File name:

anyconnect-win-4.9.01095-core-vpn-predeploy-k9.msi

Full analysis: https://app.any.run/tasks/51c9cb63-5e20-426a-a51f-ac58bb57d0b1
Verdict: Malicious activity
Analysis date: November 18, 2024, 14:26:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {98BB4D3F-1FAE-44FB-BA79-BFCCD04278DE}, Number of Words: 2, Subject: Cisco AnyConnect Secure Mobility Client, Author: Cisco Systems, Inc., Name of Creating Application: Advanced Installer 15.6 build 0c40bd432e, Template: ;1033, Comments: A SmartNET contract is required for support - Cisco AnyConnect Secure Mobility Client., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

AC37D288757434A5B2647D50664F8BBF

SHA1:

1E03766BCC1B143D1531B1EF82AFCB94743ABDF8

SHA256:

29448F083B2283F0093723FC3B994C6C3C2CF60A12293C1A46789EEDB34A6215

SSDEEP:

98304:SdY3qX9BYxJjVCVeUtVhwXqeiXS2OEEcuT/L3t80+GxioKbvLY27yVc242sTjaHm:0R+JCG7VQd4nkRa7XJvVvzupDL5D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6432)

    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 3972)
      • msiexec.exe (PID: 6560)
      • drvinst.exe (PID: 3936)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3972)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5976)
      • cmd.exe (PID: 1884)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3972)

    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 3580)

    • Executing commands from a ".bat" file

      • msiexec.exe (PID: 3580)

    • Executable content was dropped or overwritten

      • drvinst.exe (PID: 3936)

  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6304)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6304)

    • Reads the software policy settings

      • msiexec.exe (PID: 6304)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6304)
      • msiexec.exe (PID: 3972)
      • msiexec.exe (PID: 6560)

    • Manages system restore points

      • SrTasks.exe (PID: 2648)

    • Sends debugging messages

      • msiexec.exe (PID: 3580)
      • VACon64.exe (PID: 884)

    • Changes the display of characters in the console

      • cmd.exe (PID: 5976)
      • cmd.exe (PID: 1884)

    • Application launched itself

      • msiexec.exe (PID: 3972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {98BB4D3F-1FAE-44FB-BA79-BFCCD04278DE}
Words: 2
Subject: Cisco AnyConnect Secure Mobility Client
Author: Cisco Systems, Inc.
LastModifiedBy: -
Software: Advanced Installer 15.6 build 0c40bd432e
Template: ;1033
Comments: A SmartNET contract is required for support - Cisco AnyConnect Secure Mobility Client.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
158
Monitored processes
40
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs installhelper.exe no specs msiexec.exe runonce.exe no specs grpconv.exe no specs vacon64.exe drvinst.exe drvinst.exe no specs vacon64.exe no specs runonce.exe no specs grpconv.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
860chcp 65001 C:\Windows\SysWOW64\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
884"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\VACon64.exe" -install "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\\vpnva-6.inf" VPNVAC:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\VACon64.exe
msiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Virtual Adapter Installer
Exit code:
3758096967
Version:
4, 9, 01095
1332/C "C:\Users\admin\AppData\Local\Temp\{123E5331-89A9-40AF-B4E1-E2C6F904018E}.bat"C:\Windows\SysWOW64\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
1792"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -registerdll "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnapi.dll"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
0
Version:
4, 9, 01095
1884/C "C:\Users\admin\AppData\Local\Temp\{274D34BD-E6AD-4C37-8C7F-92448001F6EC}.bat"C:\Windows\SysWOW64\cmd.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
2140\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2420"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -moveIfExist "C:\ProgramData\\Cisco\Cisco AnyConnect VPN Client\preferences_global.xml" "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\\preferences_global.xml"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
0
Version:
4, 9, 01095
2464\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2588"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exe" -copyFiles "C:\Users\admin\Desktop\Profiles\feedback\\" "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\CustomerExperienceFeedback\\" "CustomerExperience_Feedback.xml"C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\InstallHelper.exemsiexec.exe
User:
admin
Company:
Cisco Systems, Inc.
Integrity Level:
MEDIUM
Description:
AnyConnect Secure Mobility Client Install Helper
Exit code:
1
Version:
4, 9, 01095
2648C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
20 062
Read events
19 141
Write events
479
Delete events
442

Modification events

(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000D1A8ED0EC639DB01840F00002C040000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000D1A8ED0EC639DB01840F00002C040000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000B7A04A0FC639DB01840F00002C040000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000B7A04A0FC639DB01840F00002C040000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000044044D0FC639DB01840F00002C040000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000003CE510FC639DB01840F00002C040000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4800000000000000EBBD2A10C639DB01840F00002C040000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3972) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000B1852F10C639DB01840F000038050000E80300000100000000000000000000007823A13CE437FE479B8D85BE9C2DF58E00000000000000000000000000000000
(PID) Process:(6432) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
48000000000000008C063910C639DB012019000080090000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
65
Suspicious files
32
Text files
52
Unknown types
6

Dropped files

PID
Process
Filename
Type
3972msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3972msiexec.exeC:\Windows\Installer\9fdec.msi
MD5:
SHA256:
6304msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3854FAC0D697873AEC36877F496668D2der
MD5:B56FDB4D741604F326FB0EDAE1A1622B
SHA256:DF636A9C176EEACF0849AC36C25D5E78EB751A05AF32D12E8CED1F674A549107
3972msiexec.exeC:\Windows\Installer\MSI1DAC.tmp
MD5:
SHA256:
6304msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78Bbinary
MD5:5BFA51F3A417B98E7443ECA90FC94703
SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
6304msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\472BC96E644745821BD57EA65406C816der
MD5:B7B89696A30ACAB9B6B6B944D55514A7
SHA256:450D65C3E4A85FC4E7F39B972B71982042E1A1302DCE6D9242AADD6FA90FBCCB
6304msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78Bbinary
MD5:DAD63AC4BE3C01DCBFB3081FF1CA6699
SHA256:AB6336D8ECC6DE82550828FBFC3DD04AC98D73B04B2EC0B406FEAD0CE1D1B8BC
6304msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIEC4D.tmpexecutable
MD5:09979FE43E7417C747CA0F71D811B5C1
SHA256:D3AB8B009C45EA39791A8179EC1EC8C649281D7AF3C8E975991085A25D4757A9
6304msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3854FAC0D697873AEC36877F496668D2binary
MD5:25F9063202171CFEBD5789A150C32370
SHA256:77C5C38E501BC224FF8D79B665D595AA2883F59E41EA3A26A810C682EC4AF885
6304msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_C90A4A142FC951BB5BA5ADB1D629C0D7binary
MD5:CD5501B2BD2C726005D8B31B2C2258E7
SHA256:5B4B3E91D41A103B107624162517DBE15B13020C71A21C2AC1742692C4144A79
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
27
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6304
msiexec.exe
GET
200
152.199.19.74:80
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHwbNTVK59t050FfEWnKa6g%3D
unknown
whitelisted
6304
msiexec.exe
GET
200
152.199.19.74:80
http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FYHKj6JjF6UBieQioTYpFsuEriQQUtnf6aUhHn1MS1cLqBzJ2B9GXBxkCEHwbNTVK59t050FfEWnKa6g%3D
unknown
whitelisted
6304
msiexec.exe
GET
200
192.229.221.95:80
http://s.symcb.com/universal-root.crl
unknown
whitelisted
6304
msiexec.exe
GET
200
152.199.19.74:80
http://rb.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTDRSYViRCZTxmZjLENmnwVjLly9QQU1MAGIknrOUvdk%2BJcobhHdglyA1gCEDSwesDam3xemKiAzep%2Fvu4%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6944
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
s.symcd.com
  • 152.199.19.74
shared
s.symcb.com
  • 192.229.221.95
whitelisted
rb.symcd.com
  • 152.199.19.74
whitelisted
rb.symcb.com
  • 192.229.221.95
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted
www.bing.com
  • 2.16.110.160
  • 2.16.110.161
  • 2.16.110.168
  • 2.16.110.155
  • 2.16.110.145
  • 2.16.110.152
  • 2.16.110.153
  • 2.16.110.154
  • 2.16.110.147
whitelisted

Threats

No threats detected
Process
Message
msiexec.exe
DBGHELP: Symbol Search Path: C:\Windows\syswow64
msiexec.exe
DBGHELP: Symbol Search Path: .
msiexec.exe
DBGHELP: symsrv.dll load failure
msiexec.exe
DBGHELP: C:\Windows\syswow64\symbols\dll\wntdll.pdb - file not found
msiexec.exe
DBGHELP: C:\Windows\syswow64\dll\wntdll.pdb - file not found
msiexec.exe
DBGHELP: wntdll.pdb - file not found
msiexec.exe
DBGHELP: ntdll - export symbols
msiexec.exe
DBGHELP: C:\Windows\syswow64\wntdll.pdb - file not found
VACon64.exe
VACON: -install
msiexec.exe
DBGHELP: Symbol Search Path: C:\Windows\syswow64
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
anyconnect-win-4.9.01095-core-vpn-predeploy-k9.msi