Field | Value |
---|---|
File name: | bns72a0EI7.msi |
Full analysis: | https://app.any.run/tasks/27e4bbe9-0264-4672-95bc-ef703ce388b4 |
Verdict: | Malicious activity |
Threats: | Metamorfo is a banking trojan family that has been active since 2018. It remains a top threat, stealing victims' financial information, above all online banking credentials, and is known for targeting users in Brazil. |
Analysis date: | March 30, 2020, 14:54:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | — |
Indicators: | — |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {476E9454-BA37-4EFD-8DBC-AC5EC9733219}, Number of Words: 10, Subject: PowerShell, Author: Microsft Windows, Name of Creating Application: Advanced Installer 12.3 build 64631, Template: ;1033, Comments: PowerShell. |
MD5: | 77D915E0EC11D7BEC69A56DDDAEEA711 |
SHA1: | E7D163E60D6842C73E214A9618DDA57ECC8E35A9 |
SHA256: | 8E01F1D66620D9D498B5C43F9A7D4EAFE64471DE6CB85FD12D36EDC9A7F3BDFB |
SSDEEP: | 12288:OxtV2aY5AMrxiOH/t2S4TuHJTEl3SdQshdkP77GqjTqp4nbur:OxtV2aY5AMrv/t2S/HJTEl3S2shd47q3 |
Extension | Identified type (match %) |
---|---|
.msi | Microsoft Windows Installer (88.6) |
.mst | Windows SDK Setup Transform Script (10) |
.msi | Microsoft Installer (100) |
Property | Value |
---|---|
Comments: | PowerShell. |
Template: | ;1033 |
Software: | Advanced Installer 12.3 build 64631 |
LastModifiedBy: | - |
Author: | Microsft Windows |
Subject: | PowerShell |
Words: | 10 |
RevisionNumber: | {476E9454-BA37-4EFD-8DBC-AC5EC9733219} |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
Pages: | 200 |
ModifyDate: | 2009:12:11 11:47:44 |
CreateDate: | 2009:12:11 11:47:44 |
LastPrinted: | 2009:12:11 11:47:44 |
Keywords: | Installer, MSI, Database |
Title: | Installation Database |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3380 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\bns72a0EI7.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) | | | | |
2604 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe |
User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) | | | | |
2396 | C:\Windows\system32\MsiExec.exe -Embedding 4E5EC1C0C21C34BB15344974B2A0CFF4 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) | | | | |
852 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\bns72a0EI7.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) | | | | |
2376 | C:\Windows\system32\MsiExec.exe -Embedding CEA759C885DF0F56A3BAB6D93CE02756 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) | | | | |
3276 | "C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\Run" /v SDSI3F /t reg_sz /d C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE | C:\Windows\System32\reg.exe | — | MsiExec.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
2952 | "C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE" | C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE | — | MsiExec.exe |
User: admin; Integrity Level: MEDIUM; Description: NVIDIA Smart Maximise Helper Host; Exit code: 250477278; Version: 6.14.10.100.03 | | | | |
2748 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2604 | msiexec.exe | C:\Windows\Installer\MSI7067.tmp | — | — | — |
2604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFEB4D51DD5F802B0B.TMP | — | — | — |
2604 | msiexec.exe | C:\Windows\Installer\MSI70D6.tmp | — | — | — |
2604 | msiexec.exe | C:\Windows\Installer\MSI70B6.tmp | — | — | — |
2604 | msiexec.exe | C:\Windows\Installer\MSI165F.tmp | — | — | — |
2604 | msiexec.exe | C:\Config.Msi\a66d2c.rbs | — | — | — |
2604 | msiexec.exe | C:\Windows\Installer\MSI167F.tmp | — | — | — |
2604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFFB428BDF4AE088B6.TMP | — | — | — |
2604 | msiexec.exe | C:\Windows\Installer\MSI45E9.tmp | — | — | — |
2604 | msiexec.exe | C:\Windows\Installer\MSI4677.tmp | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2952 | SDSI3F.EXE | POST | 200 | 94.177.160.157:80 | http://megasena1.duckdns.org/UP/ | IT | — | — | malicious |
2376 | MsiExec.exe | GET | 200 | 18.230.78.79:80 | http://18.230.78.79/Ddas1.tar | US | compressed | 10.5 Mb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2376 | MsiExec.exe | 18.230.78.79:80 | — | Massachusetts Institute of Technology | US | unknown |
2396 | MsiExec.exe | 18.230.78.79:80 | — | Massachusetts Institute of Technology | US | unknown |
2952 | SDSI3F.EXE | 94.177.160.157:80 | megasena1.duckdns.org | Aruba S.p.A. | IT | malicious |
Domain | IP | Reputation |
---|---|---|
dns.msftncsi.com | — | shared |
megasena1.duckdns.org | 94.177.160.157 | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
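The process tree and network tables above record one chain: an MsiExec.exe custom-action server (PID 2376) fetches Ddas1.tar from a raw IP, MsiExec.exe then runs reg.exe to register C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE under the HKCU Run key (PID 3276), and that same binary beacons to megasena1.duckdns.org (PID 2952). As an added example that is not part of the ANY.RUN report, the Python below turns that chain into detection logic and runs it over event records constructed to mirror the report's rows. The event field names (`image`, `cmd`, `parent_image`, `host`, `url`) are an assumed schema, not a Sysmon or EDR format, and the dynamic-DNS suffixes other than duckdns.org are assumed common providers added for generality.

```python
"""Flag the msiexec -> reg.exe Run-key -> dynamic-DNS beacon chain in process and network events.

Added example, not part of the ANY.RUN report. The EVENTS list is constructed
from the report's process tree and HTTP table; the record schema is an assumption.
"""
import ipaddress
import re

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
REG_KEY_RE = re.compile(r'\badd\s+"?([^"\s]+)"?', re.IGNORECASE)
REG_VALUE_RE = re.compile(r'/v\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
REG_DATA_RE = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Executables launched out of a user profile directory by the installer engine.
USER_DIR_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(?:Documents|Desktop|Downloads|AppData)\\", re.IGNORECASE)
# duckdns.org is from the report; the other two are assumed common dynamic-DNS providers.
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net")

# Constructed events mirroring PIDs 2604, 3276, 2952 and 2376 from the report,
# plus one benign control (PID 4100, assumed) writing a vendor key under HKLM.
EVENTS = [
    {"type": "process", "pid": 2604, "image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r"C:\Windows\system32\msiexec.exe /V", "parent_image": r"C:\Windows\system32\services.exe"},
    {"type": "process", "pid": 3276, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'"C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\Run" /v SDSI3F /t reg_sz /d C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE',
     "parent_image": r"C:\Windows\system32\MsiExec.exe"},
    {"type": "process", "pid": 2952, "image": r"C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE",
     "cmd": r'"C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE"', "parent_image": r"C:\Windows\system32\MsiExec.exe"},
    {"type": "network", "pid": 2952, "image": r"C:\Users\admin\Documents\SDSI3F\SDSI3F.EXE",
     "host": "megasena1.duckdns.org", "url": "http://megasena1.duckdns.org/UP/"},
    {"type": "network", "pid": 2376, "image": r"C:\Windows\system32\MsiExec.exe",
     "host": "18.230.78.79", "url": "http://18.230.78.79/Ddas1.tar"},
    {"type": "process", "pid": 4100, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Vendor\App" /v Installed /t REG_DWORD /d 1',
     "parent_image": r"C:\Windows\system32\MsiExec.exe"},
]


def basename(path):
    """Lower-cased file name component of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_reg_add(cmd):
    """Return (key, value_name, data) from a 'reg add' command line, or None if it is not one."""
    key, value, data = REG_KEY_RE.search(cmd), REG_VALUE_RE.search(cmd), REG_DATA_RE.search(cmd)
    if not (key and value and data):
        return None
    return key.group(1), value.group(1) or value.group(2), data.group(1) or data.group(2)


def is_ddns(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def scan(events):
    """Return a list of findings; each is {'rule', 'pid', 'data'} (Run-key hits also carry 'value')."""
    findings = []
    for e in events:
        img, parent = basename(e["image"]), basename(e.get("parent_image", ""))
        if e["type"] == "process":
            if img == "reg.exe" and parent == "msiexec.exe":
                parsed = parse_reg_add(e["cmd"])
                if parsed and RUN_KEY_RE.search(parsed[0]):
                    findings.append({"rule": "msiexec_run_key_persistence", "pid": e["pid"],
                                     "value": parsed[1], "data": parsed[2]})
            if parent == "msiexec.exe" and img.endswith(".exe") and USER_DIR_RE.match(e["image"]):
                findings.append({"rule": "msiexec_spawns_user_profile_exe", "pid": e["pid"], "data": e["image"]})
        elif e["type"] == "network":
            if is_ddns(e["host"]):
                findings.append({"rule": "dynamic_dns_c2", "pid": e["pid"], "data": e["url"]})
            if img == "msiexec.exe" and is_ip_literal(e["host"]):
                findings.append({"rule": "msiexec_download_from_raw_ip", "pid": e["pid"], "data": e["url"]})
    # Correlate: the binary registered for persistence is the one talking to the network.
    persisted = {f["data"].lower() for f in findings if f["rule"] == "msiexec_run_key_persistence"}
    for e in events:
        if e["type"] == "network" and e["image"].lower() in persisted:
            findings.append({"rule": "persisted_binary_beacons", "pid": e["pid"], "data": e["url"]})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['rule']:34} pid={f['pid']:<5} {f.get('value', '')} {f['data']}")
```

The Run-key rule keyed on a MsiExec.exe parent is the strong signal here: a legitimate MSI writes its Run entries through the Registry table, not by spawning reg.exe, and never points them at a user's Documents folder. The user-profile-executable rule is a hunting lead rather than an alert on its own, since installers routinely launch helpers from AppData. The dynamic-DNS rule reproduces what the Suricata "ET INFO DYNAMIC_DNS Query to *.duckdns. Domain" hit already caught at the network layer; the value of doing it host-side is tying the query to the persisted binary, which is what the last correlation step does.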