Malware analysis 123.msi Malicious activity | ANY.RUN

Add for printing

File name:	123.msi
Full analysis:	https://app.any.run/tasks/a6f226de-916c-4696-8984-b2ef66f32816
Verdict:	Malicious activity
Analysis date:	April 25, 2019, 12:56:29
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Orange Heap, Author: Mikalai Kalpinski, Keywords: Installer, Comments: This installer database contains the logic and data required to install Orange Heap., Template: Intel;1049, Revision Number: {78BD0E71-C2C8-4D59-B8A1-312C2113C584}, Create Time/Date: Wed Jun 6 09:32:38 2012, Last Saved Time/Date: Wed Jun 6 09:32:38 2012, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 2
MD5:	5DD480E2FF9FBA53A1ACAD8BCF80A184
SHA1:	B2799D68F70C04E5BDC20684DC29922C215A1E60
SHA256:	5C5F6A2B329E8EA9CE7EC6FAB25E2DC574FBB817375A057B8999E95FE64C9DD1
SSDEEP:	49152:d39GHHHDIVPYRnuEMX27gWAaHZBUmVS28:dNGnHDJxZ7UmV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - OrangeHeap.exe (PID: 4044)
- Loads dropped or rewritten executable
  - OrangeHeap.exe (PID: 4044)
SUSPICIOUS
- Creates files in the user directory
  - msiexec.exe (PID: 2184)
  - MsiExec.exe (PID: 2440)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 2184)
- Application launched itself
  - taskmgr.exe (PID: 2724)
INFO
- Searches for installed software
  - msiexec.exe (PID: 2184)
- Changes settings of System certificates
  - DrvInst.exe (PID: 3564)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 4056)
- Application launched itself
  - msiexec.exe (PID: 2184)
- Adds / modifies Windows certificates
  - DrvInst.exe (PID: 3564)
- Creates files in the program directory
  - msiexec.exe (PID: 2184)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2184)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Orange Heap
Author:	Mikalai Kalpinski
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Orange Heap.
Template:	Intel;1049
RevisionNumber:	{78BD0E71-C2C8-4D59-B8A1-312C2113C584}
CreateDate:	2012:06:06 08:32:38
ModifyDate:	2012:06:06 08:32:38
Pages:	200
Words:	2
Software:	Windows Installer XML (3.5.2519.0)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2956	"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\123.msi"	C:\Windows\System32\msiexec.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2184	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2780	C:\Windows\system32\MsiExec.exe -Embedding E1B7DC18518CC7B1CE0318C48EDF815E C	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
4056	C:\Windows\system32\vssvc.exe	C:\Windows\system32\vssvc.exe	—	services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3564	DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC"	C:\Windows\system32\DrvInst.exe	—	svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3316	C:\Windows\system32\MsiExec.exe -Embedding 9FE6C4AD29C0E9A617C03C0E99271C03	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2440	C:\Windows\system32\MsiExec.exe -Embedding 000F42ADD05196A10A4D349682A4E531 M Global\MSI0000	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2724	"C:\Windows\system32\taskmgr.exe" /4	C:\Windows\system32\taskmgr.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2320	"C:\Windows\system32\taskmgr.exe" /1	C:\Windows\system32\taskmgr.exe		taskmgr.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4044	"C:\Program Files\Orange Heap\OrangeHeap.exe"	C:\Program Files\Orange Heap\OrangeHeap.exe	—	explorer.exe
User: admin Company: Mikalai Kalpinski Integrity Level: MEDIUM Description: OrangeHeap Version: 1.3.29.0

Add for printing

Total events

1 252

Read events

966

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

123

Unknown types

Dropped files

PID	Process	Filename		Type
2956	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI1A32.tmp		—
		MD5:—	SHA256:—
2184	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3564	DrvInst.exe	C:\Windows\INF\setupapi.ev3		binary
		MD5:76DCC60F78B3DFF1AE3627619074F465	SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
3564	DrvInst.exe	C:\Windows\INF\setupapi.dev.log		ini
		MD5:3CB61953D90C10E06C8037F7E495CD75	SHA256:F858A73052A16D58A5B51AD93538913A8EDE8FC41E0666A7CEB812CB0BAF1185
2184	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:D438DC1CC18C2475A5FAAEF9670EF6BD	SHA256:D362518B77F3F2E4D33D8CB53FE2AACD756607492A659829B8E82F3529B59CD3
3564	DrvInst.exe	C:\Windows\INF\setupapi.ev1		binary
		MD5:3AC55C42EB7419C5F353E063B15CB80F	SHA256:EF3E33DEED0B767701F0052554D2A674F7A02FB78E6458EAA21AE549ADDE8FD0
2184	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{4b15ad3e-8aeb-4fab-b1c7-cd2d14691870}_OnDiskSnapshotProp		binary
		MD5:D438DC1CC18C2475A5FAAEF9670EF6BD	SHA256:D362518B77F3F2E4D33D8CB53FE2AACD756607492A659829B8E82F3529B59CD3
2184	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DF29352CAEC2795EF8.TMP		—
		MD5:—	SHA256:—
4056	vssvc.exe	C:		—
		MD5:—	SHA256:—
2184	msiexec.exe	C:\Windows\Installer\135392.msi		executable
		MD5:5DD480E2FF9FBA53A1ACAD8BCF80A184	SHA256:5C5F6A2B329E8EA9CE7EC6FAB25E2DC574FBB817375A057B8999E95FE64C9DD1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

123.msi

5DD480E2FF9FBA53A1ACAD8BCF80A184

B2799D68F70C04E5BDC20684DC29922C215A1E60

5C5F6A2B329E8EA9CE7EC6FAB25E2DC574FBB817375A057B8999E95FE64C9DD1

49152:d39GHHHDIVPYRnuEMX27gWAaHZBUmVS28:dNGnHDJxZ7UmV

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Application launched itself

INFO

Searches for installed software

Changes settings of System certificates

Low-level read access rights to disk partition

Application launched itself

Adds / modifies Windows certificates

Creates files in the program directory

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings