File name:

run.msi

Full analysis: https://app.any.run/tasks/64515381-f596-408a-96ac-a6bb8b9c9b3d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 21, 2019, 11:52:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
opendir
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {2622B2D2-0293-4E19-A4BE-590CF4C9B544}, Number of Words: 10, Subject: Caff, Author: Caff, Name of Creating Application: Advanced Installer 14.4 build 82383, Template: ;1033, Comments: This installer database contains the logic and data required to install Caff., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

1D7B8B1FBF676329A7A9A2D03DBB5877

SHA1:

446B6527EC4F1E145579A10B6DDE973CAC0137FB

SHA256:

7200D5C19A1F4110E45D5E5588F3952355059AC73D8826509511B0E042771619

SSDEEP:

24576:fCcYknjfVAsskAjBlAU0tPV9qbvU6GE+QZK/pcZXyqz91mbWWBaG:fCcYkjfVvskAjTAU0FVMNnhKyZ3yjBaG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • msiexec.exe (PID: 2672)
      • cmd.exe (PID: 3188)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 4084)
    • Downloads executable files from IP

      • chrome.exe (PID: 4084)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2816)
      • msiexec.exe (PID: 2672)
      • chrome.exe (PID: 4084)
      • extrac32.exe (PID: 2416)
    • Creates files in the user directory

      • msiexec.exe (PID: 2672)
      • mshta.exe (PID: 2760)
      • wscript.exe (PID: 3280)
      • extrac32.exe (PID: 2416)
      • wscript.exe (PID: 3348)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2816)
    • Starts Microsoft Installer

      • chrome.exe (PID: 2816)
    • Executes scripts

      • MSID979.tmp (PID: 3124)
      • cmd.exe (PID: 2176)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • chrome.exe (PID: 2816)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3348)
      • mshta.exe (PID: 2760)
  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3940)
      • MsiExec.exe (PID: 2944)
    • Application launched itself

      • msiexec.exe (PID: 2672)
      • chrome.exe (PID: 2816)
    • Reads settings of System Certificates

      • chrome.exe (PID: 4084)
    • Reads internet explorer settings

      • mshta.exe (PID: 2760)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 2672)
    • Application was dropped or rewritten from another process

      • MSID979.tmp (PID: 3124)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {2622B2D2-0293-4E19-A4BE-590CF4C9B544}
Words: 10
Subject: Caff
Author: Caff
LastModifiedBy: -
Software: Advanced Installer 14.4 build 82383
Template: ;1033
Comments: This installer database contains the logic and data required to install Caff.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
All screenshots are available in the full report
Total processes
77
Monitored processes
35
Malicious processes
4
Suspicious processes
3

Behavior graph

(Graph image available in the full report. The process chain it shows runs from msiexec.exe through chrome.exe, msid979.tmp, wscript.exe, mshta.exe, cmd.exe, PhotoViewer.dll, shutdown.exe, extrac32.exe, explorer.exe and rundll32.exe.)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3464
CMD:
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\run.msi"
Path:
C:\Windows\System32\msiexec.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
PID:
2672
CMD:
C:\Windows\system32\msiexec.exe /V
Path:
C:\Windows\system32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
PID:
3940
CMD:
C:\Windows\system32\MsiExec.exe -Embedding A47D9F0F9EAD51C9C1A4DC0E24170805
Path:
C:\Windows\system32\MsiExec.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
PID:
2816
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe"
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
73.0.3683.75
PID:
3516
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f150f18,0x6f150f28,0x6f150f34
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
PID:
856
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2832 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
PID:
3748
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16779339042617556181 --mojo-platform-channel-handle=952 --ignored=" --type=renderer " /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
PID:
4084
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15351000550379488359 --mojo-platform-channel-handle=1516 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
PID:
2268
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --service-pipe-token=7661315324452360898 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7661315324452360898 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
PID:
2644
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,3323325876109207577,9460580090475254303,131072 --enable-features=PasswordImport --service-pipe-token=3662909965808991373 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3662909965808991373 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Total events
2 519
Read events
2 328
Write events
0
Delete events
0

Modification events

No data
Executable files
10
Suspicious files
72
Text files
170
Unknown types
26

Dropped files

PID
Process
Filename
Type
2672
msiexec.exe
C:\Windows\Installer\MSIAB1.tmp

2672
msiexec.exe
C:\Windows\Installer\MSIAE1.tmp

2672
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFA3B688CFCB423F97.TMP

2672
msiexec.exe
C:\Windows\Installer\10094b.ipi

2672
msiexec.exe
C:\Windows\Installer\MSIB7F.tmp

2672
msiexec.exe
C:\Windows\Installer\MSIB9F.tmp

2672
msiexec.exe
C:\Windows\Installer\MSIB5F.tmp

2672
msiexec.exe
C:\Config.Msi\10094c.rbs

2672
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF4A11990AD40D6834.TMP

2816
chrome.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4084
chrome.exe
GET
200
87.247.155.64:80
http://87.247.155.64/nc.msi
GB
executable
835 Kb
suspicious
4084
chrome.exe
GET
200
87.247.155.64:80
http://87.247.155.64/
GB
html
1.21 Kb
suspicious
4084
chrome.exe
GET
302
172.217.23.174:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
506 b
whitelisted
4084
chrome.exe
GET
200
173.194.183.103:80
http://r2---sn-aigl6nek.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=194.187.251.125&mm=28&mn=sn-aigl6nek&ms=nvh&mt=1553169143&mv=m&pl=24&shardbypass=yes
US
crx
842 Kb
whitelisted
4084
chrome.exe
GET
200
87.247.155.64:80
http://87.247.155.64/ReservationFlight233212.hta
GB
html
1.61 Mb
suspicious
4084
chrome.exe
GET
404
87.247.155.64:80
http://87.247.155.64/favicon.ico
GB
xml
1.16 Kb
suspicious
4084
chrome.exe
GET
200
87.247.155.64:80
http://87.247.155.64/icons/unknown.gif
GB
image
245 b
suspicious
4084
chrome.exe
GET
200
87.247.155.64:80
http://87.247.155.64/icons/blank.gif
GB
image
148 b
suspicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4084
chrome.exe
172.217.23.174:80
redirector.gvt1.com
Google Inc.
US
whitelisted
4084
chrome.exe
216.58.208.35:443
www.gstatic.com
Google Inc.
US
whitelisted
4084
chrome.exe
172.217.23.131:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
4084
chrome.exe
216.58.210.4:443
www.google.com
Google Inc.
US
whitelisted
4084
chrome.exe
172.217.22.110:443
sb-ssl.google.com
Google Inc.
US
whitelisted
4084
chrome.exe
216.58.207.46:443
apis.google.com
Google Inc.
US
whitelisted
4084
chrome.exe
172.217.18.13:443
accounts.google.com
Google Inc.
US
whitelisted
4084
chrome.exe
216.58.207.35:443
ssl.gstatic.com
Google Inc.
US
whitelisted
4084
chrome.exe
173.194.183.103:80
r2---sn-aigl6nek.gvt1.com
Google Inc.
US
whitelisted
4084
chrome.exe
87.247.155.64:80
GB
suspicious

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.23.131
whitelisted
www.google.com
  • 216.58.210.4
whitelisted
accounts.google.com
  • 172.217.18.13
shared
ssl.gstatic.com
  • 216.58.207.35
whitelisted
www.gstatic.com
  • 216.58.208.35
whitelisted
apis.google.com
  • 216.58.207.46
whitelisted
clients2.google.com
  • 216.58.207.46
whitelisted
redirector.gvt1.com
  • 172.217.23.174
whitelisted
r2---sn-aigl6nek.gvt1.com
  • 173.194.183.103
whitelisted
sb-ssl.google.com
  • 172.217.22.110
whitelisted

Threats

PID
Process
Class
Message
4084
chrome.exe
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
No debug info