File name: скf4cqstgm5qsfr7jp2k.msi
Full analysis: https://app.any.run/tasks/7a9b30db-9b7f-490f-a989-8fe9c4f09642
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:58:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {535E6490-309C-4BDE-8C83-07C1972D6C81}, Number of Words: 10, Subject: Adobe Reader PDF, Author: Adobe Reader PDF, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Adobe Reader PDF.
MD5: 8304394E8BDEC3C0C0D14437FCBE2785
SHA1: E2DA9897A55990B372CA98E30B531368C23F6E96
SHA256: 150BAC3B488270DB479D96FDED7FA91F3B044F17AC197A0C06F8E3C08C3E7587
SSDEEP: 98304:EYMAO5NyrV8fCeyPP6LzLTFpXckbaRr1GJX/0HVAQUofmQ+Hb6:eT7fCDSFpsqaRr1GJPPQUa2H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • SpotifyConverter.exe (PID: 2352)
    • Loads the Task Scheduler COM API
      • SpotifyConverter.exe (PID: 2352)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3488)
      • SpotifyConverter.exe (PID: 2352)
    • Drops executable file immediately after start
      • msiexec.exe (PID: 3560)
  • SUSPICIOUS
    • Checks supported languages
      • SpotifyConverter.exe (PID: 2352)
      • msiexec.exe (PID: 3560)
      • MsiExec.exe (PID: 2036)
    • Reads the computer name
      • MsiExec.exe (PID: 2036)
      • SpotifyConverter.exe (PID: 2352)
      • msiexec.exe (PID: 3560)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 3560)
    • Reads Windows owner or organization settings
      • msiexec.exe (PID: 3560)
      • msiexec.exe (PID: 3212)
    • Reads the Windows organization settings
      • msiexec.exe (PID: 3212)
      • msiexec.exe (PID: 3560)
    • Drops a file with a compile date too recent
      • msiexec.exe (PID: 3560)
  • INFO
    • Application launched itself
      • msiexec.exe (PID: 3560)
    • Checks supported languages
      • msiexec.exe (PID: 3212)
    • Reads the computer name
      • msiexec.exe (PID: 3212)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Title: Installation Database
Keywords: Installer, MSI, Database
LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Pages: 200
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {535E6490-309C-4BDE-8C83-07C1972D6C81}
Words: 10
Subject: Adobe Reader PDF
Author: Adobe Reader PDF
LastModifiedBy: -
Software: Advanced Installer 12.2.1 build 64247
Template: ;1033
Comments: This installer database contains the logic and data required to install Adobe Reader PDF.
No data.
Total processes: 37
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Process information

PID: 3212
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\скf4cqstgm5qsfr7jp2k.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3560
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2036
CMD: C:\Windows\system32\MsiExec.exe -Embedding 810E515E278552D9208676B18D15068F
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2352
CMD: "C:\Users\admin\Documents\Spotify.pdf\SpotifyConverter.exe"
Path: C:\Users\admin\Documents\Spotify.pdf\SpotifyConverter.exe
Parent process: msiexec.exe
User: admin
Company: TunesKit
Integrity Level: MEDIUM
Description: TunesKit Application
Version: 2, 1, 0, 700

PID: 3488
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Total events: 3 211
Read events: 3 146
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 10
Suspicious files: 4
Text files: 67
Unknown types: 2

Dropped files

PID: 3560 | Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF9003740230D2753C.TMP
Type: gmc
MD5: 47DEDBD8214061993DE36C74EA05822B
SHA256: 664AA05C4AE00102B0B651F9E3D19DF6D2D5BC47671E916943363001AEF40E91

PID: 3560 | Process: msiexec.exe
Filename: C:\Users\admin\Documents\Spotify.pdf\skin\de\about.xml
Type: xml
MD5: B82DE60B989AD38363360BDB7BCFA255
SHA256: E4ED5C8A9FF9CF203AEE759F5765425EC83661CD6BBE5B2B8E4828A02E931294

PID: 3560 | Process: msiexec.exe
Filename: C:\Users\admin\Documents\Spotify.pdf\unins000.dat
Type: dat
MD5: F7880A41E5A8804A973D6B41DFD313CE
SHA256: E63E7200578E5690BBB3318770113C4527FCD4DF17A4AF6B2AF6B0FDB927896B

PID: 3560 | Process: msiexec.exe
Filename: C:\Users\admin\Documents\Spotify.pdf\HelperLibrary.dll
Type: executable
MD5: A294E2805698BF54308BEF6893E7D5D0
SHA256: 282A55622C688E173164EE289C856113D02A2FA032F755D020EA89BF558C0F90

PID: 3560 | Process: msiexec.exe
Filename: C:\Windows\Installer\MSI4D96.tmp
Type: binary
MD5: A3195B2CD621D35462553FC62928A77B
SHA256: CF8980905A58152293683D6C5A0A12C96DB109C0BCC66734F618AC142D086ED7

PID: 3560 | Process: msiexec.exe
Filename: C:\Users\admin\Documents\Spotify.pdf\sparkle_init.pdf
Type: binary
MD5: 80920553D57D4C32DBCBBA3C8E08C7D9
SHA256: A4C88AD5E16EF98EACE78A817175564FBCEFC1DEC80E43E22056D8A64BDAFB13

PID: 3560 | Process: msiexec.exe
Filename: C:\Windows\Installer\104c2e.msi
Type: executable
MD5: 8304394E8BDEC3C0C0D14437FCBE2785
SHA256: 150BAC3B488270DB479D96FDED7FA91F3B044F17AC197A0C06F8E3C08C3E7587

PID: 3560 | Process: msiexec.exe
Filename: C:\Users\admin\Documents\Spotify.pdf\WebStream.dll
Type: executable
MD5: 2B5475534B9A47B486F49453E5967762
SHA256: 4BE8EE865D72F1EB64F1D08EED7335375D577A0A35C6D525BF120527DB43A869

PID: 3560 | Process: msiexec.exe
Filename: C:\Windows\Installer\104c30.ipi
Type: binary
MD5: 45C4166776191CDDB133DA4014302AEE
SHA256: EFF699D1C8929F6FFC168B6872879DB94709E4FB3B69BB7740CF9D29EB913CA3

PID: 3560 | Process: msiexec.exe
Filename: C:\Users\admin\Documents\Spotify.pdf\unins000.exe
Type: executable
MD5: 7EA29C2AD5B0BC09B5B8BF66DFDF2941
SHA256: A8EB5C14EE3D5100CA93C31EC6FA161347BC67F3D6B6A3CD84164FB2246218FB
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 2352
Process: SpotifyConverter.exe
IP: 5.252.177.234:443
Domain: cvcimagensoilinexxxp21.com
ASN: -
CN: -
Reputation: unknown

DNS requests

Domain: cvcimagensoilinexxxp21.com
IP: 5.252.177.234
Reputation: unknown

Threats

No threats detected
No debug info