analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ewgxyk.msi

Full analysis: https://app.any.run/tasks/4f62b4ee-f4e1-4628-9639-ce054b3b8530
Verdict: Malicious activity
Analysis date: November 08, 2018, 08:58:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
evasion
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:

CD16C24F80EE94A98A29496BC1A0BCEA

SHA1:

971B601750F7291DE24E7F43986DB3B3F0315745

SHA256:

591B52B0A340E6893EC42E27A3D635196A6B939EB0F2DA572BE0AD4B65DA723B

SSDEEP:

12288:JEZhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4ac1Uz6HzKfhHH:JEnRmJkcoQricOIQxiZY1iacSmYlH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2372)
      • MSIE77F.tmp (PID: 2044)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2372)

    • Creates files in the user directory

      • MSIE77F.tmp (PID: 2044)

    • Uses RUNDLL32.EXE to load library

      • MSIE77F.tmp (PID: 2044)

  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 2372)

    • Creates or modifies windows services

      • msiexec.exe (PID: 2372)
      • vssvc.exe (PID: 3480)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3480)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 2372)

    • Application was dropped or rewritten from another process

      • MSIE77F.tmp (PID: 2044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
Words: -
Pages: 100
ModifyDate: 2013:05:21 11:56:44
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
LastModifiedBy: devuser
Template: ;0
Comments: -
Keywords: -
Author: www.exetomsi.com
Subject: -
Title: Exe to msi converter free
Software: Windows Installer
CreateDate: 2012:09:21 09:56:09
LastPrinted: 2012:09:21 09:56:09
CodePage: Windows Latin 1 (Western European)
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msie77f.tmp rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3556"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\ewgxyk.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2372C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3480C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2508DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000060" "000005B0"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2044"C:\Windows\Installer\MSIE77F.tmp"C:\Windows\Installer\MSIE77F.tmp
msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Version:
3, 3, 8, 1
2076"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeMSIE77F.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
546
Read events
344
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
6
Text files
123
Unknown types
0

Dropped files

PID
Process
Filename
Type
2372msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2508DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:99DB7FAABD66664DB7206412FB0FA297
SHA256:5A79F4BA81E6DA3360AC2E3CEF9D3DFF1F5B747BB48E4DDDD7D8649D2AE18CD4
2508DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:80B77BD9EC39520E5F07B2BF31E363F3
SHA256:5358BA868639D8703C840259DBC92E99AD90507C3525B0613A78F065070C16B5
2372msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{c5ee5e13-999c-4e64-b5c6-3f25bf956a8b}_OnDiskSnapshotPropbinary
MD5:BA75BA887C3C4ED256A6F389FD04AEC9
SHA256:8D14DB6AAFDBDF86C207FBA663F942E2512F6FA8705C293691EDAFCD4E6C6271
2372msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:BA75BA887C3C4ED256A6F389FD04AEC9
SHA256:8D14DB6AAFDBDF86C207FBA663F942E2512F6FA8705C293691EDAFCD4E6C6271
2508DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:B6CE657F1A8C54A457CF1EAD6333D59A
SHA256:801183C7185904B7B791CB0E6458CA4901517615D98D747E101844CB9861F85A
2372msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF595DB09861BCD9E9.TMP
MD5:
SHA256:
3480vssvc.exeC:
MD5:
SHA256:
2372msiexec.exeC:\Windows\Installer\5ddb77.msiexecutable
MD5:CD16C24F80EE94A98A29496BC1A0BCEA
SHA256:591B52B0A340E6893EC42E27A3D635196A6B939EB0F2DA572BE0AD4B65DA723B
2372msiexec.exeC:\Windows\Installer\5ddb79.ipibinary
MD5:B1C152F0D520D9AD7C0FCB9FF3352E15
SHA256:2BD5360811C15ED96DCC0C4C539D1DE61CE3A5CDEE59D5C28B103AB486FA99D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2044
MSIE77F.tmp
104.25.210.99:443
ipapi.co
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
ipapi.co
  • 104.25.210.99
  • 104.25.209.99
shared

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ewgxyk.msi