File name: FA09102016AT.msi
Full analysis: https://app.any.run/tasks/1b4107b9-4451-4367-a97b-291ebccd2fd4
Verdict: Malicious activity
Analysis date: June 16, 2019, 23:02:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {D923683E-FF5A-4019-BCF9-906DB2753899}, Number of Words: 10, Subject: Adobe Acrobat Reader, Author: Adobe Acrobat Reader, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Adobe Acrobat Reader., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5: 024B95D32B9F75F1D13BE644E722D008
SHA1: 0805684144F8AC6BED77A5C90B2B9B76624306F9
SHA256: 07440783C3F441D061C698EAF744B1C0FBEED279D5DB2492090F14C6CA265DEE
SSDEEP: 3072:zc97NIA+/WQx5TYD9yOePnMzYMTxHwgz88ereWn/7w05g0d9bY5Alt7k3DxAkQ8B:zbRMN28er1nzT1Y5AlK3DeQ2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2476)
    • Application was dropped or rewritten from another process

      • lc8FD4.tmp (PID: 2692)
  • SUSPICIOUS

    • Creates files in the user directory

      • cmd.exe (PID: 3628)
      • MsiExec.exe (PID: 2428)
    • Starts Internet Explorer

      • cmd.exe (PID: 3628)
    • Starts CMD.EXE for commands execution

      • MsiExec.exe (PID: 2428)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 324)
      • MsiExec.exe (PID: 2428)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2236)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3824)
    • Reads Internet Cache Settings

      • MsiExec.exe (PID: 2428)
  • INFO

    • Application launched itself

      • msiexec.exe (PID: 324)
      • iexplore.exe (PID: 2796)
    • Changes internet zones settings

      • iexplore.exe (PID: 2796)
    • Reads internet explorer settings

      • iexplore.exe (PID: 4084)
    • Creates files in the user directory

      • iexplore.exe (PID: 4084)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3824)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4084)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 4084)
    • Starts application with an unusual extension

      • MsiExec.exe (PID: 2428)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {D923683E-FF5A-4019-BCF9-906DB2753899}
Words: 10
Subject: Adobe Acrobat Reader
Author: Adobe Acrobat Reader
LastModifiedBy: -
Software: Advanced Installer 12.2.1 build 64247
Template: ;1033
Comments: This installer database contains the logic and data required to install Adobe Acrobat Reader.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 14
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (edge types: start; drop and start): msiexec.exe (no specs), msiexec.exe, msiexec.exe, cmd.exe (no specs), iexplore.exe, iexplore.exe, cmd.exe (no specs), reg.exe, flashutil32_26_0_0_131_activex.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), shutdown.exe (no specs), shutdown.exe (no specs), lc8fd4.tmp (no specs)

Process information

PID: 3372
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\FA09102016AT.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 1073807364
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 324
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2428
CMD: C:\Windows\system32\MsiExec.exe -Embedding E1032938515459BAA3DF15DCAAA727CF
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 1073807364
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3628
CMD: "C:\Windows\System32\cmd.exe" /C start /MAX http://bit.ly/2HJogDw
Path: C:\Windows\System32\cmd.exe
Parent process: MsiExec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2796
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1073807364
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 4084
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2796 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2236
CMD: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v jMTAlO /t reg_sz /d "C:\jMTAlO\jMTAlO.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: MsiExec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2476
CMD: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v jMTAlO /t reg_sz /d "C:\jMTAlO\jMTAlO.exe"
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3824
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code: 1073807364
Version: 26,0,0,131

PID: 864
CMD: "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0
Path: C:\Windows\System32\cmd.exe
Parent process: MsiExec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 968
Read events: 813
Write events: 149
Delete events: 6

Modification events

(PID) Process: (324) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 44010000EE8E05959724D501

(PID) Process: (324) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 92CDAADC1DBD0A7EC4EB42A56A934C9998E42D7BB2C83E93BE47DBAE9BF031F7

(PID) Process: (324) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (2428) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2428) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2796) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2796) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2796) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2796) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (2796) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0
Executable files: 9
Suspicious files: 4
Text files: 112
Unknown types: 16

Dropped files

PID | Process | Filename | Type

2796 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | -
MD5: -
SHA256: -

2796 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
MD5: -
SHA256: -

4084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat
MD5: 27C3F9660BCF86EA570341FF2465AF2A
SHA256: 54E2A04683F392910AC116FA618ABA1DAA96105F63A90C378B3A304E0ECA1AED

324 | msiexec.exe | C:\Windows\Installer\11fae7.msi | executable
MD5: 024B95D32B9F75F1D13BE644E722D008
SHA256: 07440783C3F441D061C698EAF744B1C0FBEED279D5DB2492090F14C6CA265DEE

4084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt
MD5: 022D800FADC31209DB96834EBD01A88F
SHA256: 4CE5F0EBA95353E4CFD78233A0084C0B65A5D9245759646545AF243D6035D3BF

4084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1ZTQDB9Q\in[1].js | text
MD5: C67373C9FBD33E33154F269EFCF88D62
SHA256: 23076A916E23AF64C4FC82EAE6B839E27303DCE5644B460D18A6610028D3FE76

4084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J5AIYZAU\barra[1].js | html
MD5: D9D76A6844E02FAEF76BF3E3A3ED7AB1
SHA256: 42380046A0EA86FCA187591F6E5574E9C144D57B1D30210DFC4C726AA6E6BF2D

3628 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat
MD5: D7A950FEFD60DBAA01DF2D85FEFB3862
SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A

4084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HKQ1B5J3\desktop.ini | ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

4084 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J5AIYZAU\scribe_endpoint[1].png | -
MD5: -
SHA256: -
HTTP(S) requests: 94
TCP/UDP connections: 26
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4084 | iexplore.exe | GET | 200 | 161.148.231.170:80 | http://receita.economia.gov.br/portal_css/Sunburst%20Theme/reset-cachekey-060d597ce52d12b79b1f594f28beab9e.css | BR | text | 477 b | suspicious
4084 | iexplore.exe | GET | 200 | 31.13.92.14:80 | http://connect.facebook.net/pt_BR/all.js | IE | text | 1.74 Kb | whitelisted
4084 | iexplore.exe | GET | 200 | 161.148.231.170:80 | http://receita.economia.gov.br/portal_css/Sunburst%20Theme/base-cachekey-c84ce7f8fe671ebbd511749d7e5cd027.css | BR | text | 72.0 Kb | suspicious
4084 | iexplore.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2HJogDw | US | html | 118 b | shared
4084 | iexplore.exe | GET | 200 | 161.148.231.170:80 | http://receita.economia.gov.br/portal_css/Sunburst%20Theme/resourceplone.formwidget.autocompletejquery.autocomplete-cachekey-69ee8461f3f7222226ebccfd17f0d947.css | BR | text | 2.63 Kb | suspicious
4084 | iexplore.exe | GET | 200 | 161.148.231.170:80 | http://receita.economia.gov.br/portal_css/Sunburst%20Theme/resourcecalendar_stylescalendar-cachekey-c147cf23d03b6b93340d24c8ea3f13cc.css | BR | text | 1.34 Kb | suspicious
4084 | iexplore.exe | GET | 200 | 152.195.34.77:80 | http://barra.brasil.gov.br/barra.js | US | html | 7.62 Kb | suspicious
4084 | iexplore.exe | GET | 200 | 161.148.231.170:80 | http://receita.economia.gov.br/portal_css/Sunburst%20Theme/resourcebrasil.gov.agendaagenda-cachekey-b6e5462502673583537f3967a00a2797.css | BR | text | 11.3 Kb | suspicious
4084 | iexplore.exe | GET | 200 | 161.148.231.170:80 | http://receita.economia.gov.br/portal_css/Sunburst%20Theme/resourceProducts.Doormat.stylesheetsdoormat-cachekey-e5df783ce1f1d670942753018c4fe3a8.css | BR | text | 945 b | suspicious
4084 | iexplore.exe | GET | 200 | 161.148.231.170:80 | http://receita.economia.gov.br/portal_css/Sunburst%20Theme/jquery.autocomplete-cachekey-36181f8c4e0504ac0193a1d08a5b868e.css | BR | text | 748 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2796 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
4084 | iexplore.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared
4084 | iexplore.exe | 161.148.231.170:80 | receita.economia.gov.br | SERVICO FEDERAL DE PROCESSAMENTO DE DADOS - SERPRO | BR | suspicious
4084 | iexplore.exe | 152.195.34.77:80 | barra.brasil.gov.br | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
4084 | iexplore.exe | 192.229.133.150:443 | platform.linkedin.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2428 | MsiExec.exe | 52.218.104.234:443 | s3-eu-west-1.amazonaws.com | Amazon.com, Inc. | IE | unknown
4084 | iexplore.exe | 31.13.92.14:80 | connect.facebook.net | Facebook, Inc. | IE | whitelisted
4084 | iexplore.exe | 185.60.216.35:443 | www.facebook.com | Facebook, Inc. | IE | whitelisted
4084 | iexplore.exe | 31.13.92.14:443 | connect.facebook.net | Facebook, Inc. | IE | whitelisted
4084 | iexplore.exe | 161.148.231.100:80 | www.receita.fazenda.gov.br | SERVICO FEDERAL DE PROCESSAMENTO DE DADOS - SERPRO | BR | suspicious

DNS requests

Domain | IP | Reputation
s3-eu-west-1.amazonaws.com | 52.218.104.234 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
bit.ly | 67.199.248.10, 67.199.248.11 | shared
receita.economia.gov.br | 161.148.231.170 | suspicious
connect.facebook.net | 31.13.92.14 | whitelisted
platform.linkedin.com | 192.229.133.150 | whitelisted
barra.brasil.gov.br | 152.195.34.77 | suspicious
www.facebook.com | 185.60.216.35 | whitelisted
www.receita.fazenda.gov.br | 161.148.231.100 | suspicious
www.youtube.com | 172.217.21.238, 172.217.22.14, 172.217.18.174, 172.217.23.142, 216.58.206.14, 216.58.207.78, 172.217.16.174, 216.58.208.46, 172.217.16.142, 172.217.22.46, 172.217.22.78, 216.58.210.14, 172.217.16.206, 172.217.18.110 | whitelisted

Threats

No threats detected
No debug info