Field | Value |
---|---|
File name | 9d4506549b9e4906df8de5604e9f4bfefe84fdccbe996c5cb46877b629306e02 |
Full analysis | https://app.any.run/tasks/4f15f68a-35a3-4e89-a934-f63f3f17dfc4 |
Verdict | Malicious activity |
Analysis date | September 30, 2020, 07:17:35 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MIME | application/x-msi |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Code page: 1252, Last Printed: Wed Sep 23 11:25:12 2020, Title: Microsoft Contabilidade, Author: Microsoft Contabilidade, Template: Intel;1046, Last Saved By: Padrao, Revision Number: {56728283-E6B2-4B05-921F-F1162CC137B0}, Last Saved Time/Date: Wed Sep 23 11:25:23 2020, Number of Pages: 200, Number of Words: 10, Security: 0 |
MD5 | 158A77B96836DFC383FC959A2FCE3925 |
SHA1 | 6ECC87171886FA82BB663431C5E2893C3D5C1412 |
SHA256 | 9D4506549B9E4906DF8DE5604E9F4BFEFE84FDCCBE996C5CB46877B629306E02 |
SSDEEP | 6144:7VedjFBYTYQ7eEw8gpemh3+N7f4gsUEEgCtL:7k5FBeeP8uemk7fDsUEE9 |
Extension | Identified type (score) |
---|---|
.msi | Microsoft Windows Installer (98.5) |
.msi | Microsoft Installer (100) |
Property | Value |
---|---|
CreateDate | 1999:06:21 07:00:00 |
Software | Windows Installer |
CodePage | Windows Latin 1 (Western European) |
LastPrinted | 2020:09:23 10:25:12 |
Title | Microsoft Contabilidade |
Subject | - |
Author | Microsoft Contabilidade |
Keywords | - |
Comments | - |
Template | Intel;1046 |
LastModifiedBy | Padrao |
RevisionNumber | {56728283-E6B2-4B05-921F-F1162CC137B0} |
ModifyDate | 2020:09:23 10:25:23 |
Pages | 200 |
Words | 10 |
Security | None |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
588 | `"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\9d4506549b9e4906df8de5604e9f4bfefe84fdccbe996c5cb46877b629306e02.msi"` | C:\Windows\System32\msiexec.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2060 | `C:\Windows\system32\msiexec.exe /V` | C:\Windows\system32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2772 | `C:\Windows\system32\vssvc.exe` | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3248 | `C:\Windows\system32\MsiExec.exe -Embedding 74DC3457C1B7F8A05115D000C117B617` | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
2136 | `"C:\Windows\System32\msiexec.exe" /i Bad, bad boy. No donut for you. /q` | C:\Windows\System32\msiexec.exe | — | MsiExec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 1639; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
948 | `C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}` | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2060 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF24CC46FA32A23C86.TMP | — | — | — |
2772 | vssvc.exe | C: | — | — | — |
2060 | msiexec.exe | C:\Config.Msi\1ae11d.rbs | — | — | — |
2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFE47FBB4890B12C3A.TMP | — | — | — |
2060 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{8d012752-65f5-4bab-8007-85d91f04feb1}_OnDiskSnapshotProp | binary | 42A9C93C8865D229C7BC0D1923D59D4D | A2CB450A0AE9ED924F255B11CDB3E3783B9573941ED3D7ADE3A7648EAFDA4BC7 |
2060 | msiexec.exe | C:\Users\admin\AppData\Roaming\extrato.jpg | image | 7AAA84BC45E881911592C9A00BF359BA | 2E28A308955AA1F2A307CC5400B7A6BC57313DE604C9024A4B929C09A3B3234C |
2060 | msiexec.exe | C:\Windows\Installer\1ae11e.msi | executable | 158A77B96836DFC383FC959A2FCE3925 | 9D4506549B9E4906DF8DE5604E9F4BFEFE84FDCCBE996C5CB46877B629306E02 |
2060 | msiexec.exe | C:\Windows\Installer\MSIE3E9.tmp | binary | D2B78091C326126E3216F56779E86BD5 | 13AEF40ACF92874EACB10AFC15875F46B469308E42AB21826A73CE2FC0402332 |
2060 | msiexec.exe | C:\Windows\Installer\1ae11a.msi | executable | 158A77B96836DFC383FC959A2FCE3925 | 9D4506549B9E4906DF8DE5604E9F4BFEFE84FDCCBE996C5CB46877B629306E02 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3248 | MsiExec.exe | GET | 200 | 187.45.193.152:80 | http://cecosal.org.br/wp-includes/Requests/Transport/index.php | BR | text | 31 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3248 | MsiExec.exe | 187.45.193.152:80 | cecosal.org.br | Locaweb Serviços de Internet S/A | BR | malicious |
Domain | IP | Reputation |
---|---|---|
cecosal.org.br | 187.45.193.152 | malicious |
PID | Process | Class | Message |
---|---|---|---|
3248 | MsiExec.exe | A Network Trojan was detected | MALWARE [PTsecurity] VBS.Loader.Gen |