analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

SMB2.jpg

Full analysis: https://app.any.run/tasks/1352feb3-7cbe-4b22-8046-1f26d7220633
Verdict: Malicious activity
Analysis date: October 29, 2019, 06:56:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 936, Revision Number: {54900365-375C-422E-B1C5-97195DCA50E3}, Number of Words: 2, Subject: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH, Author: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH, Name of Creating Application: Advanced Installer 16.3 build ee189028, Template: ;2052, Comments: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH , Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

4658DDC4E03F0003F590666AB73261E3

SHA1:

820D49D231F14F31C1689B6EB9D8B1C0583748F4

SHA256:

5E45545B7DD0AF0EF81BEE46477D41C80B6C866A4435E67306BB3C0F4F600651

SSDEEP:

49152:+mxZBWV19qV2wyFFKHh9ZU16EhD2s0VhKH3dLE4wJ9tROy5Ig9S:vJGKHh9nk5H3xE4wVRnd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Disables Windows Defender

      • msiexec.exe (PID: 516)

  • SUSPICIOUS

    • Reads Environment values

      • MsiExec.exe (PID: 2748)

    • Creates files in the Windows directory

      • msiexec.exe (PID: 516)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 516)

    • Creates or modifies windows services

      • netsh.exe (PID: 3704)

    • Uses NETSH.EXE for network configuration

      • MsiExec.exe (PID: 3244)

  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2748)

    • Application launched itself

      • msiexec.exe (PID: 516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Pages: 200
Keywords: Installer, MSI, Database
Title: Installation Database
Comments: ?˰?װ???ݿ??????˰?װ FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH ???????߼??????ݡ?
Template: ;2052
Software: Advanced Installer 16.3 build ee189028
LastModifiedBy: -
Author: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH
Subject: FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH
Words: 2
RevisionNumber: {54900365-375C-422E-B1C5-97195DCA50E3}
CodePage: Windows Simplified Chinese (PRC, Singapore)
Security: None
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
89
Monitored processes
29
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs netsh.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2448"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\SMB2.jpg.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
516C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2748C:\Windows\system32\MsiExec.exe -Embedding C1D0AD962481C976B68EF5AD1551F3DBC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3244C:\Windows\system32\MsiExec.exe -Embedding 3E9F7D5F8CA1A80E526EBA8FDFA477A0 M Global\MSI0000C:\Windows\system32\MsiExec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1036"C:\Windows\System32\netsh.exe" interface ipv6 installC:\Windows\System32\netsh.exeMsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4064"C:\Windows\System32\netsh.exe" ipsec static add policy name=qianyeC:\Windows\System32\netsh.exeMsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2344"C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1C:\Windows\System32\netsh.exeMsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1012"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCPC:\Windows\System32\netsh.exeMsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2772"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCPC:\Windows\System32\netsh.exeMsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1504"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCPC:\Windows\System32\netsh.exeMsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 866
Read events
561
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
3
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
516msiexec.exeC:\Windows\Installer\MSIADDF.tmp
MD5:
SHA256:
516msiexec.exeC:\Windows\Installer\MSIAE0F.tmp
MD5:
SHA256:
516msiexec.exeC:\Windows\Installer\MSIAE20.tmp
MD5:
SHA256:
516msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF2D2BA2914FAA0E4A.TMP
MD5:
SHA256:
516msiexec.exeC:\Config.Msi\39a98c.rbs
MD5:
SHA256:
516msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF23F75C80B674617E.TMP
MD5:
SHA256:
516msiexec.exeC:\Windows\Installer\MSIAECC.tmpbinary
MD5:3490688D8974E2133B72A1019AE897AC
SHA256:AFC7A7908DF93A28DA5F8E8C55EE5890B26111E8E2350139CA20D7BD6BB98E85
516msiexec.exeC:\Windows\sysupdate.logbinary
MD5:28B9D10FC3C7F9A107ADE095CDB236F1
SHA256:33600F3C20CE2F8FCB7102F58281B91A75F413E728F7F885D09B58AE09EACE6E
516msiexec.exeC:\Windows\winupdate32.logexecutable
MD5:77901A244FE32FAD8498F4ADF9650638
SHA256:1F1BB1B05DEAD3F371A03367175786299DB9004C2251435BAEE206C2643F7672
516msiexec.exeC:\Windows\Installer\39a989.msiexecutable
MD5:4658DDC4E03F0003F590666AB73261E3
SHA256:5E45545B7DD0AF0EF81BEE46477D41C80B6C866A4435E67306BB3C0F4F600651
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SMB2.jpg