analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

8da646fe11393fb01f81e285d1938a85a82c5334b874edd0e57143858afc54fd.msi

Full analysis: https://app.any.run/tasks/c837abe0-ba1e-4332-846c-42e5fc396a87
Verdict: Malicious activity
Analysis date: March 21, 2019, 23:33:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1251, Title: Installation Database, Subject: InnoExtractor, Author: user, Keywords: Installer, Comments: This installer database contains the logic and data required to install InnoExtractor., Template: Intel;1049, Revision Number: {D3FAC324-5F24-482C-9903-6EEF40424C0F}, Create Time/Date: Tue Mar 19 00:02:38 2019, Last Saved Time/Date: Tue Mar 19 00:02:38 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2
MD5:

C02FBDF52638241988047706B51AE564

SHA1:

F0522CE00357561311469CDE7AF0F63F443B7B3F

SHA256:

8DA646FE11393FB01F81E285D1938A85A82C5334B874EDD0E57143858AFC54FD

SSDEEP:

49152:KVIeH1g95jvIMLd/4SzCaQeHlMxihRfa1ys:KVv65BaS4eHlAL1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • z.exe (PID: 2480)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2284)
      • WerFault.exe (PID: 2216)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • MsiExec.exe (PID: 1352)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2320)
    • Uses TASKKILL.EXE to kill process

      • rundll32.exe (PID: 2284)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2140)
      • cmd.exe (PID: 2320)
  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 2140)
    • Application launched itself

      • msiexec.exe (PID: 2140)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2088)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 1308)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 1308)
    • Application was crashed

      • rundll32.exe (PID: 2284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: Read-only recommended
Software: Windows Installer XML Toolset (3.11.0.1528)
Words: 10
Pages: 200
ModifyDate: 2019:03:19 00:02:38
CreateDate: 2019:03:19 00:02:38
RevisionNumber: {D3FAC324-5F24-482C-9903-6EEF40424C0F}
Template: Intel;1049
Comments: This installer database contains the logic and data required to install InnoExtractor.
Keywords: Installer
Author: user
Subject: InnoExtractor
Title: Installation Database
CodePage: Windows Cyrillic
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
11
Malicious processes
1
Suspicious processes
3

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs cmd.exe no specs z.exe no specs cmd.exe rundll32.exe taskkill.exe no specs werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
2260"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\8da646fe11393fb01f81e285d1938a85a82c5334b874edd0e57143858afc54fd.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2140C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2088C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1308DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C0" "000005B4"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1352C:\Windows\system32\MsiExec.exe -Embedding 432005C4E8CEDB47545E15A8497481D9C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1524"cmd" /c "cd "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\"&z -o -P kika mse.zip"C:\Windows\system32\cmd.exeMsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2480z -o -P kika mse.zipC:\Users\admin\AppData\Local\Temp\Steam64.dll\z.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2320"cmd" /v:on /c "set Tlder=rundll32&set Dlsrt=%random%&mkdir "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\!Dlsrt!"&cd "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\!Dlsrt!\"&move /y "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\*.*" "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\!Dlsrt!"\&!Tlder! _steam.dll,Entry i"C:\Windows\system32\cmd.exe
MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
3221225477
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2284rundll32 _steam.dll,Entry iC:\Windows\system32\rundll32.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
3221225477
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1728"C:\Windows\System32\taskkill.exe" /IM msiexec.exe /FC:\Windows\System32\taskkill.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
607
Read events
417
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
10
Text files
132
Unknown types
2

Dropped files

PID
Process
Filename
Type
2140msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2140msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{5c95f8d3-98c7-4e8a-b3d0-03f6dddba5cb}_OnDiskSnapshotPropbinary
MD5:AF550987887789CD8F99BA0493270B34
SHA256:C4F6732B30240F23F94CE1A6B77218586708430C33BC03391F01FE09A846FDB2
1308DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
1308DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:05B0BA9E89CAD2BA1ECE02FD5E7E3619
SHA256:2C00288834543A7245DCC70F63C46D700AD93EB30AC47C2C9DD625987CAC2C04
1308DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:6EAF41B83D58273105BCA803F437BAE5
SHA256:B2793DBB346600FE2FB5E523ACE6941E1CF14F7F63D42987E4DBCEC8B03C2D12
2140msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:AF550987887789CD8F99BA0493270B34
SHA256:C4F6732B30240F23F94CE1A6B77218586708430C33BC03391F01FE09A846FDB2
2140msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF4FB82D5AEBF69A49.TMP
MD5:
SHA256:
2140msiexec.exeC:\Windows\Installer\MSIC433.tmp
MD5:
SHA256:
2480z.exeC:\Users\admin\AppData\Local\Temp\Steam64.dll\bin.dat
MD5:
SHA256:
2480z.exeC:\Users\admin\AppData\Local\Temp\Steam64.dll\_steam.dll
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2216
WerFault.exe
GET
40.67.186.102:80
http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/ntdll_dll/6_1_7601_17514/4ce7b96e/c0000005/000533b1.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2216
WerFault.exe
40.67.186.102:80
watson.microsoft.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
watson.microsoft.com
  • 40.67.186.102
whitelisted

Threats

PID
Process
Class
Message
2216
WerFault.exe
Potential Corporate Privacy Violation
ET POLICY Application Crash Report Sent to Microsoft
Process
Message
rundll32.exe
rundll32.exe
rundll32.exe