B557-4079D717B484}
CreateDate:	2024:07:19 17:26:32
ModifyDate:	2024:07:19 17:26:32
Pages:	500
Words:	10
Software:	Windows Installer XML Toolset (3.9.1208.0)
Security:	Read-only recommended


(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000001B2BC4EF4BDBDA01F41F000060180000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000004E8EC6EF4BDBDA01F41F000060180000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 48000000000000008E080EF04BDBDA01F41F000060180000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 48000000000000008E080EF04BDBDA01F41F000060180000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 48000000000000009B6C10F04BDBDA01F41F000060180000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000843315F04BDBDA01F41F000060180000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000F85279F04BDBDA01F41F000060180000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8180) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 48000000000000009BB77BF04BDBDA01F41F0000FC0B0000E803000001000000000000000000000052D42CC25A4C084B958F763EFA7DADBD00000000000000000000000000000000
(PID) Process:	(6976) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000151C7EF04BDBDA01401B0000CC080000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
8180	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
8180	msiexec.exe	C:\WINDOWS\Installer\42cc76.msi		—
		MD5:—	SHA256:—
8180	msiexec.exe	C:\WINDOWS\Installer\42cc77.msi		—
		MD5:—	SHA256:—
8180	msiexec.exe	C:\ProgramData\Microsoft\EdgeUpdate\Log\log.log		—
		MD5:—	SHA256:—
8180	msiexec.exe	C:\WINDOWS\Installer\42cc79.msi		—
		MD5:—	SHA256:—
8180	msiexec.exe	C:\WINDOWS\Installer\MSICCE4.tmp		executable
		MD5:B9FF2DD6924711531E59E90581CDA548	SHA256:AD564D4D64BB74EA6819E081534131F6F78E3C019D37ABBC3EEF8E09DFED96D7
8180	msiexec.exe	C:\WINDOWS\Installer\MSIEBC7.tmp		executable
		MD5:B9FF2DD6924711531E59E90581CDA548	SHA256:AD564D4D64BB74EA6819E081534131F6F78E3C019D37ABBC3EEF8E09DFED96D7
8180	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{c22cd452-4c5a-4b08-958f-763efa7dadbd}_OnDiskSnapshotProp		binary
		MD5:3F9A7654773007A55BED38C829D8977E	SHA256:F2B7B732CCB82026007786009CBC3A33DE4688831E83A9A1138E0C743118EF8A
8180	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{f5d8a1af-4d49-41ea-8099-8454d00738f8}_OnDiskSnapshotProp		binary
		MD5:378B9776AB2D9252327A4DDFA9F91854	SHA256:C3DB40D62DE48F781F12B28D8D4228093AF4C2E22C866E89B9B373AB167B2B94
8180	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:3F9A7654773007A55BED38C829D8977E	SHA256:F2B7B732CCB82026007786009CBC3A33DE4688831E83A9A1138E0C743118EF8A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	GET	200	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	unknown
—	—	GET	200	40.68.123.157:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	unknown
—	—	GET	304	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	GET	304	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	unknown
—	—	GET	200	184.86.251.28:443	https://www.bing.com/client/config?cc=US&setlang=en-US	unknown	binary	2.15 Kb	unknown
—	—	POST	403	95.101.149.131:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	95.101.149.131:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	unknown
—	—	POST	403	95.101.149.131:443	https://go.microsoft.com/fwlink/?LinkID=2257403&clcid=0x409	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4716	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5620	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2760	svchost.exe	40.115.3.253:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7552	backgroundTaskHost.exe	20.199.58.43:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	unknown
1888	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6944	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
login.live.com	20.190.159.23 40.126.31.69 20.190.159.75 20.190.159.71 40.126.31.67 20.190.159.68 20.190.159.4 40.126.31.73	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	142.250.181.238	whitelisted
arc.msn.com	20.199.58.43	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
www.bing.com	184.86.251.4 184.86.251.16 184.86.251.25 184.86.251.24 184.86.251.26 184.86.251.28 184.86.251.27 184.86.251.22 184.86.251.5	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

General Info

87a5c4a72db0365f8b6999f3752f9e485cc0968367488d847a04c551bdc65770.msi

AEE434CCFA9AAB767C1B275F48C8246C

250C1FF726C88B0D5F4EB0C3516A79CC5B81380F

87A5C4A72DB0365F8B6999F3752F9E485CC0968367488D847A04C551BDC65770

98304:u8ISUyo3C6213mQOkCbKoHvGrPGF/YoNVcm6GKEaLxLf0RT1Q3TTycMp2xP1U+Hz:Udi7T0MzzW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Reads security settings of Internet Explorer

Executes as Windows Service

Reads the Windows owner or organization settings

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Application launched itself

Uses TASKKILL.EXE to kill process

Using 'findstr.exe' to search for text patterns in files and output

Uses WMIC.EXE to obtain data on processes

Runs shell command (SCRIPT)

Starts POWERSHELL.EXE for commands execution

Suspicious use of asymmetric encryption in PowerShell

Executable content was dropped or overwritten

Creates file in the systems drive root

Reads the BIOS version

The process bypasses the loading of PowerShell profile settings

Base64-obfuscated command line is found

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Executable content was dropped or overwritten

Create files in a temporary directory

Reads Internet Explorer settings

Checks proxy server information

Creates a software uninstall entry

Reads the machine GUID from the registry

Creates files in the program directory

Reads security settings of Internet Explorer

Reads CPU info

Script raised an exception (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity