File name: VoucherCarrefourSpainEUR.msi
Full analysis: https://app.any.run/tasks/39f9ca71-7df4-4abf-815e-e3330bb4cbb1
Verdict: Malicious activity
Analysis date: November 08, 2019, 12:45:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {27F0A235-ECAF-4F52-8DFD-3FFB8EB6B8A8}, Number of Words: 10, Subject: PDF Adobe Flash, Author: PDF Adobe Flash, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install PDF Adobe Flash., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5: 2C7A4E84892AB3B5FAE30945E2E4D896
SHA1: 12105410025548138374F0BC64E71BC107E1D817
SHA256: 3945D13A480EBA2E8350CD8B71C866E0C5FA7A6A0C642074BABF9540979727EF
SSDEEP: 24576:CXxXVe5QbwW5Ap9nGl/BljpqGQbBEpqkzi0LkiYeq2CNzQBG/435qKmMdDWjTU+s:CXVE9nO7jpqGU+IsIz+OTPYGYPKA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 1796)
    • Connects to unusual port
      • MsiExec.exe (PID: 3832)
  • INFO
    • Application launched itself
      • msiexec.exe (PID: 1796)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (84.2)
.mst | Windows SDK Setup Transform Script (9.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {27F0A235-ECAF-4F52-8DFD-3FFB8EB6B8A8}
Words: 10
Subject: PDF Adobe Flash
Author: PDF Adobe Flash
LastModifiedBy: -
Software: Advanced Installer 12.2.1 build 64247
Template: ;1033
Comments: This installer database contains the logic and data required to install PDF Adobe Flash.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
Total processes: 36
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: start → msiexec.exe → msiexec.exe → msiexec.exe (per-process details follow).

Process information

PID: 2504
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\VoucherCarrefourSpainEUR.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 1796
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3832
CMD: C:\Windows\system32\MsiExec.exe -Embedding DD52E9A7FC864257D085B21C9C5E8185
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 427
Read events: 405
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 1796
Process: msiexec.exe
Filename: C:\Windows\Installer\MSIA5EF.tmp

PID: 1796
Process: msiexec.exe
Filename: C:\Windows\Installer\MSIA67C.tmp

PID: 1796
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFBE8D180CB9A9B24B.TMP

PID: 1796
Process: msiexec.exe
Filename: C:\Windows\Installer\39a535.ipi
Type: binary
MD5: EAC184332C5EA99845EF4A1954CBBC86
SHA256: 9FB4898A2E2AC3E8297568E2F397051A1DE3413D7A95B011DED2F089FB9732F1

PID: 1796
Process: msiexec.exe
Filename: C:\Windows\Installer\39a533.msi
Type: executable
MD5: 2C7A4E84892AB3B5FAE30945E2E4D896
SHA256: 3945D13A480EBA2E8350CD8B71C866E0C5FA7A6A0C642074BABF9540979727EF

PID: 1796
Process: msiexec.exe
Filename: C:\Windows\Installer\MSIA73A.tmp
Type: executable
MD5: EE101CA054B2670565F6B7B91E186D34
SHA256: 1BB9E08FF69E0CECBD34B2E868A4C88403D4F1F5CAE135D25CE165F2B4C3D8DD
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

PID: 3832
Process: MsiExec.exe
Method: GET
IP: 35.247.208.129:4748
URL: http://35.247.208.129:4748/ecjay.zip
CN: US
Reputation: malicious

Connections

PID: 3832
Process: MsiExec.exe
IP: 35.247.208.129:4748
CN: US
Reputation: malicious

DNS requests

No data

Threats

PID: 3832
Process: MsiExec.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Trojan.Loader (Trojan.Agent.DDSA) Requesting Zip Archive