File name:

81b73.msi

Full analysis: https://app.any.run/tasks/1aa7f6e6-3b96-4db0-8185-f74df89d599d
Verdict: Malicious activity
Analysis date: November 14, 2023, 06:32:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {3EC57D06-013F-4180-9922-FE5C74B65FE6}, Number of Words: 10, Subject: Browser Assistant, Author: Realistic Media Inc., Name of Creating Application: Advanced Installer 15.8 build b14c769f44, Template: ;1033, Comments: This installer database contains the logic and data required to install Browser Assistant., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

1528B593F65BCBCA9A88663AC528510F

SHA1:

2528591984935CC3290AAC4931CDBA8DCA580BFB

SHA256:

69925C370A71B0BC37EB5D6381E8FC3309A7E71A7BDADE54233214C73C728170

SSDEEP:

196608://Jwrsfnmos+6n03JMfFCoyIfiyKmZ2AbyILoGeHwXVECuX:nJwrsfmZ05MMoamZ22yILoGfXJuX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 2412)
      • powershell.exe (PID: 2992)
    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 2784)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 1088)
      • 7za.exe (PID: 2840)
  • SUSPICIOUS

    • Reads the Internet Settings

      • msiexec.exe (PID: 2700)
      • powershell.exe (PID: 1584)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2952)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 1088)
    • The process executes Powershell scripts

      • msiexec.exe (PID: 2784)
    • The process hide an interactive prompt from the user

      • msiexec.exe (PID: 2784)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 2784)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 2784)
    • Drops 7-zip archiver for unpacking

      • msiexec.exe (PID: 1088)
    • Uses TASKKILL.EXE to kill process

      • powershell.exe (PID: 2412)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 1088)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 1088)
    • Unusual connection from system programs

      • powershell.exe (PID: 1584)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2700)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 2992)
      • powershell.exe (PID: 2412)
    • Checks supported languages

      • msiexec.exe (PID: 1088)
      • msiexec.exe (PID: 2784)
      • 7za.exe (PID: 2840)
    • Reads the computer name

      • msiexec.exe (PID: 1088)
      • msiexec.exe (PID: 2784)
      • 7za.exe (PID: 2840)
    • Create files in a temporary directory

      • msiexec.exe (PID: 2700)
      • msiexec.exe (PID: 2784)
      • powershell.exe (PID: 1584)
      • powershell.exe (PID: 2412)
      • msiexec.exe (PID: 1088)
      • powershell.exe (PID: 2992)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 2700)
      • msiexec.exe (PID: 1088)
      • 7za.exe (PID: 2840)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1088)
      • msiexec.exe (PID: 2784)
    • Reads Environment values

      • msiexec.exe (PID: 2784)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {3EC57D06-013F-4180-9922-FE5C74B65FE6}
Words: 10
Subject: Browser Assistant
Author: Realistic Media Inc.
LastModifiedBy: -
Software: Advanced Installer 15.8 build b14c769f44
Template: ;1033
Comments: This installer database contains the logic and data required to install Browser Assistant.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
9
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
1088C:\Windows\system32\msiexec.exe /VC:\Windows\System32\msiexec.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1584 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssD7F9.tmp.ps1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2412 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssE1E0.tmp.ps1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2448"C:\Windows\system32\taskkill.exe" /F /pid C:\Windows\SysWOW64\taskkill.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2700"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\81b73.msi"C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2784C:\Windows\syswow64\MsiExec.exe -Embedding A1BB27B6F358590E246C17DF05DBC1FCC:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2840"C:\Users\admin\AppData\Roaming/Browser Assistant/7za.exe" x Data2.7z -y -p1.41.1302.28794C:\Users\admin\AppData\Roaming\Browser Assistant\7za.exepowershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Standalone Console
Exit code:
0
Version:
19.00
Modules
Images
c:\users\admin\appdata\roaming\browser assistant\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2952C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2992 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssEE58.tmp.ps1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
7 277
Read events
7 229
Write events
43
Delete events
5

Modification events

(PID) Process:(2700) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000C42CD6BE4EB0D9014C0F0000380F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000C42CD6BE4EB0D9014C0F0000380F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
66
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
480000000000000080A00ABF4EB0D9014C0F0000380F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Leave)
Value:
4800000000000000A4CA79C04EB0D9014C0F0000380F0000D30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppAddInterestingComponents (Enter)
Value:
4800000000000000A4CA79C04EB0D9014C0F0000380F0000D40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppAddInterestingComponents (Leave)
Value:
4800000000000000CE3F8FC04EB0D9014C0F0000380F0000D40700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Leave)
Value:
48000000000000000CAEE5C24EB0D9014C0F0000380F0000D00700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1088) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Leave)
Value:
48000000000000006610E8C24EB0D9014C0F0000380F0000D50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
61
Suspicious files
67
Text files
2 085
Unknown types
0

Dropped files

PID
Process
Filename
Type
1088msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1088msiexec.exeC:\Windows\Installer\19d3b1.msi
MD5:
SHA256:
2784msiexec.exeC:\Users\admin\AppData\Local\Temp\msiD7E7.tmp.txt
MD5:
SHA256:
2784msiexec.exeC:\Users\admin\AppData\Local\Temp\pssD7E8.tmp.ps1
MD5:
SHA256:
2784msiexec.exeC:\Users\admin\AppData\Local\Temp\pssD7F9.tmp.ps1
MD5:
SHA256:
2784msiexec.exeC:\Users\admin\AppData\Local\Temp\msiE1CF.tmp.txt
MD5:
SHA256:
2784msiexec.exeC:\Users\admin\AppData\Local\Temp\pssE1DF.tmp.ps1
MD5:
SHA256:
2784msiexec.exeC:\Users\admin\AppData\Local\Temp\pssE1E0.tmp.ps1
MD5:
SHA256:
2700msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:F3441B8572AAE8801C04F3060B550443
SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
2700msiexec.exeC:\Users\admin\AppData\Local\Temp\CabB3B6.tmpcompressed
MD5:F3441B8572AAE8801C04F3060B550443
SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2700
msiexec.exe
GET
200
34.229.33.15:80
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt
US
binary
1.48 Kb
unknown
2700
msiexec.exe
GET
200
23.32.238.178:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?16a5120acdc97ea5
DE
compressed
61.6 Kb
unknown
1584
powershell.exe
POST
200
13.32.118.218:80
http://d1ph3c47yby10w.cloudfront.net/
US
binary
19 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
324
svchost.exe
224.0.0.252:5355
unknown
1956
svchost.exe
239.255.255.250:1900
whitelisted
2700
msiexec.exe
34.229.33.15:80
www.ssl.com
AMAZON-AES
US
unknown
2700
msiexec.exe
23.32.238.178:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1584
powershell.exe
13.32.118.218:80
d1ph3c47yby10w.cloudfront.net
AMAZON-02
US
unknown

DNS requests

Domain
IP
Reputation
www.ssl.com
  • 34.229.33.15
  • 18.205.123.191
unknown
ctldl.windowsupdate.com
  • 23.32.238.178
  • 23.32.238.232
  • 23.32.238.224
  • 23.32.238.171
  • 23.32.238.240
  • 23.32.238.226
  • 23.32.238.219
  • 23.32.238.169
  • 23.32.238.241
whitelisted
d1ph3c47yby10w.cloudfront.net
  • 13.32.118.218
  • 13.32.118.131
  • 13.32.118.75
  • 13.32.118.166
unknown

Threats

No threats detected
No debug info