analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Phoenix_Protector.msi

Full analysis: https://app.any.run/tasks/e91071e3-e159-4334-a948-7a4eeaff484b
Verdict: Malicious activity
Analysis date: March 31, 2020, 11:01:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {39F77FE7-23B4-4BE0-A22F-F6E198906FB4}, Title: Phoenix Protector, Author: Daniel Pistelli, Number of Words: 2, Last Saved Time/Date: Wed Jul 7 11:59:20 2010, Last Printed: Wed Jul 7 11:59:20 2010
MD5:

DB824D8FD76EA44E79CC900656C32AC1

SHA1:

E3A2E889E157122872523D2DC2ADEFABACF29935

SHA256:

15A7DBBF90CE66FB302A322C6809FAFD897808096069DFECEDEDF78E51B16369

SSDEEP:

24576:4gAG1n9AGybBDnrCXYtNmvP9s0Iv3FHaZ42Yr:4gAG19uB/uYtE8v8+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Phoenix Protector.exe (PID: 2536)
  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 1748)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2936)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 2936)
    • Creates files in the user directory

      • msiexec.exe (PID: 2936)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1748)
    • Creates files in the program directory

      • msiexec.exe (PID: 2936)
    • Application launched itself

      • msiexec.exe (PID: 2936)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2936)
    • Manual execution by user

      • Phoenix Protector.exe (PID: 2536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (95.3)
.doc | Microsoft Word document (old ver.) (3.2)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2010:07:07 10:59:20
ModifyDate: 2010:07:07 10:59:20
Words: 2
Comments: -
Keywords: -
Author: Daniel Pistelli
Subject: -
Title: Phoenix Protector
RevisionNumber: {39F77FE7-23B4-4BE0-A22F-F6E198906FB4}
Pages: 200
Template: Intel;1033
CodePage: Windows Latin 1 (Western European)
Security: Password protected
Software: Windows Installer
CreateDate: 1999:06:21 07:00:00
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe msiexec.exe no specs vssvc.exe no specs msiexec.exe no specs phoenix protector.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3028"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Phoenix_Protector.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2936C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2896C:\Windows\system32\MsiExec.exe -Embedding A84DBA035E716B8985E1A47DC41DB6B2 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1748C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
536C:\Windows\system32\MsiExec.exe -Embedding E0DCDCB7CEDC3F3385F35C29A0D7A820C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2536"C:\Program Files\NTCore\Phoenix Protector\Phoenix Protector.exe" C:\Program Files\NTCore\Phoenix Protector\Phoenix Protector.exeexplorer.exe
User:
admin
Company:
NTCore
Integrity Level:
MEDIUM
Description:
Phoenix Protector
Version:
1.9.0.1
Total events
1 331
Read events
1 027
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
4
Text files
8
Unknown types
4

Dropped files

PID
Process
Filename
Type
3028msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI6D1A.tmp
MD5:
SHA256:
3028msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI6DA7.tmp
MD5:
SHA256:
2936msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2936msiexec.exeC:\Windows\Installer\MSIC665.tmp
MD5:
SHA256:
2936msiexec.exeC:\Windows\Installer\MSIC751.tmp
MD5:
SHA256:
2936msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFBBCF6E1210188D6A.TMP
MD5:
SHA256:
1748vssvc.exeC:
MD5:
SHA256:
2936msiexec.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Phoenix Protector\Phoenix Protector Help.lnklnk
MD5:CA6E0DB722EF0902277B79F5D779136A
SHA256:5697162917D1400D3712C3A639C9F7D262C25D144EBE61FDB479AEDD188B1F3A
2936msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{8629c54f-5f60-4933-83e9-1e66f057e7b8}_OnDiskSnapshotPropbinary
MD5:CC2F1A056700B02DB9E585E35B728A70
SHA256:3F929B65E627FC19F7A4C8DE50D236F084FCD7CB5BC9B578347DF399C82B8664
2936msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:CC2F1A056700B02DB9E585E35B728A70
SHA256:3F929B65E627FC19F7A4C8DE50D236F084FCD7CB5BC9B578347DF399C82B8664
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info