File name: 1SCX7734769589574545.msi

Full analysis: https://app.any.run/tasks/08a8d09a-9d54-4164-bd00-40eb4bee148f
Verdict: Malicious activity
Analysis date: October 09, 2019, 19:33:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {BB0E8E78-DEDE-4650-9987-BBDA435E617D}, Number of Words: 10, Subject: SCUFhHngaDCD4NEL15, Author: SCUFhHngaDCD4NEL15, Name of Creating Application: Advanced Installer 16.2 build 436ecd62, Template: ;3082, Comments: Esta base de datos del instalador contiene la lógica y los datos necesarios para instalar SCUFhHngaDCD4NEL15., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5: F9654AD045C8B0BE904D68A0D81510AB
SHA1: BFECCB1C3A5A1418E5EB74817EE40396F28FA527
SHA256: 0B7C0103EB9C3839C667720CE469318E9A2809186AE6C1DD1A65A3916935B15C
SSDEEP: 12288:N9fYTFIWlAJPlP41dpd5e6mBLUVEVWE72W8wrkAyJ:NJYTFId/5IqVXCWJrkAy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Writes to a start menu file
      • MsiExec.exe (PID: 3664)
    • Changes settings of System certificates
      • msiexec.exe (PID: 2944)
  • SUSPICIOUS
    • Executed via COM
      • DrvInst.exe (PID: 2292)
    • Executed as Windows Service
      • vssvc.exe (PID: 3128)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 2936)
    • Creates files in the user directory
      • MsiExec.exe (PID: 3664)
  • INFO
    • Searches for installed software
      • msiexec.exe (PID: 2936)
    • Application launched itself
      • msiexec.exe (PID: 2936)
    • Low-level read access rights to disk partition
      • vssvc.exe (PID: 3128)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Pages: 200
Keywords: Installer, MSI, Database
Title: Installation Database
Comments: Esta base de datos del instalador contiene la lógica y los datos necesarios para instalar SCUFhHngaDCD4NEL15.
Template: ;3082
Software: Advanced Installer 16.2 build 436ecd62
LastModifiedBy: -
Author: SCUFhHngaDCD4NEL15
Subject: SCUFhHngaDCD4NEL15
Words: 10
RevisionNumber: {BB0E8E78-DEDE-4650-9987-BBDA435E617D}
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
No data.
Total processes: 38
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Process information

PID 2944
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\1SCX7734769589574545.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2936
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2588
CMD: C:\Windows\system32\MsiExec.exe -Embedding 52E9A8F8B2D957FC89A36EE9DF914771 C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3128
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2292
CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005C4" "000005C8"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3664
CMD: C:\Windows\system32\MsiExec.exe -Embedding 0E9FDDF4D0AD46B7593305EC9615A7C0
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 759
Read events: 561
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 2
Suspicious files: 6
Text files: 30
Unknown types: 2

Dropped files

PID | Process | Filename
2944 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI51C6.tmp
2944 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI5235.tmp
2944 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI5245.tmp
2944 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI5275.tmp
2936 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
2936 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF03AB6CE517DBFCA4.TMP
3128 | vssvc.exe | C:
2936 | msiexec.exe | C:\Windows\Installer\MSIA75A.tmp
2936 | msiexec.exe | C:\Config.Msi\11a344.rbs
2936 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF2FC3A6BCE4F72A09.TMP
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3664 | MsiExec.exe | GET | | 69.42.49.155:80 | http://www.leonloard.com/LLCP/wawst4ts1.zip | US | | | unknown
2944 | msiexec.exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3664 | MsiExec.exe | 69.42.49.155:80 | www.leonloard.com | DataBank Holdings, Ltd. | US | unknown
2944 | msiexec.exe | 91.199.212.52:80 | crt.usertrust.com | Comodo CA Ltd | GB | suspicious

DNS requests

Domain | IP | Reputation
crt.usertrust.com | 91.199.212.52 | whitelisted
www.leonloard.com | 69.42.49.155 | unknown

Threats: No threats detected

No debug info