File name:

TribulusTerrestres01.msi

Full analysis: https://app.any.run/tasks/b9877e11-13d4-48d9-b528-63712d487d8b
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:58:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {DD6D8E82-46D3-456D-AEE3-6CBE34B72183}, Number of Words: 10, Subject: Installer, Author: Installer, Name of Creating Application: Installer 64247, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

D6D1E2E887EC9496A1195C722BB9281A

SHA1:

DF4904313082C7A4294A4292B72E58F5183017A2

SHA256:

3CABD5F4059D1B665F5461663C4289A7CEDF1E1A56481A2A43CF958A30E77E06

SSDEEP:

98304:IezS5Chbr9cvcTfrwlZof5mtsIWmOYpA:IzU7ycTDw7of53pm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • msiexec.exe (PID: 880)
  • SUSPICIOUS

    • Checks supported languages

      • msiexec.exe (PID: 880)
      • MsiExec.exe (PID: 2724)
    • Reads the Windows organization settings

      • msiexec.exe (PID: 1056)
      • msiexec.exe (PID: 880)
    • Reads Windows owner or organization settings

      • msiexec.exe (PID: 1056)
      • msiexec.exe (PID: 880)
    • Reads the computer name

      • msiexec.exe (PID: 880)
      • MsiExec.exe (PID: 2724)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 880)
    • Drops a file with a compile date too recent

      • msiexec.exe (PID: 880)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 1056)
    • Reads the computer name

      • msiexec.exe (PID: 1056)
    • Application launched itself

      • msiexec.exe (PID: 880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (84.6)
.mst | Windows SDK Setup Transform Script (9.5)
.xls | Microsoft Excel sheet (4.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Pages: 200
Keywords: Installer, MSI, Database
Title: Installation Database
Comments: -
Template: ;1033
Software: Installer 64247
LastModifiedBy: -
Author: Installer
Subject: Installer
Words: 10
RevisionNumber: {DD6D8E82-46D3-456D-AEE3-6CBE34B72183}
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → msiexec.exe (no specs) → msiexec.exe → msiexec.exe (no specs)

Process information

PID: 1056
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\TribulusTerrestres01.msi"
Path: C:\Windows\System32\msiexec.exe
Indicators: -
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 880
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Indicators: -
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2724
CMD: C:\Windows\system32\MsiExec.exe -Embedding D0BB8556C4A50332270520F1DB637181
Path: C:\Windows\system32\MsiExec.exe
Indicators: -
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 2 001
Read events: 1 979
Write events: 10
Delete events: 12

Modification events

(PID) Process: (880) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 70030000B0E757C9148AD801

(PID) Process: (880) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 88B55249E9EC6C04436B4A355FED00561AE5DDC73ACA5F3ECB5AC091861885E3

(PID) Process: (880) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (880) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
Operation: write
Name: (default)
Value: C:\Windows\Installer\f9fb3.ipi

(PID) Process: (880) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:

(PID) Process: (880) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\f9fb4.rbs
Value: 30968349

(PID) Process: (880) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\f9fb4.rbsLow
Value: 729525696

(PID) Process: (880) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\5A17B9C9A2D3B63458E41EF38F50D086
Operation: write
Name: AFB5490E8ED44EA4784B8455AB156AA1
Value: 01:\Software\CODE ERROR 02x71241\CODE ERROR 02x71241\Version

(PID) Process: (880) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\CODE ERROR 02x71241\CODE ERROR 02x71241
Operation: write
Name: Version
Value: 11.0.0.25

(PID) Process: (880) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\CODE ERROR 02x71241\CODE ERROR 02x71241
Operation: write
Name: Path
Value: C:\Users\admin\AppData\Roaming\CODE ERROR 02x71241\CODE ERROR 02x71241\
Executable files: 3
Suspicious files: 4
Text files: 0
Unknown types: 3

Dropped files

PID: 880 | Process: msiexec.exe | Filename: C:\Windows\Installer\f9fb1.msi | Type: -
MD5: -
SHA256: -

PID: 880 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DF61000A9BCAB9D9FF.TMP | Type: gmc
MD5: C592F1212F945E8C5A16D5133B4CCD62
SHA256: B067B8E8B35299D736227371969A7BE3C4A9F170AC0C1F5FD3580EE20D35C33B

PID: 880 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DF92615CEB22C6C16C.TMP | Type: gmc
MD5: 938F86B5194BFE12AFE517D8C49865FF
SHA256: 2CDC5D556F5003C88F5EBE5A1A4EDD173C7837DBD2A0AA856218532113B95F25

PID: 880 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSIA159.tmp | Type: binary
MD5: E5BE0C03A8FD06592A2013B754C1F06C
SHA256: 9A262A1DADE596BD4E3634C58B905D347F0D68C63BE77E65ADE513B0C498E6C7

PID: 880 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSIA1A9.tmp | Type: executable
MD5: EC3E2D0CA21DB3AECBF527960F198C43
SHA256: FDD8FC5F8D31B638D145AE1D8B4EA358F2F5E8469B4FF18D34D8C1CB11490A3F

PID: 880 | Process: msiexec.exe | Filename: C:\Windows\Installer\SourceHash{E0945BFA-4DE8-4AE4-87B4-4855BA51A61A} | Type: binary
MD5: 3E723D9AA7091E03B23DF6263103CA9A
SHA256: 6AD8501231C22C68AC04574CF14A00B2A3473BCDC30D704C6FA351DD62378A3F

PID: 880 | Process: msiexec.exe | Filename: C:\Config.Msi\f9fb4.rbs | Type: binary
MD5: 1441998EB1E625B77C08048BE0099C35
SHA256: 561349DEF3E89808461C9461281E10DAE329892B813A9560EA0232C2E945F562

PID: 880 | Process: msiexec.exe | Filename: C:\Windows\Installer\f9fb3.ipi | Type: binary
MD5: 8C7FA8E029CB0B9A09E6ED4BDC3EFA7B
SHA256: 41CA620D7E78A3317CE5C874896C771911D45984E63A9EFB3B2AE98634E4D4C4

PID: 880 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DFC2770D9AC4D595AA.TMP | Type: gmc
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID: 880 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSIA03E.tmp | Type: executable
MD5: 9F1E5D66C2889018DAEF4AEF604EEBC4
SHA256: 02A81AEA451CDFA2CD6668E3B814C4E50C6025E36B70AB972A8CC68ABA5B3222
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info