analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

CommunityClipsSetup_1813.msi

Full analysis: https://app.any.run/tasks/7e7038f2-1e01-4af6-a533-973bfddd5448
Verdict: Malicious activity
Analysis date: October 09, 2019, 14:03:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {A5766F94-C04B-48F4-9219-A2CA61F01DC0}, Title: Community Clips, Author: Microsoft, Number of Words: 2, Last Saved Time/Date: Thu Jun 19 22:53:38 2008, Last Printed: Thu Jun 19 22:53:38 2008
MD5:

2349E63E0690385B7579F3CD16FD6915

SHA1:

E6056AB3DE0B86D96C03CF76546860E122E05B9E

SHA256:

2BCDF7918E439556268AAF457A6895F5DBF274C888F272932E18809BB4C48341

SSDEEP:

196608:SVaOOtokclkc00tE+xeO3yRxDmGmgVyoLzaMUgGcQUrjHj5nasvU3hW0cd4Gn:SVzk6vVtE+o6sw24fkj5ruav

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • CommunityClips.exe (PID: 2500)
      • WMEncoder.exe (PID: 2900)
      • WMEncoder.exe (PID: 2868)
      • settmp.exe (PID: 2932)
      • wmasfdist.exe (PID: 4088)
      • settmp.exe (PID: 3580)
      • WMFDist.exe (PID: 3140)
      • wmstypelib.exe (PID: 2168)
      • WMEncAgt.exe (PID: 2064)
      • wmenc.exe (PID: 2820)

    • Loads dropped or rewritten executable

      • CommunityClips.exe (PID: 2500)
      • WMEncoder.exe (PID: 2868)
      • rundll32.exe (PID: 3224)
      • wmasfdist.exe (PID: 4088)
      • rundll32.exe (PID: 3516)
      • wmstypelib.exe (PID: 2168)
      • MsiExec.exe (PID: 3436)
      • MsiExec.exe (PID: 4056)
      • MsiExec.exe (PID: 2480)
      • MsiExec.exe (PID: 3344)
      • MsiExec.exe (PID: 1300)
      • MsiExec.exe (PID: 2244)
      • MsiExec.exe (PID: 568)
      • MsiExec.exe (PID: 3932)
      • MsiExec.exe (PID: 3296)
      • MsiExec.exe (PID: 4000)
      • MsiExec.exe (PID: 3356)

  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 3156)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2612)
      • msiexec.exe (PID: 3064)
      • WMEncoder.exe (PID: 2868)
      • wmasfdist.exe (PID: 4088)
      • DrvInst.exe (PID: 3308)
      • rundll32.exe (PID: 3224)
      • wmstypelib.exe (PID: 2168)
      • DrvInst.exe (PID: 2964)
      • rundll32.exe (PID: 3516)

    • Executed via COM

      • DrvInst.exe (PID: 2100)
      • DrvInst.exe (PID: 968)
      • DrvInst.exe (PID: 3308)
      • DrvInst.exe (PID: 2964)

    • Creates COM task schedule object

      • msiexec.exe (PID: 3064)
      • MsiExec.exe (PID: 3436)
      • MsiExec.exe (PID: 3776)
      • MsiExec.exe (PID: 4056)
      • MsiExec.exe (PID: 2244)
      • MsiExec.exe (PID: 1300)
      • MsiExec.exe (PID: 568)
      • MsiExec.exe (PID: 2480)
      • MsiExec.exe (PID: 3344)
      • MsiExec.exe (PID: 3932)
      • MsiExec.exe (PID: 3356)
      • MsiExec.exe (PID: 3296)

    • Creates files in the Windows directory

      • msiexec.exe (PID: 3064)
      • wmasfdist.exe (PID: 4088)
      • DrvInst.exe (PID: 3308)
      • wmstypelib.exe (PID: 2168)
      • DrvInst.exe (PID: 2964)

    • Starts Microsoft Installer

      • WMEncoder.exe (PID: 2868)

    • Uses RUNDLL32.EXE to load library

      • wmasfdist.exe (PID: 4088)
      • wmstypelib.exe (PID: 2168)

    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 3064)

    • Creates files in the driver directory

      • DrvInst.exe (PID: 3308)
      • DrvInst.exe (PID: 2964)

    • Removes files from Windows directory

      • DrvInst.exe (PID: 3308)
      • wmasfdist.exe (PID: 4088)
      • DrvInst.exe (PID: 2964)
      • wmstypelib.exe (PID: 2168)

  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2508)
      • MsiExec.exe (PID: 2688)
      • msiexec.exe (PID: 3064)
      • MsiExec.exe (PID: 2212)
      • MsiExec.exe (PID: 3096)

    • Searches for installed software

      • msiexec.exe (PID: 3064)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3156)

    • Application launched itself

      • msiexec.exe (PID: 3064)

    • Creates files in the program directory

      • MsiExec.exe (PID: 2212)
      • msiexec.exe (PID: 3064)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3064)

    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 3064)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 3308)

    • Application was dropped or rewritten from another process

      • MSIC799.tmp (PID: 2180)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (93.3)
.pps/ppt | Microsoft PowerPoint document (5.2)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2008:06:19 21:53:38
ModifyDate: 2008:06:19 21:53:38
Words: 2
Comments: -
Keywords: -
Author: Microsoft
Subject: -
Title: Community Clips
RevisionNumber: {A5766F94-C04B-48F4-9219-A2CA61F01DC0}
Pages: 200
Template: Intel;1033
CodePage: Windows Latin 1 (Western European)
Security: Password protected
Software: Windows Installer
CreateDate: 1999:06:21 07:00:00
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
74
Monitored processes
37
Malicious processes
16
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs msiexec.exe no specs communityclips.exe no specs wmencoder.exe no specs wmencoder.exe msiexec.exe no specs drvinst.exe no specs msiexec.exe no specs settmp.exe no specs wmasfdist.exe rundll32.exe drvinst.exe wmfdist.exe no specs settmp.exe no specs wmstypelib.exe rundll32.exe drvinst.exe msic799.tmp no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs wmencagt.exe no specs wmenc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2612"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\CommunityClipsSetup_1813.msi"C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3064C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2508C:\Windows\system32\MsiExec.exe -Embedding CFC4DDD4B1AAFCF35785AD03205F32D9 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3156C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2100DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000394" "000003D0"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2688C:\Windows\system32\MsiExec.exe -Embedding C946BB470EF50EA3D2B64D279A15565EC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2212C:\Windows\system32\MsiExec.exe -Embedding 81D974ADDBBAC722A7C0AF17EFA1B73C M Global\MSI0000C:\Windows\system32\MsiExec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2500"C:\Program Files\Microsoft\Office Labs\CommunityClips\CommunityClips.exe"C:\Program Files\Microsoft\Office Labs\CommunityClips\CommunityClips.exemsiexec.exe
User:
admin
Company:
Microsoft Office Labs
Integrity Level:
MEDIUM
Description:
CommunityClips
Version:
1.0.1813.0
2900"C:\Program Files\Microsoft\Office Labs\CommunityClips\WMEncoder.exe" /QC:\Program Files\Microsoft\Office Labs\CommunityClips\WMEncoder.exeCommunityClips.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Component Setup Application
Exit code:
3221226540
Version:
9.00.00.2980
2868"C:\Program Files\Microsoft\Office Labs\CommunityClips\WMEncoder.exe" /QC:\Program Files\Microsoft\Office Labs\CommunityClips\WMEncoder.exe
CommunityClips.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Media Component Setup Application
Exit code:
0
Version:
9.00.00.2980
Total events
3 717
Read events
1 136
Write events
0
Delete events
0

Modification events

No data
Executable files
68
Suspicious files
26
Text files
335
Unknown types
29

Dropped files

PID
Process
Filename
Type
2612msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI7E06.tmp
MD5:
SHA256:
3064msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3064msiexec.exeC:\Windows\Installer\193917.msi
MD5:
SHA256:
3064msiexec.exeC:\Windows\Installer\MSI3D4E.tmp
MD5:
SHA256:
3064msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:584E7B2B150A20BF77E1D77131FA3D1C
SHA256:1BE505A100CF543BC4BE2C19F161745F0BB5D11ACAD6268985938490C41EBC41
2100DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:8F761032829FB6121AEE77E26DC667A6
SHA256:F83E1592023B7C8F6C15847F26D30770C0A52E6C7304DBA951EEA437E2737649
3064msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{78a34cdb-6f0e-4357-9c4f-88e90e003a63}_OnDiskSnapshotPropbinary
MD5:584E7B2B150A20BF77E1D77131FA3D1C
SHA256:1BE505A100CF543BC4BE2C19F161745F0BB5D11ACAD6268985938490C41EBC41
3064msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFD4F99371F735BD77.TMP
MD5:
SHA256:
3156vssvc.exeC:
MD5:
SHA256:
2100DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:7543E903C3C3199A2F4889337111026D
SHA256:5EA0C109DF3150926A768D9DA3A807F884139AFDF58C08B34048FBE8B765D2BA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
7
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
www.officelabs.com
unknown
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

No threats detected
Process
Message
rundll32.exe
MSOOBCI: DoInstall failed with error: 0x80070002
rundll32.exe
MSOOBCI: DoInstall failed with error: 0x80070002
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
CommunityClipsSetup_1813.msi