File name:

Dogusign Reader 1.26g.msi

Full analysis: https://app.any.run/tasks/a1531798-9771-4adb-ad8a-d2acd581a0a7
Verdict: Malicious activity
Threats:

HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses.

Analysis date: January 10, 2025, 22:37:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
stealer
lumma
hijackloader
loader
golang
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Palsgravine, Author: Chaplainry Strudel, Keywords: Installer, Comments: This installer database contains the logic and data required to install Palsgravine., Template: Intel;1033, Revision Number: {823F9B91-5B1C-4363-89EB-5E534851E2CD}, Create Time/Date: Fri Jan 10 04:07:28 2025, Last Saved Time/Date: Fri Jan 10 04:07:28 2025, Number of Pages: 500, Number of Words: 10, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2
MD5:

35F774E65E57F419FFF8D8F74945EA51

SHA1:

C3E1D2D50A9BBCA445576E0D71C6984CC1DC60BB

SHA256:

D00A3E22E53210ACBD5C3E39B85332E3D47C8EC001D2BBF7A13ABB07427BBBA2

SSDEEP:

98304:u6Q1TY/CdEG26wjPcEU9Z3eWXCiifD9sjT9abLW1WwqsZydr4oor437Ae5AKqSK3:UK/+bHYenoRPGg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HIJACKLOADER has been detected (YARA)

      • cmd.exe (PID: 4980)
    • Actions looks like stealing of personal data

      • explorer.exe (PID: 6732)
    • Connects to the CnC server

      • explorer.exe (PID: 6764)
    • LUMMA mutex has been found

      • explorer.exe (PID: 6732)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6496)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6444)
    • Starts itself from another location

      • RttHlp.exe (PID: 2800)
      • RttHlp.exe (PID: 3988)
    • Executable content was dropped or overwritten

      • RttHlp.exe (PID: 2800)
      • RttHlp.exe (PID: 3988)
    • Starts CMD.EXE for commands execution

      • RttHlp.exe (PID: 1804)
      • RttHlp.exe (PID: 3988)
    • Connects to unusual port

      • explorer.exe (PID: 6764)
    • Connects to the server without a host name

      • explorer.exe (PID: 6764)
  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 6444)
      • RttHlp.exe (PID: 2800)
      • RttHlp.exe (PID: 1804)
      • RttHlp.exe (PID: 3988)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6444)
      • RttHlp.exe (PID: 2800)
    • The sample compiled with english language support

      • msiexec.exe (PID: 6248)
      • RttHlp.exe (PID: 2800)
      • msiexec.exe (PID: 6444)
      • RttHlp.exe (PID: 3988)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6444)
    • Manages system restore points

      • SrTasks.exe (PID: 7096)
    • Checks supported languages

      • msiexec.exe (PID: 6444)
      • RttHlp.exe (PID: 3988)
      • RttHlp.exe (PID: 2800)
      • RttHlp.exe (PID: 1804)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6444)
    • Create files in a temporary directory

      • RttHlp.exe (PID: 3988)
    • Application based on Golang

      • explorer.exe (PID: 6764)
    • Reads the software policy settings

      • explorer.exe (PID: 6732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: Read-only recommended
Software: WiX Toolset (4.0.0.0)
Words: 10
Pages: 500
ModifyDate: 2025:01:10 04:07:28
CreateDate: 2025:01:10 04:07:28
RevisionNumber: {823F9B91-5B1C-4363-89EB-5E534851E2CD}
Template: Intel;1033
Comments: This installer database contains the logic and data required to install Palsgravine.
Keywords: Installer
Author: Chaplainry Strudel
Subject: Palsgravine
Title: Installation Database
CodePage: Windows Latin 1 (Western European)
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
14
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs rtthlp.exe rtthlp.exe rtthlp.exe no specs #HIJACKLOADER cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #LUMMA explorer.exe explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
6248"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Dogusign Reader 1.26g.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6444C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6496C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7096C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7104\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2800"C:\Users\admin\AppData\Local\Yarrow\RttHlp.exe"C:\Users\admin\AppData\Local\Yarrow\RttHlp.exe
msiexec.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit RttHlp
Exit code:
0
Version:
11.0.0.0
Modules
Images
c:\users\admin\appdata\local\yarrow\rtthlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
3988C:\Users\admin\AppData\Roaming\configRemote_PZ4\RttHlp.exeC:\Users\admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
RttHlp.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit RttHlp
Exit code:
1
Version:
11.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\configremote_pz4\rtthlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
1804C:\Users\admin\AppData\Roaming\configRemote_PZ4\YEGPXJGHGKZZAQPHDPP\RttHlp.exeC:\Users\admin\AppData\Roaming\configRemote_PZ4\YEGPXJGHGKZZAQPHDPP\RttHlp.exeRttHlp.exe
User:
admin
Company:
IObit
Integrity Level:
MEDIUM
Description:
IObit RttHlp
Exit code:
1
Version:
11.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\configremote_pz4\yegpxjghgkzzaqphdpp\rtthlp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
4980C:\WINDOWS\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
RttHlp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
5096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 495
Read events
3 230
Write events
247
Delete events
18

Modification events

(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000313CDE46B063DB012C19000050190000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000313CDE46B063DB012C19000050190000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000006CB35047B063DB012C19000050190000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
48000000000000006CB35047B063DB012C19000050190000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000FE7C5547B063DB012C19000050190000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000064465A47B063DB012C19000050190000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
48000000000000005813BB48B063DB012C19000050190000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6444) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000A2DCBF48B063DB012C190000D0190000E8030000010000000000000000000000725F8F6B41B98E4C997F1841560FB57F00000000000000000000000000000000
(PID) Process:(6496) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000C16CC948B063DB016019000080190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
9
Suspicious files
19
Text files
0
Unknown types
8

Dropped files

PID
Process
Filename
Type
6444msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6444msiexec.exeC:\Windows\Installer\13aaf9.msi
MD5:
SHA256:
6444msiexec.exeC:\Users\admin\AppData\Local\Yarrow\burro.ini
MD5:
SHA256:
6444msiexec.exeC:\Windows\Installer\13aafb.msi
MD5:
SHA256:
6444msiexec.exeC:\Windows\Installer\MSIB067.tmpbinary
MD5:DC699E8EC9AFD95A6B3F434B5E026984
SHA256:56D2E566384CA46D2FAFA0F072DE509078B5DE0946267CA68CB2C4BC60B04B35
6444msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipibinary
MD5:2DDC7016E0E89CA33AE92FD6962E52BE
SHA256:93FF8A1CB0B00D92E8AF51099459BA71A317D5330891028FEB03962C8FBE3060
6444msiexec.exeC:\Config.Msi\13aafa.rbsbinary
MD5:B7BADC318AF8B369A43A3C30D213C1D2
SHA256:06EDE0DB620A38BDCA1A2A74E1A1C27FECF217EE51800AA17A7AEB84DAB49691
6444msiexec.exeC:\Users\admin\AppData\Local\Yarrow\magnesium.csvbinary
MD5:038C02B1CDCE1B2738C09D9D2B8BBD74
SHA256:FF5F5110CA6CA5D57DB34EC4EA566D28D4B2535D71540331448711A25A89B3F4
6444msiexec.exeC:\Windows\Temp\~DF9DDB5524D2397C8D.TMPbinary
MD5:2DDC7016E0E89CA33AE92FD6962E52BE
SHA256:93FF8A1CB0B00D92E8AF51099459BA71A317D5330891028FEB03962C8FBE3060
6444msiexec.exeC:\Users\admin\AppData\Local\Yarrow\rtl120.bplexecutable
MD5:ADF82ED333FB5567F8097C7235B0E17F
SHA256:D6DD7A4F46F2CFDE9C4EB9463B79D5FF90FC690DA14672BA1DA39708EE1B9B50
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
42
DNS requests
21
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3040
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3688
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6764
explorer.exe
POST
200
46.8.232.106:80
http://46.8.232.106/
unknown
malicious
4672
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4672
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3040
svchost.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3040
svchost.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3040
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.145:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1176
svchost.exe
40.126.32.133:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.131
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.155
  • 104.126.37.178
  • 104.126.37.139
  • 104.126.37.130
  • 104.126.37.129
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.133
  • 40.126.32.140
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.72
  • 40.126.32.134
  • 20.190.160.20
  • 40.126.32.76
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
4 ETPRO signatures available at the full report
No debug info