Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

notifica2104.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {3191CFA1-AA45-460E-9697-93F9CFDE492F}, Number of Words: 10, Subject: Windows update, Author: Windows update, Name of Creating Application: Advanced Installer 16.2 build 436ecd62, Template: ;1040, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200

initial sample

Details

Filetype:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {3191CFA1-AA45-460E-9697-93F9CFDE492F}, Number of Words: 10, Subject: Windows update, Author: Windows update, Name of Creating Application: Advanced Installer 16.2 build 436ecd62, Template: ;1040, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy:	6.5591101160185925
Filename:	notifica2104.msi
Filesize:	1040384
MD5:	37261a4c059499f3d379f539834b8990
SHA1:	1c06fb8a5bf94db2782bf49e080eacc25e740d7c
SHA256:	f3316d7cef4978eb334264f709301d6616089abd6272c675228614a6407ed629
SHA512:	79a543a730e9e4f6e2393210d548b54ef20af0b2fbcc79ef0fc95a893531407f701b9f2862fd5975f65747caaa057543d2f4633603c047ab35f257386c486b98
SSDEEP:	24576:ZGnFId/5IqVXCWJr6Awb2DRMIHBPHofTl6VQU1YHYlo:ZG85IqVXCWJr6AwbuLBPHKTl6VQU1YHD
Preview:	........................>.......................................................\|.......................x...y...z...{...\|...}...~..............................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Sample is a Windows installer	System Summary

C:\Users\user\AppData\Local\Temp\MSIe9f32.LOG

data

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\MSIe9f32.LOG
Category:	dropped
Dump:	MSIe9f32.LOG.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Windows\System32\msiexec.exe
Type:	data
Entropy:	3.750914117199054
Encrypted:	false
Ssdeep:	768:Wc2+wE8XjcRxMLzsU6Ij0ZMPyu56MQWKfuMwpp4:lw3XjcRxMLzsUHMmA9
Size:	72030
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Windows\System32\msiexec.exe

'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\notifica2104.msi'

Details

Is windows:	true
Is dropped:	false
PID:	6560
Target ID:	0
Parent PID:	5640
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\notifica2104.msi'
Size:	66048
MD5:	4767B71A318E201188A0D0A420C8B608
Time:	10:18:02
Date:	22/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff664ee0000
Modulesize:	90112
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 62996ADAF98AEA6C3E76201DA1491D0F

Details

Is windows:	true
Is dropped:	false
PID:	6616
Target ID:	1
Parent PID:	992
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 62996ADAF98AEA6C3E76201DA1491D0F
Size:	59904
MD5:	12C17B5A5C2A7B97342C362CA467E9A2
Time:	10:18:04
Date:	22/04/2021
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xfb0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://www.advancedinstaller.com

unknown

Details

Name:	https://www.advancedinstaller.com
TargetID:	-1
From Memory:	true
Source:	notifica2104.msi
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.winimage.com/zLibDll

unknown

Details

Name:	http://www.winimage.com/zLibDll
TargetID:	-1
From Memory:	true
Source:	notifica2104.msi
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.thawte.com/cps0/

unknown

Details

Name:	https://www.thawte.com/cps0/
TargetID:	-1
From Memory:	true
Source:	notifica2104.msi
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.winimage.com/zLibDll1.2.7rbr

unknown

Details

Name:	http://www.winimage.com/zLibDll1.2.7rbr
TargetID:	-1
From Memory:	true
Source:	notifica2104.msi
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://www.thawte.com/repository0W

unknown

Details

Name:	https://www.thawte.com/repository0W
TargetID:	-1
From Memory:	true
Source:	notifica2104.msi
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF51B10F000

unkown

page readonly

7FF57093F000

unkown

page readonly

14658A2C000

unkown

page read and write

1BC85B71000

unkown

page read and write

7FF50E31C000

unkown

page readonly

225CDAB4000

unkown

page read and write

26D7FB000

unkown

page read and write

7FF5A339A000

unkown

page readonly

1993F110000

unkown

page read and write

A2F000

stack

page read and write

1BC85C15000

unkown

page read and write

187EE629000

unkown

page read and write

459000

unkown

page read and write

690000

heap default

page read and write

7FF51B049000

unkown

page readonly

225C9960000

unkown

page read and write

7FF4FBB1B000

unkown

page readonly

421FDFE000

unkown

page read and write

7FF512587000

unkown

page readonly

7FF554695000

unkown

page readonly

26DBFB000

unkown

page read and write

7FF5CB043000

unkown

page readonly

7FF56B0AD000

unkown

page readonly

7FF4ECEED000

unkown

page readonly

276DFB10000

unkown

page readonly

184FCA91000

unkown

page read and write

7FF4ED0CB000

unkown

page readonly

20F95229000

unkown

page read and write

7FF5D5CBB000

unkown

page readonly

7FF52843F000

unkown

page readonly

7FF5271AD000

unkown

page readonly

1993D7D8000

unkown

page read and write

225CDE00000

unkown

page read and write

C04047D000

unkown

page read and write

7FF527264000

unkown

page readonly

7FF5A2C18000

unkown

page readonly

7FF59BFCD000

unkown

page readonly

14B41A29000

unkown

page read and write

1BC85B79000

unkown

page read and write

C9EE47F000

unkown

page read and write

7FF5A321C000

unkown

page readonly

7FF512656000

unkown

page readonly

7FF4EFDB6000

unkown

page readonly

7FF57084C000

unkown

page readonly

7FF59C1DC000

unkown

page readonly

7FF52846E000

unkown

page readonly

187EE68D000

unkown

page read and write

7FF56AFB2000

unkown

page readonly

7FF526F33000

unkown

page readonly

2898EE02000

unkown

page read and write

4850000

heap private

page read and write

184FE920000

unkown

page read and write

7FF58862B000

unkown

page readonly

7FF4FBB3B000

unkown

page readonly

7FF5CB09F000

unkown

page readonly

2898E64A000

unkown

page read and write

7FF4FBB0F000

unkown

page readonly

1993D5C0000

unkown

page read and write

8C50D7B000

unkown

page read and write

B7107FE000

unkown

page read and write

14B42060000

unkown

page readonly

7FF4EFC8F000

unkown

page readonly

1BC85BBE000

unkown

page read and write

281E66D0000

unkown

page readonly

14B42070000

unkown

page read and write

7FF56ACBA000

unkown

page readonly

1993D0E0000

unkown

page read and write

225CDDB0000

unkown

page write copy

225CDE10000

unkown

page read and write

184FE920000

unkown

page read and write

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Memdumps