| File name: | ImageSort.x86.msi |
| Full analysis: | https://app.any.run/tasks/934c3cbb-8c79-4289-ad8e-f3890deaff96 |
| Verdict: | Malicious activity |
| Analysis date: | April 30, 2024, 19:03:34 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Image Sort installer, Author: Lolle2000la, Keywords: Installer, Comments: This installer database contains the logic and data required to install Image Sort., Template: Intel;1033, Revision Number: {EC5E9098-9C28-4494-B938-F55284760EF8}, Create Time/Date: Thu Apr 11 14:33:34 2024, Last Saved Time/Date: Thu Apr 11 14:33:34 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.2.0), Security: 2 |
| MD5: | A6380D8572F801074F02E81F81202DA6 |
| SHA1: | D0E6AE4C04D112E5DBD1B8352CE8D17C74DE1EC7 |
| SHA256: | 520DBA0BF549E79BF4D1AF4C9AA92EA14B46D5FDA56416DA5358DA11D13867EC |
| SSDEEP: | 98304:uzaZ5nyPsYaWNWzp5/5AAy+DFDBQAakZgiN7853J2lshc9/y2VKBDq4iz5Yz7U64:zu |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 4000)
- msiexec.exe (PID: 3964)
SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 4084)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 4000)
Process drops legitimate windows executable
- msiexec.exe (PID: 4000)
Reads the Internet Settings
- Image Sort.exe (PID: 1852)
INFO
Checks supported languages
- msiexec.exe (PID: 4048)
- msiexec.exe (PID: 4000)
- Image Sort.exe (PID: 1852)
Reads the computer name
- msiexec.exe (PID: 4000)
- msiexec.exe (PID: 4048)
- Image Sort.exe (PID: 1852)
Application launched itself
- msiexec.exe (PID: 4000)
- msedge.exe (PID: 2276)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3964)
- msiexec.exe (PID: 4000)
Reads the machine GUID from the registry
- msiexec.exe (PID: 4000)
- msiexec.exe (PID: 4048)
Creates a software uninstall entry
- msiexec.exe (PID: 4000)
Manual execution by a user
- Image Sort.exe (PID: 1852)
Create files in a temporary directory
- msiexec.exe (PID: 4000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | Image Sort installer |
| Author: | Lolle2000la |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install Image Sort. |
| Template: | Intel;1033 |
| RevisionNumber: | {EC5E9098-9C28-4494-B938-F55284760EF8} |
| CreateDate: | 2024:04:11 14:33:34 |
| ModifyDate: | 2024:04:11 14:33:34 |
| Pages: | 200 |
| Words: | 2 |
| Software: | WiX Toolset (4.0.2.0) |
| Security: | Read-only recommended |
Total processes
41
Monitored processes
7
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1852 | "C:\Program Files\Image Sort\Image Sort.exe" | C:\Program Files\Image Sort\Image Sort.exe | explorer.exe | ||||||||||||
User: admin Company: Image Sort Integrity Level: MEDIUM Description: Image Sort Exit code: 2147516547 Version: 2.12.9.0 Modules
| |||||||||||||||
| 2272 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6d81f598,0x6d81f5a8,0x6d81f5b4 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2276 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win-x86&os=win7&apphost_version=8.0.4&gui=true | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | Image Sort.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 109.0.1518.115 Modules
| |||||||||||||||
| 3964 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\ImageSort.x86.msi | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4000 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4048 | C:\Windows\system32\MsiExec.exe -Embedding DF74C403DC3C542743F4277D59A50E72 C | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4084 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
5 464
Read events
5 185
Write events
267
Delete events
12
Modification events
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 400000000000000092732428319BDA01A00F0000F00F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 400000000000000092732428319BDA01A00F0000F00F0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 75 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 40000000000000003C7FD228319BDA01A00F0000F00F0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4000) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000003C7FD228319BDA01A00F0000F4070000E8030000010000000000000000000000A104FAEE03180C4F95F9F6341BA2CB020000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F000044080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F0000FC0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F000018080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000004AA6D928319BDA01F40F0000E8070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4084) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 4000000000000000FE6ADE28319BDA01F40F000044080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
32
Suspicious files
13
Text files
2
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4000 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 4000 | msiexec.exe | C:\Windows\Installer\108f70.msi | executable | |
MD5:A6380D8572F801074F02E81F81202DA6 | SHA256:520DBA0BF549E79BF4D1AF4C9AA92EA14B46D5FDA56416DA5358DA11D13867EC | |||
| 4000 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{eefa04a1-1803-4f0c-95f9-f6341ba2cb02}_OnDiskSnapshotProp | binary | |
MD5:04679A52813AB252DBC24A816F2621F0 | SHA256:48249B8F6ABED5039A658140D9B7B78A3D2DDA158BCF51DA85FFFEA0114137DE | |||
| 4000 | msiexec.exe | C:\Program Files\Image Sort\DynamicData.dll | executable | |
MD5:0B6937362CE2549FC4DDD2736207346D | SHA256:C40DB5B6E03FA916D665B03DC68A1BFDAA79B370ED35CFD1E5DBBE20060AC0DF | |||
| 4000 | msiexec.exe | C:\Program Files\Image Sort\AdonisUI.ClassicTheme.dll | executable | |
MD5:9E7A433FDB407CF63BC52CBB2657994A | SHA256:89B75CDF263A4BFC81399CAF3C98255C4C16307172DC7702CBBDB2B0BD0BAE61 | |||
| 4000 | msiexec.exe | C:\Windows\Installer\108f71.ipi | binary | |
MD5:E4E5A0DC031724F4334A474F5955389E | SHA256:9B8972422298128EBB46FE6AF4F6E70383924D32084CD90DA9E86DAE56385885 | |||
| 4000 | msiexec.exe | C:\Windows\Installer\MSI9646.tmp | binary | |
MD5:73C7C9FBED434002A490AA7C2DE0B8C1 | SHA256:D95E4B81DA2FFF2C96AD3AB1E20BEF84AF83204BE4078B7C64E2D08A60D620A5 | |||
| 4000 | msiexec.exe | C:\Program Files\Image Sort\Image Sort.pdb | binary | |
MD5:CFD923F249F012FA2227B2351B32389D | SHA256:C6887A60E7ABD99EB82DA837833D16E7288DDD58B530750E8982677E6FCEE670 | |||
| 4000 | msiexec.exe | C:\Program Files\Image Sort\ImageSort.WindowsUpdater.pdb | binary | |
MD5:7B0548013EC2828AC2385C978B77CDDD | SHA256:CE86D3449343CD889C767831180AD8497BF14002EA493E92ECA7870673F6B2A7 | |||
| 4000 | msiexec.exe | C:\Program Files\Image Sort\ImageSort.Localization.dll | executable | |
MD5:E302AC51A81FA79836E2F29E85A9C65A | SHA256:8E25E5C9F67524032F9984304B28BD8D7EE4F11AD33737DF7C9373779F8CCBB9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
Image Sort.exe | You must install .NET to run this application.
App: C:\Program Files\Image Sort\Image Sort.exe
Architecture: x86
App host version: 8.0.4
.NET location: Not found
Learn more:
https://aka.ms/dotnet/app-launch-failed
Download the .NET runtime:
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win-x86&os=win7&apphost_version=8.0.4 |