IOC Report
avp.msi

Files

File Path

Type

Category

Malicious

avp.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}, Number of Words: 10, Subject: GeoTdata, Author: Since Flawer, Name of Creating Application: GeoTdata, Template: ;1033, Comments: This installer database contains the logic and data required to install GeoTdata., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

initial sample

C:\Users\user\AppData\Local\Temp\MSI1B7B.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\MSI1C09.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\MSI1C29.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\MSI1C4A.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\MSI1C6A.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\MSI1C9A.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\sharepoint\forcedelctl.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI1DEC.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI1E99.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Config.Msi\651cf3.rbs

data

modified

C:\Windows\Installer\651cf2.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}, Number of Words: 10, Subject: GeoTdata, Author: Since Flawer, Name of Creating Application: GeoTdata, Template: ;1033, Comments: This installer database contains the logic and data required to install GeoTdata., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

dropped

C:\Windows\Installer\MSI1F37.tmp

data

dropped

C:\Windows\Installer\SourceHash{52EF198D-0C6C-406A-803F-F86D93DD7930}

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Installer\inprogressinstallinfo.ipi

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

C:\Windows\Temp\~DF341066AD21468A34.TMP

data

dropped

C:\Windows\Temp\~DF8D5330CF8902C66C.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DFEC7D49F85E5735A0.TMP

data

dropped

C:\Windows\Temp\~DFED361DB57782FD8E.TMP

data

dropped

There are 10 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\avp.msi"

Details

Is windows:	true
Is dropped:	false
PID:	7012
Target ID:	0
Parent PID:	2580
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\avp.msi"
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	06:14:42
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff735060000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	7084
Target ID:	1
Parent PID:	620
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	06:14:42
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff735060000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C10F74E54A153762865D83F4FD97627E C

Details

Is windows:	true
Is dropped:	false
PID:	6408
Target ID:	2
Parent PID:	7084
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding C10F74E54A153762865D83F4FD97627E C
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	06:14:42
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x170000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E8F250EF0BB0858F7D9FA6A616305218

Details

Is windows:	true
Is dropped:	false
PID:	5088
Target ID:	3
Parent PID:	7084
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding E8F250EF0BB0858F7D9FA6A616305218
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	06:14:43
Date:	19/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x170000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

IP

Malicious

http://85.239.53.219/api/gateway

85.239.53.219

Details

Name:	http://85.239.53.219/api/gateway
IP:	85.239.53.219
TargetID:	3
From Memory:	false
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

http://85.239.53.219/api/7f841ea3-c875-6dfd-678b-29dc794014c1/tasks

85.239.53.219

Details

Name:	http://85.239.53.219/api/7f841ea3-c875-6dfd-678b-29dc794014c1/tasks
IP:	85.239.53.219
TargetID:	3
From Memory:	false
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Source:	network

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
IP address seen in connection with other malware	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

https://api.ipify.org/

104.26.12.205

Details

Name:	https://api.ipify.org/
IP:	104.26.12.205
TargetID:	3
From Memory:	false
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Source:	network
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
IP address seen in connection with other malware	Networking
Sigma detected: Msiexec Initiated Connection	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://www.advancedinstaller.com

unknown

https://www.thawte.com/cps0/

unknown

https://www.thawte.com/repository0W

unknown

Domains

Name

IP

Malicious

api.ipify.org

104.26.12.205

Details

Name:	api.ipify.org
IP:	104.26.12.205
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Sigma detected: Msiexec Initiated Connection	System Summary
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

IP

Domain

Country

Malicious

85.239.53.219

unknown

Russian Federation

Details

IP:	85.239.53.219
TargetID:	3
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	134121
ASN name:	RAINBOW-HKRainbownetworklimitedHK
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol

104.26.12.205

api.ipify.org

United States

Details

IP:	104.26.12.205
TargetID:	3
Current Path:	C:\Windows\SysWOW64\msiexec.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	api.ipify.org

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Msiexec Initiated Connection	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Config.Msi\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\651cf3.rbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\651cf3.rbsLow

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Microsoft\Installer\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\C72CC84B32896524285338B4DFD2D0BB

D891FE25C6C0A60408F38FD639DD9703

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\F5D323A437D662C4E893EB9882AD31BE

D891FE25C6C0A60408F38FD639DD9703

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\9C6DE896D6026BB4FBD3C80F282F6992

D891FE25C6C0A60408F38FD639DD9703

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\5B54D661D32DB764BBEDE95F3A9BC10B

D891FE25C6C0A60408F38FD639DD9703

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Since Flawer\GeoTdata\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Since Flawer\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Local\New Folder\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Local\sharepoint\

HKEY_CURRENT_USER\SOFTWARE\Since Flawer\GeoTdata

Version

HKEY_CURRENT_USER\SOFTWARE\Since Flawer\GeoTdata

Path

There are 7 hidden registries, click here to show them.