File name: скf4cqstgm5qsfr7jp2k.msi

Full analysis: https://app.any.run/tasks/d776ece9-185b-41a9-88e0-adfa91ef84ff
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:56:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {535E6490-309C-4BDE-8C83-07C1972D6C81}, Number of Words: 10, Subject: Adobe Reader PDF, Author: Adobe Reader PDF, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Adobe Reader PDF.
MD5: 8304394E8BDEC3C0C0D14437FCBE2785
SHA1: E2DA9897A55990B372CA98E30B531368C23F6E96
SHA256: 150BAC3B488270DB479D96FDED7FA91F3B044F17AC197A0C06F8E3C08C3E7587
SSDEEP: 98304:EYMAO5NyrV8fCeyPP6LzLTFpXckbaRr1GJX/0HVAQUofmQ+Hb6:eT7fCDSFpsqaRr1GJPPQUa2H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • msiexec.exe (PID: 1664)
    • Application was dropped or rewritten from another process
      • SpotifyConverter.exe (PID: 2304)
    • Loads dropped or rewritten executable
      • SpotifyConverter.exe (PID: 2304)
      • SearchProtocolHost.exe (PID: 2492)
  • SUSPICIOUS
    • Checks supported languages
      • msiexec.exe (PID: 1664)
      • SpotifyConverter.exe (PID: 2304)
      • MsiExec.exe (PID: 4064)
    • Reads the computer name
      • msiexec.exe (PID: 1664)
      • MsiExec.exe (PID: 4064)
      • SpotifyConverter.exe (PID: 2304)
    • Reads Windows owner or organization settings
      • msiexec.exe (PID: 1664)
      • msiexec.exe (PID: 2220)
    • Reads the Windows organization settings
      • msiexec.exe (PID: 2220)
      • msiexec.exe (PID: 1664)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 1664)
    • Drops a file with a compile date too recent
      • msiexec.exe (PID: 1664)
  • INFO
    • Checks supported languages
      • msiexec.exe (PID: 2220)
    • Reads the computer name
      • msiexec.exe (PID: 2220)
    • Application launched itself
      • msiexec.exe (PID: 1664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Comments: This installer database contains the logic and data required to install Adobe Reader PDF.
Template: ;1033
Software: Advanced Installer 12.2.1 build 64247
LastModifiedBy: -
Author: Adobe Reader PDF
Subject: Adobe Reader PDF
Words: 10
RevisionNumber: {535E6490-309C-4BDE-8C83-07C1972D6C81}
CodePage: Windows Latin 1 (Western European)
Security: None
Pages: 200
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
Keywords: Installer, MSI, Database
Title: Installation Database
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph: process graph image (see the full report); nodes shown: msiexec.exe (drop and start), msiexec.exe, msiexec.exe, spotifyconverter.exe, searchprotocolhost.exe

Process information (fields per process: PID, CMD, Path, Indicators, Parent process)
PID: 2220
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\скf4cqstgm5qsfr7jp2k.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
PID: 1664
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
PID: 4064
CMD: C:\Windows\system32\MsiExec.exe -Embedding AA6E8963A5B2B696A05A030E298CD024
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
PID: 2304
CMD: "C:\Users\admin\Documents\Spotify.pdf\SpotifyConverter.exe"
Path: C:\Users\admin\Documents\Spotify.pdf\SpotifyConverter.exe
Parent process: msiexec.exe
User:
admin
Company:
TunesKit
Integrity Level:
MEDIUM
Description:
TunesKit Application
Version:
2, 1, 0, 700
PID: 2492
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Total events: 2 889
Read events: 2 854
Write events: 33
Delete events: 2

Modification events

Process: (1664) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write, Name: Owner
Value:
800600005C995558258AD801
Process: (1664) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write, Name: SessionHash
Value:
9367D015C4441F47B222D8674B73A1FCE64E66EA0F274A9133B3B097A3934328
Process: (1664) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write, Name: Sequence
Value:
1
Process: (1664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
Operation: write, Name: (default)
Value:
C:\Windows\Installer\f9da0.ipi
Process: (1664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write, Name: C:\Config.Msi\
Value:
Process: (1664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write, Name: C:\Config.Msi\f9da1.rbs
Value:
30968365
Process: (1664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write, Name: C:\Config.Msi\f9da1.rbsLow
Value:
Process: (1664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\4887ACFEDFBACFF46B07A2E9816759A1
Operation: write, Name: A93F6BF2BDE113E46823D7368B5EABB9
Value:
C:\Users\admin\Documents\Spotify.pdf\ConvertLibrary.dll
Process: (1664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\948AAF0721E76CC4E89986D6C35E2F03
Operation: write, Name: A93F6BF2BDE113E46823D7368B5EABB9
Value:
C:\Users\admin\Documents\Spotify.pdf\skin\en\about.xml
Process: (1664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\8664763B42A1CCC41AB5AE594F51D04E
Operation: write, Name: A93F6BF2BDE113E46823D7368B5EABB9
Value:
C:\Users\admin\Documents\Spotify.pdf\skin\de\about.xml
Executable files: 10
Suspicious files: 4
Text files: 67
Unknown types: 2

Dropped files (fields per file: PID, Process, Filename, Type)
PID 1664 | msiexec.exe | C:\Windows\Installer\f9d9e.msi | executable
MD5:8304394E8BDEC3C0C0D14437FCBE2785
SHA256:150BAC3B488270DB479D96FDED7FA91F3B044F17AC197A0C06F8E3C08C3E7587
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\WebStream.dll | executable
MD5:2B5475534B9A47B486F49453E5967762
SHA256:4BE8EE865D72F1EB64F1D08EED7335375D577A0A35C6D525BF120527DB43A869
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\sparkle_init.pdf | binary
MD5:80920553D57D4C32DBCBBA3C8E08C7D9
SHA256:A4C88AD5E16EF98EACE78A817175564FBCEFC1DEC80E43E22056D8A64BDAFB13
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\skin\de\about.xml | xml
MD5:B82DE60B989AD38363360BDB7BCFA255
SHA256:E4ED5C8A9FF9CF203AEE759F5765425EC83661CD6BBE5B2B8E4828A02E931294
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\unins000.dat | dat
MD5:F7880A41E5A8804A973D6B41DFD313CE
SHA256:E63E7200578E5690BBB3318770113C4527FCD4DF17A4AF6B2AF6B0FDB927896B
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\ConvertLibrary.dll | executable
MD5:878702A2B0D436095F67E5346ADCCEEE
SHA256:70AF458E2B578DF75361B8ED16E3D1CC14F25EABBC67096F6DA2A1D41F9F2108
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\WinSparkle.dll | executable
MD5:22D50A28FCCFE8A2BF73C38A3BC12646
SHA256:841495F5726D4931AC4546245AE4584EE850195B0379715A3AF8C1DB58008195
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\skin\de\main.xml | xml
MD5:DB91D7A612CE41278A3B6A35105FE3C0
SHA256:DC21D77B0E10B8F9DBACAAC342BBDB2C9B18018D9118F341684CA9EE9E3C854C
PID 1664 | msiexec.exe | C:\Users\admin\Documents\Spotify.pdf\SpotifyConverter.exe | executable
MD5:B96D9C8AD0720FCFCB44FD094A7D1218
SHA256:F535E29578829B0E0B0559AA839AC39110209721EFCF5047DFD81E056F1597AC
PID 1664 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFC19458C238490616.TMP | gmc
MD5:453CA04D6270F8574FBB196956546E73
SHA256:39C64B3C57CD6BBFB19D7F10628B6F6EA770FECA204793299BE794B2240C58B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info