File name: VIRUS.msi
Full analysis: https://app.any.run/tasks/6e6372be-23c4-404d-b5e8-f7c02c8e9eec
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Their capabilities vary by type, ranging from full remote control of the victim's machine to stealing data and files and dropping other malware, and the main functionality of each trojan family can differ significantly. The most common trojan infection chain starts with a phishing email.

Analysis date: April 24, 2019, 06:37:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Wed Nov 21 14:59:58 2007, Create Time/Date: Wed Nov 21 14:59:58 2007, Last Saved Time/Date: Wed Nov 21 15:17:57 2007, Code page: 1252, Revision Number: {B12E069D-29A5-4738-9FF0-BD287A025FD1}, Number of Words: 10, Subject: Assistent Install, Author: Assistent Install, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Assistent Install., Title: Installation Database, Keywords: Installer, MSI, Database, Security: 0, Number of Pages: 200
MD5: D36F6AB72C2FB5117E7D253F4C37ED47
SHA1: D7C89BF0C0D977BA4C7FD4D05C7C95E50766C335
SHA256: 1467D4A44416127B0D0DEBB3DE4C9AD983C4362A4CE2BA20AE21532B80C6D7FD
SSDEEP: 49152:Nve6PlFoRBIngSGJ65tsgdAzT7rMIDAX3Y:pPlFsa2DAHY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • I5J1Z4k9E6.cmd (PID: 1772)
    • Application was dropped or rewritten from another process
      • I5J1Z4k9E6.cmd (PID: 1772)
    • Connects to CnC server
      • MSI3634.tmp (PID: 3924)
    • Changes the autorun value in the registry
      • I5J1Z4k9E6.cmd (PID: 1772)
  • SUSPICIOUS
    • Creates files in the user directory
      • I5J1Z4k9E6.cmd (PID: 1772)
      • MSI3634.tmp (PID: 3924)
    • Starts application with an unusual extension
      • MSI3634.tmp (PID: 3924)
    • Suspicious files were dropped or overwritten
      • MSI3634.tmp (PID: 3924)
    • Changes the autorun value in the registry
      • msiexec.exe (PID: 1256)
    • Reads Environment values
      • I5J1Z4k9E6.cmd (PID: 1772)
    • Executable content was dropped or overwritten
      • MSI3634.tmp (PID: 3924)
      • msiexec.exe (PID: 1256)
  • INFO
    • Application was dropped or rewritten from another process
      • MSI3634.tmp (PID: 3924)
    • Starts application with an unusual extension
      • msiexec.exe (PID: 1256)
    • Application launched itself
      • msiexec.exe (PID: 1256)
No Malware configuration.

TRiD

  • .msi | Microsoft Windows Installer (88.6)
  • .mst | Windows SDK Setup Transform Script (10)
  • .msi | Microsoft Installer (100)

EXIF

FlashPix

Pages: 200
Security: None
Keywords: Installer, MSI, Database
Title: Installation Database
Comments: This installer database contains the logic and data required to install Assistent Install.
Template: ;1033
Software: Advanced Installer 12.2.1 build 64247
LastModifiedBy: -
Author: Assistent Install
Subject: Assistent Install
Words: 10
RevisionNumber: {B12E069D-29A5-4738-9FF0-BD287A025FD1}
CodePage: Windows Latin 1 (Western European)
ModifyDate: 2007:11:21 15:17:57
CreateDate: 2007:11:21 14:59:58
LastPrinted: 2007:11:21 14:59:58
No data.
Total processes: 36
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0


Process information

PID: 2472
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\VIRUS.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 1256
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3412
CMD: C:\Windows\system32\MsiExec.exe -Embedding 74992EFCDCF8A8AA5E8EB2A10315C7B2
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3924
CMD: "C:\Windows\Installer\MSI3634.tmp"
Path: C:\Windows\Installer\MSI3634.tmp
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Description: AMGZ2
Version: 1.0.0.0

PID: 1772
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\8E7A2C3A72AD425A8137078A79AF77CE\I5J1Z4k9E6.cmd"
Path: C:\Users\admin\AppData\Roaming\Microsoft\8E7A2C3A72AD425A8137078A79AF77CE\I5J1Z4k9E6.cmd
Parent process: MSI3634.tmp
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.1910.12
Total events: 624
Read events: 602
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID 1256 (msiexec.exe): C:\Windows\Installer\MSI34C9.tmp
PID 1256 (msiexec.exe): C:\Windows\Installer\MSI3537.tmp
PID 1256 (msiexec.exe): C:\Users\admin\AppData\Local\Temp\~DF7F26C463CE44C974.TMP
PID 1256 (msiexec.exe): C:\Windows\Installer\MSI3596.tmp
PID 3924 (MSI3634.tmp): C:\Users\admin\AppData\Roaming\Progrestime.html
PID 3924 (MSI3634.tmp): C:\Users\admin\AppData\Roaming\Microsoft\I5J1Z4k9E6.zip
PID 3924 (MSI3634.tmp): C:\Users\admin\AppData\Roaming\Microsoft\8E7A2C3A72AD425A8137078A79AF77CE\jli.dll
PID 1772 (I5J1Z4k9E6.cmd): C:\Users\admin\AppData\Roaming\Microsoft\8E7A2C3A72AD425A8137078A79AF77CE\Ped
PID 1256 (msiexec.exe): C:\Config.Msi\113420.rbs (Type: binary)
  MD5: ED6E397E0E98A3ACBE4321679D89AD34
  SHA256: C116384A1ED95020420D60B2CA0DFC6DFFEA7B196D9636E765C7419484B2C5F4
PID 3924 (MSI3634.tmp): C:\Users\admin\AppData\Roaming\Microsoft\8E7A2C3A72AD425A8137078A79AF77CE\RtkNGUI.exe (Type: executable)
  MD5: BA9321813C9246BD263F01D07FE1571D
  SHA256: 292FAA4845074907CA7F40C084D939F62286E2001E9C0AF405FF9A33338E50D8
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID: 3924
Process: MSI3634.tmp
Method: POST
HTTP Code: 200
IP: 137.135.111.89:80
URL: http://livekernelreports.duckdns.org/ups/
CN: US
Reputation: malicious

Connections

PID: 3924
Process: MSI3634.tmp
IP: 137.135.111.89:80
Domain: livekernelreports.duckdns.org
ASN: Microsoft Corporation
CN: US
Reputation: malicious

PID: 3924
Process: MSI3634.tmp
IP: 54.86.90.33:26457
Domain: freedow.ml
ASN: Amazon.com, Inc.
CN: US
Reputation: malicious

DNS requests

Domain: livekernelreports.duckdns.org
  • IP: 137.135.111.89
  • Reputation: malicious

Domain: freedow.ml
  • IP: 54.86.90.33
  • Reputation: malicious

Threats

Class: Misc activity
Message: ET INFO DYNAMIC_DNS Query to *.duckdns. Domain

Class: Potentially Bad Traffic
Message: ET INFO DNS Query for Suspicious .ml Domain

PID: 3924
Process: MSI3634.tmp
Class: A Network Trojan was detected
Message: ET TROJAN [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD)

PID: 3924
Process: MSI3634.tmp
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Trojan-Spy.Win32.Delf(Banload) response

PID: 3924
Process: MSI3634.tmp
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Trojan-Spy.Win32.Delf(Banload) request
No debug info