| File name: | ImageSort.x86.msi |
| Full analysis: | https://app.any.run/tasks/934c3cbb-8c79-4289-ad8e-f3890deaff96 |
| Verdict: | Malicious activity |
| Analysis date: | April 30, 2024, 19:03:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Image Sort installer, Author: Lolle2000la, Keywords: Installer, Comments: This installer database contains the logic and data required to install Image Sort., Template: Intel;1033, Revision Number: {EC5E9098-9C28-4494-B938-F55284760EF8}, Create Time/Date: Thu Apr 11 14:33:34 2024, Last Saved Time/Date: Thu Apr 11 14:33:34 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.2.0), Security: 2 |
| MD5: | A6380D8572F801074F02E81F81202DA6 |
| SHA1: | D0E6AE4C04D112E5DBD1B8352CE8D17C74DE1EC7 |
| SHA256: | 520DBA0BF549E79BF4D1AF4C9AA92EA14B46D5FDA56416DA5358DA11D13867EC |
| SSDEEP: | 98304:uzaZ5nyPsYaWNWzp5/5AAy+DFDBQAakZgiN7853J2lshc9/y2VKBDq4iz5Yz7U64:zu |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 3964)
- msiexec.exe (PID: 4000)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 4084)
Process drops legitimate windows executable
- msiexec.exe (PID: 4000)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 4000)
Reads the Internet Settings
- Image Sort.exe (PID: 1852)
INFO
Reads the machine GUID from the registry
- msiexec.exe (PID: 4000)
- msiexec.exe (PID: 4048)
Checks supported languages
- msiexec.exe (PID: 4000)
- msiexec.exe (PID: 4048)
- Image Sort.exe (PID: 1852)
Reads the computer name
- msiexec.exe (PID: 4000)
- msiexec.exe (PID: 4048)
- Image Sort.exe (PID: 1852)
Application launched itself
- msiexec.exe (PID: 4000)
- msedge.exe (PID: 2276)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3964)
- msiexec.exe (PID: 4000)
Create files in a temporary directory
- msiexec.exe (PID: 4000)
Creates a software uninstall entry
- msiexec.exe (PID: 4000)
Manual execution by a user
- Image Sort.exe (PID: 1852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | Image Sort installer |
| Author: | Lolle2000la |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install Image Sort. |
| Template: | Intel;1033 |
| RevisionNumber: | {EC5E9098-9C28-4494-B938-F55284760EF8} |
| CreateDate: | 2024:04:11 14:33:34 |
| ModifyDate: | 2024:04:11 14:33:34 |
| Pages: | 200 |
| Words: | 2 |
| Software: | WiX Toolset (4.0.2.0) |
| Security: | Read-only recommended |
Total processes
41
Monitored processes
7
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1852 | "C:\Program Files\Image Sort\Image Sort.exe" | C:\Program Files\Image Sort\Image Sort.exe | explorer.exe | ||||||||||||
User: admin Company: Image Sort Integrity Level: MEDIUM Description: Image Sort Exit code: 2147516547 Version: 2.12.9.0 Modules
| |||||||||||||||
| 2272 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6d81f598,0x6d81f5a8,0x6d81f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2276 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win-x86&os=win7&apphost_version=8.0.4&gui=true | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | Image Sort.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 3964 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\ImageSort.x86.msi | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4000 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4048 | C:\Windows\system32\MsiExec.exe -Embedding DF74C403DC3C542743F4277D59A50E72 C | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4084 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
5 464
Read events
5 185
Write events
267
Delete events
12
Modification events
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 400000000000000092732428319BDA01A00F0000F00F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 400000000000000092732428319BDA01A00F0000F00F0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 75 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 40000000000000003C7FD228319BDA01A00F0000F00F0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000003C7FD228319BDA01A00F0000F4070000E8030000010000000000000000000000A104FAEE03180C4F95F9F6341BA2CB020000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F000044080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F0000FC0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F000018080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F0000E8070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 4000000000000000FE6ADE28319BDA01F40F000044080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
32
Suspicious files
13
Text files
2
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4000 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 4000 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{eefa04a1-1803-4f0c-95f9-f6341ba2cb02}_OnDiskSnapshotProp | binary | |
MD5:04679A52813AB252DBC24A816F2621F0 | SHA256:48249B8F6ABED5039A658140D9B7B78A3D2DDA158BCF51DA85FFFEA0114137DE | |||
| 4000 | msiexec.exe | C:\Windows\Installer\108f71.ipi | binary | |
MD5:E4E5A0DC031724F4334A474F5955389E | SHA256:9B8972422298128EBB46FE6AF4F6E70383924D32084CD90DA9E86DAE56385885 | |||
| 4000 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF54B2DA9D4FF6F17E.TMP | binary | |
MD5:D2598B344A0C13FFBD955B2F837F8C19 | SHA256:F5152D8637525E61426031C7FE9E5AE2B0E567C3D6AED6EBAA2D06AF8BBCA95C | |||
| 4000 | msiexec.exe | C:\Windows\Installer\MSI9646.tmp | binary | |
MD5:73C7C9FBED434002A490AA7C2DE0B8C1 | SHA256:D95E4B81DA2FFF2C96AD3AB1E20BEF84AF83204BE4078B7C64E2D08A60D620A5 | |||
| 4000 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:04679A52813AB252DBC24A816F2621F0 | SHA256:48249B8F6ABED5039A658140D9B7B78A3D2DDA158BCF51DA85FFFEA0114137DE | |||
| 4000 | msiexec.exe | C:\Windows\Installer\108f70.msi | executable | |
MD5:A6380D8572F801074F02E81F81202DA6 | SHA256:520DBA0BF549E79BF4D1AF4C9AA92EA14B46D5FDA56416DA5358DA11D13867EC | |||
| 3964 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI6A54.tmp | executable | |
MD5:FE3B18330666AAE361016C21F0C28578 | SHA256:D6B15C1928C493CD5B51213F69295465F220EADB54C9D67E75427F1BBA05D9B7 | |||
| 4000 | msiexec.exe | C:\Program Files\Image Sort\Image Sort.runtimeconfig.json | binary | |
MD5:07B9A30265CA4E69C7016A1B6E3FFC27 | SHA256:C71152BF25E40D647B2440C5B39BE157A3D356106BE9D5B678AB97BB87B4E782 | |||
| 4000 | msiexec.exe | C:\Program Files\Image Sort\Image Sort.exe | executable | |
MD5:982F2F0100849A40DE71253F27107F2B | SHA256:B7FAB4A525BC3EF780AA4C036B9B6118396F3A385BA49CCB900754E24F303DBB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
Image Sort.exe | You must install .NET to run this application.
App: C:\Program Files\Image Sort\Image Sort.exe
Architecture: x86
App host version: 8.0.4
.NET location: Not found
Learn more:
https://aka.ms/dotnet/app-launch-failed
Download the .NET runtime:
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win-x86&os=win7&apphost_version=8.0.4 |