Suspicious
Unsigned MSI installer exhibits process-injection and direct-IP contact behaviours despite zero AV detections.
d60041d15a1294a6fb…35dc7f5ddd
The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious detections across 74 engines rules out strong tier-1 consensus, yet the sandbox recorded two offensive MITRE techniques and a direct-IP connection made without DNS resolution. The MSI is unsigned and writes files into protected directories, behaviours atypical for commodity installers. Medium prevalence and the installer-style filename provide some benign context, but the combination of injection, credential-store access, and C2 indicators outweighs that context. The absence of similar-hash RAG hits and of external-intel corroboration leaves the classification borderline.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
- engines: 0 malicious out of 74 total (tier1Malicious=0)
- behaviour.offensiveTechniques: T1055 and T1548 observed in sandbox
- signing.verified=false and signing.signerStats.found=false
- prevalence.classification=medium with 3622 unique sources
- triggeredHeuristics: MalwareTips.Synth.ProcessInjection (high), MalwareTips.Synth.DirectIpC2 (medium)
- Zero engine detections
- Medium prevalence (3622 sources)
- No malicious dropped children
- Process injection (T1055) observed
- Direct-IP C2 without DNS
- Unsigned installer
- LSASS memory access pattern
Treat as suspicious; isolate and analyse the dropped executables before allowing execution.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 162.159.36.2
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- C:\Windows\Temp\~DFC65580B1642A5101.TMP
- C:\Windows\Temp\~DFA7A96012E517404F.TMP
- C:\Windows\Temp\~DFE6052E8CFCD9E0CD.TMP
- C:\Windows\Temp\~DF0C0B47AA640E6805.TMP
- C:\Config.Msi\CMP5B8.tmp
- C:\Config.Msi
- C:\Windows\Installer\ff71.msi
- C:\Config.Msi\CMPB36.tmp
- C:\Config.Msi\ff70.rbs
- Global\_MSIExecute
- \BaseNamedObjects\Local\SM0:6728:304:WilStaging_02
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- e81510eb4ee69a72d908…26e435 (never scanned; never seen before)
- 6bb434b3b5fa296babab…353846 (never scanned; never seen before)
- efd5e7407c3fc6933823…f6112a (never scanned; never seen before)
- a477ffe6d4c769e2e859…462f31 (never scanned; never seen before)
- 02bdf1c9cface7c7f710…0535b4 (never scanned; never seen before)
- 7e7579ac512265fc6508…c28761 (never scanned; never seen before)
- 17bdad5a7e4910982519…8ca60c (never scanned; never seen before)
- 4f4098a0ccad434e7cf4…575a47 (never scanned; never seen before)
- e319dbe0926ef8db1854…0b22e8 (never scanned; never seen before)
- 7d4ca7b02c90b0b21d64…186721 (never scanned; never seen before)
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence: C:\Windows\System32\svchost.exe -k NetworkService -p
Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
Evidence: C:\Windows\system32\lsass.exe
Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence: 162.159.36.2
0 detections across 74 engines
How often this file shows up in the wild
Moderate prevalence — neither rare nor common. No strong prior applies.
Forensic fingerprint
- File name: jjsploit_8.17.9_x64_en-US.msi
- Size: 6.05 MB
- MIME type: (unknown)
- Detected type: Windows Installer
- SHA-256: d60041d15a1294a6fb436d20bff8e2cfaffd6b61aeddd504aadd1a35dc7f5ddd
- MD5: 11554209ebea8dd6a79759b131da131f
- SHA-1: 5a9a794e5b18389c31b00ce714111d0107061055
- First seen (VT): 4/4/2026, 1:28:59 AM
- Last analysis (VT): 7/3/2026, 8:33:18 AM
- First scan (MalwareTips): 7/3/2026, 1:05:38 PM
- Last scan (MalwareTips): 7/3/2026, 1:05:38 PM
- Community reputation: -12 (flagged)
Reviews & malware reports (0)