File name:

DastineInstaller.msi

Full analysis: https://app.any.run/tasks/b683326f-6edf-4b7a-b578-747663381c9d
Verdict: Malicious activity
Analysis date: February 19, 2024, 08:13:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {043231E6-604C-426F-A925-A09D47342F82}, Number of Words: 2, Subject: Dastine, Author: Pendar Kooshk Imen, Name of Creating Application: Dastine, Template: ;1033, Comments: This installer database contains the logic and data required to install Dastine., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:

E0FED8DEAA7523A3E2AC41C9E1C5B4C2

SHA1:

D4533AB69C81271BF41B1BEB28E2A466760735EE

SHA256:

7D5ED5909446261A8258D2BDDE5369283ABEF017012E427774F42CF182D10D98

SSDEEP:

98304:ENeMo0c4nl2OV3YtatngU/ziW/PZLypvsEt0vDZD56ebfzjk/8PWeBmmQl87GXHU:Hm29vMcrOahWMO6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • msiexec.exe (PID: 2472)

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 2472)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 3848)

  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2020:09:18 14:06:51
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {043231E6-604C-426F-A925-A09D47342F82}
Words: 2
Subject: Dastine
Author: Pendar Kooshk Imen
LastModifiedBy: -
Software: Dastine
Template: ;1033
Comments: This installer database contains the logic and data required to install Dastine.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2472"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\DastineInstaller.msi"C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3848C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 467
Read events
1 348
Write events
119
Delete events
0

Modification events

(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000007442B09E0B63DA01080F00008C0C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000007442B09E0B63DA01080F0000980F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000007442B09E0B63DA01080F00006C0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000007442B09E0B63DA01080F000054070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000CEA4B29E0B63DA01080F000054070000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000CEA4B29E0B63DA01080F00006C0F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000CEA4B29E0B63DA01080F00008C0C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Leave)
Value:
40000000000000002807B59E0B63DA01080F0000980F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation:writeName:PROVIDER_BEGINPREPARE (Enter)
Value:
4000000000000000F2CE21A00B63DA01080F0000980F000001040000010000000000000000000000597D9510B3A609439C59934FE50D30C80000000000000000
(PID) Process:(3848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
Operation:writeName:PROVIDER_BEGINPREPARE (Leave)
Value:
4000000000000000F2CE21A00B63DA01080F0000980F000001040000000000000000000000000000597D9510B3A609439C59934FE50D30C80000000000000000
Executable files
7
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2472msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIF428.tmpexecutable
MD5:85B69B55118FFC36F03B4DB94F4DDC3D
SHA256:E9E32CB36C162EF4527C725ADF76857439C26D1A5653A484CE4547B36471BB8E
2472msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIF32C.tmpexecutable
MD5:85B69B55118FFC36F03B4DB94F4DDC3D
SHA256:E9E32CB36C162EF4527C725ADF76857439C26D1A5653A484CE4547B36471BB8E
2472msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIF417.tmpexecutable
MD5:85B69B55118FFC36F03B4DB94F4DDC3D
SHA256:E9E32CB36C162EF4527C725ADF76857439C26D1A5653A484CE4547B36471BB8E
2472msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIF2BC.tmpexecutable
MD5:85B69B55118FFC36F03B4DB94F4DDC3D
SHA256:E9E32CB36C162EF4527C725ADF76857439C26D1A5653A484CE4547B36471BB8E
2472msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIF449.tmpexecutable
MD5:85B69B55118FFC36F03B4DB94F4DDC3D
SHA256:E9E32CB36C162EF4527C725ADF76857439C26D1A5653A484CE4547B36471BB8E
2472msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIF30B.tmpexecutable
MD5:85B69B55118FFC36F03B4DB94F4DDC3D
SHA256:E9E32CB36C162EF4527C725ADF76857439C26D1A5653A484CE4547B36471BB8E
2472msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIF438.tmpexecutable
MD5:85B69B55118FFC36F03B4DB94F4DDC3D
SHA256:E9E32CB36C162EF4527C725ADF76857439C26D1A5653A484CE4547B36471BB8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2156
msiexec.exe
GET
304
23.32.238.210:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?17877333ae6fa208
unknown
unknown
2156
msiexec.exe
GET
200
2.17.100.200:80
http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCECbd0itGycRNWmlNOYB%2Bcq0%3D
unknown
binary
1.54 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
2156
msiexec.exe
212.16.70.8:443
pki.co.ir
Farhang Azma Communications Company LTD
IR
unknown
2156
msiexec.exe
23.32.238.210:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
2156
msiexec.exe
2.17.100.200:80
subca.ocsp-certum.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
pki.co.ir
  • 212.16.70.8
unknown
ctldl.windowsupdate.com
  • 23.32.238.210
  • 23.32.238.208
  • 23.32.238.209
  • 23.32.238.219
  • 23.32.238.195
  • 23.32.238.224
  • 23.32.238.218
  • 23.32.238.201
  • 23.32.238.217
whitelisted
subca.ocsp-certum.com
  • 2.17.100.200
  • 2.17.100.234
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
DastineInstaller.msi