Abuse of Custom Actions in Windows Installer MSI
Common Information
Type Value
UUID cf936fe7-df75-4472-9d7e-0c9c34794a6b
Fingerprint a461a90a8d7726c5
Analysis status DONE
Considered CTI value 0
Text language
Published April 23, 2019, midnight
Added to db Jan. 18, 2023, 9:01 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Abuse of Custom Actions in Windows Installer MSI
Title Abuse of Custom Actions in Windows Installer MSI
Detected Hints/Tags/Attributes 70/2/25
Attributes
Type #Events CTI Value
Domain 13 s3-eu-west-1.amazonaws.com
Domain 80 www.adobe.com
Domain 1 fatur432952-532-674.zip
Domain 2 www.localizaip.com.br
File 376 wscript.exe
File 269 msiexec.exe
File 52 trojan.js
File 6 desktop.txt
File 196 desktop.ini
File 38 trojan.ps1
File 1 context_snapshot.exe
File 1 ilua.inf
File 10 msvcr120.dll
File 8 msvcp120.dll
File 1 jlib.dll
File 11 avira.sys
File 1 traystarttrigger.exe
File 1 fatur432952-532-674.zip
File 5 image2.png
File 1 dump.msi
File 9 dump.exe
File 2 ssleay64.dll
File 4 powershellscriptlauncher.dll
Url 1 https://s3-eu-west-1.amazonaws.com
Url 2 https://www.localizaip.com.br/api/iplocation.php