File name: ALVARA-072.msi
Full analysis: https://app.any.run/tasks/ca970764-8278-451b-9592-afdb4844666b
Verdict: Malicious activity
Analysis date: October 25, 2024, 13:02:01
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
ateraagent
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: A232621B778A64163B77169820AD579E
SHA1: 252A8E0AA905AA1880161AB53AAEB54E345991A8
SHA256: 8C684BF0B13E4BC010D63490BD53593CD627BE43E8178117C80E4B836881DAD6
SSDEEP: 98304:iIZTffzvns6eLKLdpRwznfsJb+7J7ERXndiWaKzPtSjXmbABY/lT8vjkZBvrePVv:73XP9No

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ATERAAGENT has been detected (YARA)

      • msiexec.exe (PID: 6800)
      • msiexec.exe (PID: 1112)
    • Starts NET.EXE for service management

      • msiexec.exe (PID: 7960)
      • net.exe (PID: 7996)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6360)
    • Changes powershell execution policy (Bypass)

      • AgentPackageAgentInformation.exe (PID: 7824)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 1112)
      • msiexec.exe (PID: 6800)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 7668)
      • rundll32.exe (PID: 7816)
      • rundll32.exe (PID: 7892)
      • AteraAgent.exe (PID: 6956)
      • rundll32.exe (PID: 6720)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5976)
      • AteraAgent.exe (PID: 6956)
    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 7960)
    • Starts SC.EXE for service management

      • AteraAgent.exe (PID: 6956)
    • The process executes VB scripts

      • cmd.exe (PID: 7612)
    • Executes application which crashes

      • cscript.exe (PID: 7948)
    • Starts CMD.EXE for commands execution

      • AgentPackageAgentInformation.exe (PID: 7824)
    • The process executes Powershell scripts

      • cmd.exe (PID: 6300)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6300)
      • AgentPackageAgentInformation.exe (PID: 7824)
  • INFO

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1112)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1112)
    • Checks proxy server information

      • msiexec.exe (PID: 1112)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6800)
    • Manages system restore points

      • SrTasks.exe (PID: 7472)
    • Reads the software policy settings

      • msiexec.exe (PID: 1112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: AteraAgent
Author: Atera networks
Keywords: Installer
Comments: This installer database contains the logic and data required to install AteraAgent.
Template: Intel;1033
RevisionNumber: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}
CreateDate: 2024:02:28 10:52:02
ModifyDate: 2024:02:28 10:52:02
Pages: 200
Words: 6
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
Total processes: 169
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 2

Behavior graph

start #ATERAAGENT msiexec.exe no specs #ATERAAGENT msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs taskkill.exe no specs conhost.exe no specs ateraagent.exe no specs ateraagent.exe rundll32.exe sc.exe no specs conhost.exe no specs agentpackageagentinformation.exe no specs conhost.exe no specs agentpackageagentinformation.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cscript.exe werfault.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1112
CMD:
"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\ALVARA-072.msi
Path:
C:\Windows\System32\msiexec.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1700
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
3508
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
5516
CMD:
powershell.exe -File "C:\Program Files\Microsoft Office\Office16\vNextDiag.ps1"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
5580
CMD:
"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Path:
C:\Windows\System32\sc.exe
Parent process:
AteraAgent.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
5976
CMD:
C:\WINDOWS\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6300
CMD:
"cmd.exe" /c powershell.exe -File "C:\Program Files\Microsoft Office\Office16\vNextDiag.ps1"
Path:
C:\Windows\System32\cmd.exe
Parent process:
AgentPackageAgentInformation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
6360
CMD:
"powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
AgentPackageAgentInformation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
6720
CMD:
rundll32.exe "C:\WINDOWS\Installer\MSI51F3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_610859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Path:
C:\Windows\SysWOW64\rundll32.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
PID:
6800
CMD:
C:\WINDOWS\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
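The command lines captured above are enough to re-derive several of the report's behavioural signatures without the sandbox. The Python below is an added example, not ANY.RUN's signature logic and not Atera's code: the PROCESSES list is transcribed from the Process information section, and the rule names and predicates are this example's own assumptions about what each behaviour looks like on a command line. The `zzzzInvokeManagedCustomActionOutOfProc` export is the WiX Deployment Tools Foundation (DTF) SfxCA entry point that msiexec hands to rundll32 to run a managed custom action out of process; the pattern is useful because any .NET custom action, benign or not, surfaces this way.

```python
"""Re-derive behavioural indicators from the process command lines in this report.

Added example: not ANY.RUN signature logic and not Atera code. PROCESSES is
transcribed from the Process information section; RULES and their names are
this example's own assumptions about what each behaviour looks like.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # executable name
    cmd: str      # full command line as captured
    parent: str   # parent executable name
    user: str     # account the process ran as


# Transcribed from the report: (PID, image, command line, parent, user).
PROCESSES = [
    Proc(1112, "msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\ALVARA-072.msi',
         "explorer.exe", "admin"),
    Proc(6800, "msiexec.exe", r"C:\WINDOWS\system32\msiexec.exe /V", "services.exe", "SYSTEM"),
    Proc(6720, "rundll32.exe",
         r'rundll32.exe "C:\WINDOWS\Installer\MSI51F3.tmp",zzzzInvokeManagedCustomActionOutOfProc '
         r"SfxCA_610859 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd",
         "msiexec.exe", "admin"),
    Proc(5580, "sc.exe",
         r'"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000',
         "AteraAgent.exe", "SYSTEM"),
    Proc(6360, "powershell.exe", r'"powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser',
         "AgentPackageAgentInformation.exe", "SYSTEM"),
    Proc(6300, "cmd.exe",
         r'"cmd.exe" /c powershell.exe -File "C:\Program Files\Microsoft Office\Office16\vNextDiag.ps1"',
         "AgentPackageAgentInformation.exe", "SYSTEM"),
    Proc(5516, "powershell.exe",
         r'powershell.exe -File "C:\Program Files\Microsoft Office\Office16\vNextDiag.ps1"',
         "cmd.exe", "SYSTEM"),
    Proc(5976, "VSSVC.exe", r"C:\WINDOWS\system32\vssvc.exe", "services.exe", "SYSTEM"),
]

# (rule name, predicate). Names follow the report's wording where it has one.
RULES = [
    ("Changes powershell execution policy (Bypass)",
     lambda p: p.image.lower() == "powershell.exe"
               and re.search(r"set-executionpolicy\s+bypass", p.cmd, re.I) is not None),
    ("Starts SC.EXE for service management",
     lambda p: p.image.lower() == "sc.exe"),
    ("WiX DTF managed custom action loaded out-of-proc via rundll32",
     lambda p: p.image.lower() == "rundll32.exe"
               and "zzzzInvokeManagedCustomActionOutOfProc" in p.cmd
               and re.search(r"\\Installer\\MSI[0-9A-F]+\.tmp", p.cmd, re.I) is not None),
    # A SYSTEM shell whose parent is neither a shell nor the desktop: here the RMM agent package.
    ("SYSTEM-level agent spawning cmd.exe or powershell.exe",
     lambda p: p.user == "SYSTEM"
               and p.image.lower() in ("cmd.exe", "powershell.exe")
               and p.parent.lower() not in ("cmd.exe", "powershell.exe", "explorer.exe")),
]


def evaluate(procs=PROCESSES):
    """Return {rule name: sorted PIDs} for every rule that matched at least one process."""
    hits = {}
    for name, pred in RULES:
        pids = sorted(p.pid for p in procs if pred(p))
        if pids:
            hits[name] = pids
    return hits


def custom_action_entry(cmd):
    """(native stub path, managed entry point) from a DTF rundll32 command line, or None."""
    m = re.search(r'"([^"]+\.tmp)",zzzzInvokeManagedCustomActionOutOfProc\s+\S+\s+\d+\s+(\S+)', cmd)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for rule, pids in evaluate().items():
        print(f"{rule}: PIDs {pids}")
    print(custom_action_entry(PROCESSES[2].cmd))
```

Run as a script it prints which PIDs tripped each rule; the same predicates translate directly into Sysmon Event ID 1 or EDR command-line queries. Two of them deserve a caveat before they are used as alerts: the `Set-ExecutionPolicy Bypass` call and the `sc.exe failure ... actions= restart` configuration are ordinary steps of an Atera agent installation, so by themselves they say "an RMM agent was deployed", and whether that deployment was authorised is the question the sandbox cannot answer.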
Total events: 8 805
Read events: 8 651
Write events: 145
Delete events: 9

Modification events

(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
480000000000000098E8AD1ADE26DB01901A000074050000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
480000000000000098E8AD1ADE26DB01901A000074050000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000498CC11CDE26DB01901A000074050000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000498CC11CDE26DB01901A000074050000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000001CF1C31CDE26DB01901A000074050000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000DFB9C81CDE26DB01901A000074050000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
48000000000000004BE45E1DDE26DB01901A000074050000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6800) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
48000000000000005947611DDE26DB01901A0000200C0000E803000001000000000000000000000082983F24887C6C4199470D25A0291CF300000000000000000000000000000000
(PID) Process: (5976) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000BA3B6D1DDE26DB0158170000BC1B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 34
Suspicious files: 34
Text files: 22
Unknown types: 4

Dropped files

PID
Process
Filename
Type
PID: 6800
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:
PID: 1112
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Type: binary
MD5: 931CDC45E55EE617614978C2DC94D34B
SHA256: 63A5B54969AECF834C5CFB7737A976A299E3AAB6AE696C48FF8F571D1F479CA7
PID: 7668
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI2C05.tmp-\Newtonsoft.Json.dll
Type: executable
MD5: 715A1FBEE4665E99E859EDA667FE8034
SHA256: C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
PID: 1112
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: binary
MD5: 7C8E16D9AEDF42888A80C6D9D0794A7C
SHA256: 4865A3EC883F4F3570911C5CF827EA8CC81122AB6613944773DE4C8FBAFCD411
PID: 1112
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: F5DD53B33A4CC9C9A6DF77841E0CA947
SHA256: A12CE488EF21C3C1B36A781CE185A818245E9B49712F912702A73437C108146B
PID: 6800
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{243f9882-7c88-416c-9947-0d25a0291cf3}_OnDiskSnapshotProp
Type: binary
MD5: 3DD388CA699DDE83FA342006159F1C0A
SHA256: BF283D7EE38B9E8C21FF8F0A6D4EC03A241661E8C8C9B5174AABE65288B28542
PID: 7668
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI2C05.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Type: executable
MD5: 1A5CAEA6734FDD07CAA514C3F3FB75DA
SHA256: CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
PID: 7668
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI2C05.tmp-\CustomAction.config
Type: xml
MD5: BC17E956CDE8DD5425F2B2A68ED919F8
SHA256: E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
PID: 7816
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI325F.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Type: executable
MD5: 1A5CAEA6734FDD07CAA514C3F3FB75DA
SHA256: CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
PID: 6800
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI325F.tmp
Type: executable
MD5: 88D29734F37BDCFFD202EAFCDD082F9D
SHA256: 87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
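The dropped-file paths follow the WiX Deployment Tools Foundation (DTF) staging layout for managed custom actions: msiexec writes the native SfxCA stub from the MSI's Binary table to C:\Windows\Installer\MSIxxxx.tmp, rundll32 loads it, and the stub unpacks the custom-action assembly together with Microsoft.Deployment.WindowsInstaller.dll and CustomAction.config into %TEMP%\MSIxxxx.tmp-\ (same hex id, trailing hyphen). The Python below is an added example, not ANY.RUN's or Atera's code; DROPPED is transcribed from the table above, and the stub-to-staging-directory pairing rule is this example's assumption about what that layout implies.

```python
"""Correlate this report's dropped files with the WiX DTF custom-action staging layout.

Added example (not ANY.RUN or Atera code). DROPPED is transcribed from the
Dropped files table; the stub/staging pairing rule is this example's own.
"""
import re
from collections import defaultdict

# (pid, process, path, type, sha256); empty strings where the report recorded nothing.
DROPPED = [
    (6800, "msiexec.exe", r"C:\System Volume Information\SPP\metadata-2", "", ""),
    (1112, "msiexec.exe", r"C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944",
     "binary", "63A5B54969AECF834C5CFB7737A976A299E3AAB6AE696C48FF8F571D1F479CA7"),
    (7668, "rundll32.exe", r"C:\Users\admin\AppData\Local\Temp\MSI2C05.tmp-\Newtonsoft.Json.dll",
     "executable", "C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E"),
    (1112, "msiexec.exe", r"C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB",
     "binary", "4865A3EC883F4F3570911C5CF827EA8CC81122AB6613944773DE4C8FBAFCD411"),
    (1112, "msiexec.exe", r"C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141",
     "binary", "A12CE488EF21C3C1B36A781CE185A818245E9B49712F912702A73437C108146B"),
    (6800, "msiexec.exe", r"C:\System Volume Information\SPP\OnlineMetadataCache\{243f9882-7c88-416c-9947-0d25a0291cf3}_OnDiskSnapshotProp",
     "binary", "BF283D7EE38B9E8C21FF8F0A6D4EC03A241661E8C8C9B5174AABE65288B28542"),
    (7668, "rundll32.exe", r"C:\Users\admin\AppData\Local\Temp\MSI2C05.tmp-\Microsoft.Deployment.WindowsInstaller.dll",
     "executable", "CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA"),
    (7668, "rundll32.exe", r"C:\Users\admin\AppData\Local\Temp\MSI2C05.tmp-\CustomAction.config",
     "xml", "E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5"),
    (7816, "rundll32.exe", r"C:\Users\admin\AppData\Local\Temp\MSI325F.tmp-\Microsoft.Deployment.WindowsInstaller.dll",
     "executable", "CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA"),
    (6800, "msiexec.exe", r"C:\Windows\Installer\MSI325F.tmp",
     "executable", "87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF"),
]

# Native SfxCA stub written by msiexec, and a file inside the matching staging directory.
STUB_RE = re.compile(r"\\Installer\\(MSI[0-9A-F]{4})\.tmp$", re.I)
STAGE_RE = re.compile(r"\\(MSI[0-9A-F]{4})\.tmp-\\([^\\]+)$", re.I)


def by_hash(rows=DROPPED):
    """Group paths by SHA256 so a payload re-used across staging dirs shows up once."""
    groups = defaultdict(list)
    for _pid, _proc, path, _typ, sha in rows:
        if sha:
            groups[sha.lower()].append(path)
    return dict(groups)


def staging_dirs(rows=DROPPED):
    """Per MSIxxxx id: the stub path (if captured), staged file names, and writer PIDs."""
    out = defaultdict(lambda: {"stub": None, "payload": [], "writer_pids": set()})
    for pid, _proc, path, _typ, _sha in rows:
        if m := STUB_RE.search(path):
            out[m.group(1).upper()]["stub"] = path
        elif m := STAGE_RE.search(path):
            entry = out[m.group(1).upper()]
            entry["payload"].append(m.group(2))
            entry["writer_pids"].add(pid)
    return dict(out)


def complete_custom_actions(rows=DROPPED):
    """Ids for which both the native stub and at least one staged managed file were captured."""
    return sorted(k for k, v in staging_dirs(rows).items() if v["stub"] and v["payload"])


if __name__ == "__main__":
    for msi_id, info in staging_dirs().items():
        print(msi_id, info)
    print("complete:", complete_custom_actions())
```

On this report the pairing closes only for MSI325F (stub from PID 6800, staging files from PID 7816); MSI2C05 has staged files but no captured stub, and the MSI51F3.tmp stub that PID 6720 loaded appears in the process list but not in the truncated dropped-file table. When triaging a DTF-based installer, the file worth pulling from the staging directory is the custom-action assembly itself (here AlphaControlAgentInstallation, per the rundll32 command line), since Microsoft.Deployment.WindowsInstaller.dll and CustomAction.config are the framework's own and identical across packages.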
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 68
DNS requests: 27
Threats: 8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET 200 23.48.23.166:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl unknown whitelisted
GET 200 23.218.209.163:80 http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl unknown whitelisted
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D unknown whitelisted
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D unknown whitelisted
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D unknown whitelisted
GET 200 23.35.229.160:80 http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl unknown whitelisted
GET 200 23.35.229.160:80 http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl unknown whitelisted
GET 200 23.48.23.145:80 http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl unknown whitelisted
GET 200 23.48.23.145:80 http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl unknown whitelisted
GET 200 192.229.221.95:80 http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D unknown whitelisted
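Every request listed is certificate-revocation traffic: CRL downloads from Microsoft and base64 OCSP GET requests to DigiCert, which is what msiexec's Authenticode validation of a signed MSI (and of the .NET assemblies it stages) produces, and why the reputation column is whitelisted throughout. An OCSP GET carries the DER-encoded OCSPRequest in the URL path (RFC 6960, Appendix A), so the certificate being checked can be recovered offline from the report alone. The Python below is an added example, not ANY.RUN's code; REQUEST_URLS is the ten URLs shown above (the table is truncated, the report counts 15), and the DER walker is a minimal one written for the shape of these requests (one CertID, no extensions), not a general ASN.1 parser.

```python
"""Decode the certificate-revocation requests in this report's HTTP table.

Added example, not ANY.RUN code. REQUEST_URLS is transcribed from the table
above. The DER walker is written for the shape these OCSP GETs have (one
CertID, no extensions); it is not a general ASN.1 parser.
"""
import base64
from urllib.parse import unquote, urlsplit

REQUEST_URLS = [
    "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
    "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAooSZl45YmN9AojjrilUug%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl",
    "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl",
    "http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl",
    "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE = 0x30


def _tlv(buf, pos):
    """Read one DER TLV at pos: (tag, value, position after it). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Immediate child TLVs of a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _oid(raw):
    """Dotted-decimal form of an OBJECT IDENTIFIER value."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def classify(url):
    """'crl' for a CRL download, 'ocsp' when the path is a base64 DER SEQUENCE, else 'other'."""
    path = urlsplit(url).path
    if path.lower().endswith(".crl"):
        return "crl"
    try:
        der = base64.b64decode(unquote(path.lstrip("/")), validate=True)
    except ValueError:
        return "other"
    return "ocsp" if der[:1] == bytes([SEQUENCE]) else "other"


def decode_ocsp_get(url):
    """CertID of the single Request inside an RFC 6960 OCSP GET URL."""
    der = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    tag, ocsp_request, _ = _tlv(der, 0)              # OCSPRequest ::= SEQUENCE
    assert tag == SEQUENCE
    tbs = _children(ocsp_request)[0][1]              # tbsRequest (optionalSignature absent)
    # version [0] and requestorName [1] are optional; requestList is the first plain SEQUENCE.
    request_list = next(v for t, v in _children(tbs) if t == SEQUENCE)
    request = _children(request_list)[0][1]          # Request ::= SEQUENCE { reqCert CertID, ... }
    cert_id = _children(request)[0][1]
    alg, name_hash, key_hash, serial = _children(cert_id)[:4]
    oid = _oid(_children(alg[1])[0][1])              # AlgorithmIdentifier.algorithm
    return {
        "hash_alg": HASH_OIDS.get(oid, oid),
        "issuer_name_hash": name_hash[1].hex(),
        "issuer_key_hash": key_hash[1].hex(),
        "serial": serial[1].hex(),
    }


def summarize(urls=REQUEST_URLS):
    """Count of each request class across the table."""
    counts = {}
    for u in urls:
        kind = classify(u)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize())
    for u in REQUEST_URLS:
        if classify(u) == "ocsp":
            print(decode_ocsp_get(u))
```

The serial number and issuerKeyHash that come out identify which leaf certificate the client asked DigiCert about, which is how to confirm that an OCSP burst belongs to the signer of the MSI rather than to something else that ran. The other side of the caveat matters more in practice: revocation lookups being whitelisted says nothing about the agent's own check-in traffic, which in this report falls into the 15-minus-10 requests and the 68 connections the truncated tables do not show.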

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
239.255.255.250:1900
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
92.123.104.8:443
www.bing.com
Akamai International B.V.
DE
whitelisted
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.213.166.81:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.177
  • 23.48.23.143
  • 23.48.23.164
  • 23.48.23.145
  • 23.48.23.176
  • 23.48.23.147
  • 23.48.23.173
whitelisted
www.microsoft.com
  • 23.218.209.163
  • 23.35.229.160
whitelisted
google.com
  • 216.58.206.46
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 92.123.104.8
  • 92.123.104.10
  • 92.123.104.13
  • 92.123.104.17
  • 92.123.104.11
  • 92.123.104.67
  • 92.123.104.7
  • 92.123.104.19
  • 92.123.104.9
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.74
  • 40.126.32.72
  • 40.126.32.136
  • 40.126.32.68
  • 40.126.32.140
  • 40.126.32.138
  • 40.126.32.76
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
th.bing.com
  • 104.126.37.145
  • 104.126.37.128
  • 104.126.37.153
  • 104.126.37.136
  • 104.126.37.131
  • 104.126.37.129
  • 104.126.37.123
  • 104.126.37.139
  • 104.126.37.130
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted

Threats

8 ETPRO signatures available at the full report
No debug info