analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Sii0909098761234114.msi

Full analysis: https://app.any.run/tasks/ded5169b-90c4-4855-a5a4-d17817892d4f
Verdict: Malicious activity
Analysis date: August 13, 2019, 19:08:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {EF039855-95DA-4F53-B8CB-552320887DD9}, Number of Words: 10, Subject: Archivo, Author: Principal, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1027, Comments: La base de dades del installador cont la lgica i les dades necessries per installar Archivo.
MD5:

69BF9FAB7277A08DB19E049E4B16695D

SHA1:

1127D9025DE9E42F11E3FA31C157E9E3AF78D11D

SHA256:

75E4C68705063E0CEAD0028B63D02FECFC91301A776D24E3E58E858063D79302

SSDEEP:

196608:jE3msQOTE4GyNB0Fa3mVUr8Ejl4OPbYsZJK7eoc:g3m4TEyNB0gI+9jYwWX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1512)
      • QVTA5974HI2IH.exe (PID: 3688)

    • Application was dropped or rewritten from another process

      • QVTA5974HI2IH.exe (PID: 3688)

    • Changes the autorun value in the registry

      • QVTA5974HI2IH.exe (PID: 3688)

  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 1484)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3652)

    • Executed via COM

      • DrvInst.exe (PID: 3060)

    • Disables Form Suggestion in IE

      • QVTA5974HI2IH.exe (PID: 3688)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1484)

    • Searches for installed software

      • msiexec.exe (PID: 3652)

    • Application launched itself

      • msiexec.exe (PID: 3652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Comments: La base de dades del instal·lador conté la lògica i les dades necessàries per instal·lar Archivo.
Template: ;1027
Software: Advanced Installer 12.2.1 build 64247
LastModifiedBy: -
Author: Principal
Subject: Archivo
Words: 10
RevisionNumber: {EF039855-95DA-4F53-B8CB-552320887DD9}
CodePage: Windows Latin 1 (Western European)
Security: None
Pages: 200
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
Keywords: Installer, MSI, Database
Title: Installation Database
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs qvta5974hi2ih.exe searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2488"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Sii0909098761234114.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3652C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1484C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3060DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005DC" "00000578"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3244C:\Windows\system32\MsiExec.exe -Embedding DDF5F4FCDFA15EA091A33CA4A700E1C1C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3688"C:\Users\admin\Documents\QVTA5974HI2IH.exe"C:\Users\admin\Documents\QVTA5974HI2IH.exe
msiexec.exe
User:
admin
Company:
VMware, Inc.
Integrity Level:
MEDIUM
Description:
VMware NAT Service
Version:
12.5.6 build-5528349
1512"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Total events
505
Read events
324
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
6
Text files
55
Unknown types
0

Dropped files

PID
Process
Filename
Type
3652msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3652msiexec.exeC:\Windows\Installer\372639.msi
MD5:
SHA256:
3652msiexec.exeC:\Windows\Installer\MSI29A5.tmp
MD5:
SHA256:
3652msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFDF2DDE43514ECFE5.TMP
MD5:
SHA256:
3060DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:8F761032829FB6121AEE77E26DC667A6
SHA256:F83E1592023B7C8F6C15847F26D30770C0A52E6C7304DBA951EEA437E2737649
3060DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:AF215E34D00F19F406D064CB13407114
SHA256:50EFBBA318045A5C270C7ABE975B6575B55002E2A49E86E5E43261CCF69C92AE
3652msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:7BB96DEEEF7C63C39C7D3E997F4FBE50
SHA256:A691666C7F274D3F9758E22EB5476A4836326CBF8FEA8A8013A961A53999A844
3652msiexec.exeC:\Config.Msi\37263c.rbs
MD5:
SHA256:
3652msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF732150D332154814.TMP
MD5:
SHA256:
1484vssvc.exeC:
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
QVTA5974HI2IH.exe
CodeSet_Init: no ICU
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Sii0909098761234114.msi