File name: 1SCX7734769589574545.msi
Full analysis: https://app.any.run/tasks/1e827fb0-5064-47f0-acc8-af9e5f11838a
Verdict: Malicious activity
Analysis date: October 09, 2019, 19:49:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc, autoit
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {BB0E8E78-DEDE-4650-9987-BBDA435E617D}, Number of Words: 10, Subject: SCUFhHngaDCD4NEL15, Author: SCUFhHngaDCD4NEL15, Name of Creating Application: Advanced Installer 16.2 build 436ecd62, Template: ;3082, Comments: Esta base de datos del instalador contiene la lógica y los datos necesarios para instalar SCUFhHngaDCD4NEL15., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5: F9654AD045C8B0BE904D68A0D81510AB
SHA1: BFECCB1C3A5A1418E5EB74817EE40396F28FA527
SHA256: 0B7C0103EB9C3839C667720CE469318E9A2809186AE6C1DD1A65A3916935B15C
SSDEEP: 12288:N9fYTFIWlAJPlP41dpd5e6mBLUVEVWE72W8wrkAyJ:NJYTFId/5IqVXCWJrkAy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • msiexec.exe (PID: 3152)
    • Writes to a start menu file

      • MsiExec.exe (PID: 3372)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3152)
      • msiexec.exe (PID: 2180)
      • MsiExec.exe (PID: 3372)
    • Executed as Windows Service

      • vssvc.exe (PID: 2372)
    • Executed via COM

      • DrvInst.exe (PID: 3296)
    • Drop AutoIt3 executable file

      • MsiExec.exe (PID: 3372)
    • Creates files in the user directory

      • MsiExec.exe (PID: 3372)
  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2576)
      • MsiExec.exe (PID: 3372)
    • Searches for installed software

      • msiexec.exe (PID: 2180)
    • Creates files in the program directory

      • MsiExec.exe (PID: 3372)
    • Application launched itself

      • msiexec.exe (PID: 2180)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2372)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Pages: 200
Keywords: Installer, MSI, Database
Title: Installation Database
Comments: Esta base de datos del instalador contiene la lógica y los datos necesarios para instalar SCUFhHngaDCD4NEL15.
Template: ;3082
Software: Advanced Installer 16.2 build 436ecd62
LastModifiedBy: -
Author: SCUFhHngaDCD4NEL15
Subject: SCUFhHngaDCD4NEL15
Words: 10
RevisionNumber: {BB0E8E78-DEDE-4650-9987-BBDA435E617D}
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
No data.
Total processes: 39
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Behavior graph (nodes): start, msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), drvinst.exe (no specs), msiexec.exe

Process information

PID 3152
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\1SCX7734769589574545.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2180
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2576
CMD: C:\Windows\system32\MsiExec.exe -Embedding 432ECE1BAD2281F4DF46B2C7240381A8 C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2372
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3296
CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005CC" "000005B8"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3372
CMD: C:\Windows\system32\MsiExec.exe -Embedding C100D041423C9104D8294976AD521224
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

Total events: 797
Read events: 593
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 7
Suspicious files: 7
Text files: 33
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3152 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIE2C.tmp | -
  MD5: - SHA256: -
3152 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIE5C.tmp | -
  MD5: - SHA256: -
3152 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIEAB.tmp | -
  MD5: - SHA256: -
2180 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | -
  MD5: - SHA256: -
2180 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF7773D250BF8EB386.TMP | -
  MD5: - SHA256: -
2372 | vssvc.exe | C: | -
  MD5: - SHA256: -
2180 | msiexec.exe | C:\Windows\Installer\MSI5806.tmp | -
  MD5: - SHA256: -
3152 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD | der
  MD5: DB78CBD190952735D940BC80AC2432C0
  SHA256: 1A5174980A294A528A110726D5855650266C48D9883BEA692B67B6D726DA98C5
3296 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary
  MD5: 43F003911809CC73E06FB33DF886FEC1
  SHA256: 1B4BC91DAD6D2B8C22EA67C9C100A184997137F5089CD6ABB86FB4DE0259AB2C
2180 | msiexec.exe | C:\Config.Msi\10524a.rbs | -
  MD5: - SHA256: -

HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3372 | MsiExec.exe | GET | 200 | 69.42.49.155:80 | http://www.leonloard.com/LLCP/wawst4ts1.zip | US | compressed | 2.46 Mb | unknown
3152 | msiexec.exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3152 | msiexec.exe | 91.199.212.52:80 | crt.usertrust.com | Comodo CA Ltd | GB | suspicious
3372 | MsiExec.exe | 69.42.49.155:80 | www.leonloard.com | DataBank Holdings, Ltd. | US | unknown

DNS requests

Domain | IP | Reputation
crt.usertrust.com | 91.199.212.52 | whitelisted
www.leonloard.com | 69.42.49.155 | unknown

Threats

No threats detected
No debug info