| File name: | MicrosoftEasyFix51044.msi |
| Full analysis: | https://app.any.run/tasks/285ac4f9-bb1f-476a-a4a4-cc12a4f6697f |
| Verdict: | Malicious activity |
| Analysis date: | September 20, 2019, 11:36:53 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 950, Title: Easy fix 51044 v2.1.4.0, Subject: Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows, Author: Microsoft Corporation ?, Keywords: KB3140245, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Template: Intel;1033, Last Saved By: Intel;1028, Revision Number: {244F2DFA-E397-45B0-AEE5-C663CC5C5538}2.1.4.0;{244F2DFA-E397-45B0-AEE5-C663CC5C5538}2.1.4.0;{A8A2D8AF-C65E-4025-B24B-A91E6D138782}, Number of Pages: 200, Number of Characters: 32 |
| MD5: | CE6BFAEF90F6A5365C37B07E65EB9264 |
| SHA1: | 8B11F826932A5444067399C3C48720A91E9FFEB7 |
| SHA256: | F55B3AAB50CE0D22CC3EC504F17A9BDB5A8840263E10209C12B3BEDDB12AB2EB |
| SSDEEP: | 24576:PhjjDNEhWs8qsCHbhsmLkFsghMJhmrosjs4IsoWds/dAsZsD49sysks2s0/stsus:PhjjWQwLKhMJgjAWcdD |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- msiexec.exe (PID: 3320)
Executed as Windows Service
- vssvc.exe (PID: 2936)
Executed via COM
- FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2172)
- DrvInst.exe (PID: 3020)
- explorer.exe (PID: 2868)
Starts Internet Explorer
- explorer.exe (PID: 2868)
INFO
Creates files in the user directory
- iexplore.exe (PID: 3052)
- FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2172)
Changes internet zones settings
- iexplore.exe (PID: 2008)
Searches for installed software
- msiexec.exe (PID: 3320)
Reads internet explorer settings
- iexplore.exe (PID: 3052)
Low-level read access rights to disk partition
- vssvc.exe (PID: 2936)
Application launched itself
- msiexec.exe (PID: 3320)
Reads Internet Cache Settings
- iexplore.exe (PID: 3052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CreateDate: | 1999:06:21 07:00:00 |
|---|---|
| Software: | Windows Installer |
| Security: | Password protected |
| CodePage: | Windows Latin 1 (Western European) |
| Pages: | 200 |
| Comments: | - |
| Words: | 2 |
| ModifyDate: | 2015:06:19 01:34:43 |
| LastPrinted: | 2015:06:19 01:34:43 |
| Title: | Easy fix 51044 v2.1.4.0 |
| Subject: | Update to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows |
| Author: | Microsoft Corporation © |
| Keywords: | KB3140245 |
| RevisionNumber: | {70D613BA-5710-40BC-9538-F53C04F11FB9} |
| Template: | Intel;1033,1025,1026,1029,1030,1031,1032,3082,1061,1035,1036,1037,1081,1050,1038,1057,1040,1041,1042,1063,1062,1043,1044,1045,2070,1046,1048,1049,1051,1060,2074,1053,1054,1055,1058,1066,2052,1028,0 |
| LastModifiedBy: | Intel;1 |
| Characters: | 32 |
Total processes
45
Monitored processes
11
Malicious processes
0
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2008 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2172 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 Modules
| |||||||||||||||
| 2232 | C:\Windows\system32\MsiExec.exe -Embedding 62293CAA89DC4E9F8C99C1C735AD1277 M Global\MSI0000 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2860 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\MicrosoftEasyFix51044.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2868 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2936 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3020 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005B8" "000002D4" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3052 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2008 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3120 | C:\Windows\system32\MsiExec.exe -Embedding 0EC034CE86635CDFB92E5FD9A0C971D7 | C:\Windows\system32\MsiExec.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3320 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 061
Read events
800
Write events
248
Delete events
13
Modification events
| (PID) Process: | (2860) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3320) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000E8F513CAA76FD501F80C0000980A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3320) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4000000000000000E8F513CAA76FD501F80C0000980A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3320) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 24 | |||
| (PID) Process: | (3320) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4000000000000000BA3F7FCAA76FD501F80C0000980A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3320) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 400000000000000014A281CAA76FD501F80C000038090000E8030000010000000000000000000000902D4439EDC5E5468EC98C2D5E98B8C50000000000000000 | |||
| (PID) Process: | (2936) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000007C2B8BCAA76FD501780B000098090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2936) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000007C2B8BCAA76FD501780B0000AC090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2936) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000007C2B8BCAA76FD501780B0000A00A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2936) vssvc.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000007C2B8BCAA76FD501780B0000AC0D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
2
Suspicious files
10
Text files
124
Unknown types
11
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3320 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3320 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF95C048BB5A3B47E8.TMP | — | |
MD5:— | SHA256:— | |||
| 2936 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
| 3320 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF94A05D83B3AC0AA0.TMP | — | |
MD5:— | SHA256:— | |||
| 2008 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2008 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 3320 | msiexec.exe | C:\Windows\Installer\172da8.ipi | binary | |
MD5:— | SHA256:— | |||
| 3020 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:— | SHA256:— | |||
| 3320 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{39442d90-c5ed-46e5-8ec9-8c2d5e98b8c5}_OnDiskSnapshotProp | binary | |
MD5:— | SHA256:— | |||
| 3020 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
25
DNS requests
11
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3052 | iexplore.exe | GET | 302 | 2.19.38.59:80 | http://go.microsoft.com/fwlink/?LinkID=143357&cid=51044&P2=51044&ct=fxit&P0=fxit&showpage=1 | unknown | — | — | whitelisted |
3052 | iexplore.exe | GET | 301 | 184.31.82.138:80 | http://answers.microsoft.com/?cid=51044&P2=51044&ct=fxit&P0=fxit&showpage=1 | NL | — | — | whitelisted |
2008 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3120 | MsiExec.exe | 2.19.38.59:443 | go.microsoft.com | Akamai International B.V. | — | whitelisted |
3120 | MsiExec.exe | 2.18.233.31:443 | fixit.support.microsoft.com | Akamai International B.V. | — | whitelisted |
3052 | iexplore.exe | 2.19.38.59:80 | go.microsoft.com | Akamai International B.V. | — | whitelisted |
2008 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3052 | iexplore.exe | 184.31.82.138:80 | answers.microsoft.com | Akamai International B.V. | NL | whitelisted |
3052 | iexplore.exe | 184.31.82.138:443 | answers.microsoft.com | Akamai International B.V. | NL | whitelisted |
3052 | iexplore.exe | 2.18.233.62:443 | www.microsoft.com | Akamai International B.V. | — | whitelisted |
3052 | iexplore.exe | 2.18.232.244:443 | uhf.microsoft.com | Akamai International B.V. | — | whitelisted |
3052 | iexplore.exe | 2.16.186.32:443 | answersstaticfilecdn.azureedge.net | Akamai International B.V. | — | whitelisted |
3052 | iexplore.exe | 2.16.186.27:443 | statics-marketingsites-neu-ms-com.akamaized.net | Akamai International B.V. | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
go.microsoft.com |
| whitelisted |
fixit.support.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
answers.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
statics-marketingsites-neu-ms-com.akamaized.net |
| whitelisted |
answersstaticfilecdn.azureedge.net |
| whitelisted |
uhf.microsoft.com |
| whitelisted |
img-prod-cms-rt-microsoft-com.akamaized.net |
| whitelisted |
az725175.vo.msecnd.net |
| whitelisted |
Threats
Process | Message |
|---|---|
MsiExec.exe | Sending Client Message: cid=bd1eed3a-031e-4279-e983-7203b865b7d1&ln=1033&src=msi&sid=51044&data=<client version="1.0"><windows version="6.0.6000" sp="0.0" suite="256" product="1" arch="x86"><msi version="5.0.7601.17514"/><dotnet version="2.0.50727"/><language system="1033" user="1033"/></windows></client>
<client version="1.0"><windows version="6.0.6000" sp="0.0" suite="256" product="1" arch="x86"><msi version="5.0.7601.17514"/><dotnet version="2.0.50727"/><language system="1033" user="1033"/></windows></client>
|
MsiExec.exe | SendInternetMessage returning status 00000000 (3.337249 seconds)
|
MsiExec.exe | Sending Client Log Message: id=0&script=1&eula=1&data=<log version="1.0"><install><environment admin="0" ui="5"/><milestone id="InstallFinalize" action="0" result="0"/></install></log>
<log version="1.0"><install><environment admin="0" ui="5"/><milestone id="InstallFinalize" action="0" result="0"/></install></log>
|
MsiExec.exe | SendInternetMessage returning status 00000000 (2.704549 seconds)
|