File name:	system-scan.msi
Full analysis:	https://app.any.run/tasks/3308282e-c290-409a-a940-a93b819bc8f5
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	August 24, 2024, 16:03:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	exe-to-msi opendir loader asyncrat
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 09:56:09 2012, Create Time/Date: Fri Sep 21 09:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 11:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:	85E87BEE47AA51159F27118E742CB643
SHA1:	645701E8934E7C4261F001AC029114D74A8DEB36
SHA256:	8FD972EEDB519A22A8B2FA8E705833F603B7FABC2DB1818CFA2D18380982B788
SSDEEP:	3072:1EHq5DlfEHcMYMcelfwD2lmJ7TMftdT72yddlKCL52632wx9MtEPPX16N11+bkbY:1EHWDuHweCy6GtdTisdjNfkQoaaRm

CodePage:	Windows Latin 1 (Western European)
LastPrinted:	2012:09:21 09:56:09
CreateDate:	2012:09:21 09:56:09
Software:	Windows Installer
Title:	Exe to msi converter free
Subject:	-
Author:	www.exetomsi.com
Keywords:	-
Comments:	-
Template:	;0
LastModifiedBy:	devuser
RevisionNumber:	{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate:	2013:05:21 11:56:44
Pages:	100
Words:	-
Security:	None


(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000C5FE50283FF6DA01AC1A0000CC1A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000C5FE50283FF6DA01AC1A0000CC1A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 48000000000000000DA29F283FF6DA01AC1A0000CC1A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 48000000000000000DA29F283FF6DA01AC1A0000CC1A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000EF04A2283FF6DA01AC1A0000CC1A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000BB30A9283FF6DA01AC1A0000CC1A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000063D19293FF6DA01AC1A0000CC1A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6828) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000BEA11B293FF6DA01AC1A0000981B0000E80300000100000000000000000000002E1081B2FE457B42AB48A19BE9E40E7900000000000000000000000000000000
(PID) Process:	(6876) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000E4CD22293FF6DA01DC1A0000101B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
6828	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6828	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:0DB8093046F4457193EB314FCE71D7B7	SHA256:A4405CF359D1BFAD63AAA300BBDA12BE68016562BF983EBA0195D3924EA91B84
1356	MSI23EC.tmp	C:\Users\admin\AppData\Local\Temp\ps241A.tmp.ps1		text
		MD5:985D54664DCCE4666E49CA661063B925	SHA256:BF8E98B473ADAC13902B7557D3CBA744402A5996A137B952E40CC87FAC037B2B
6828	msiexec.exe	C:\Windows\Installer\12218a.msi		executable
		MD5:85E87BEE47AA51159F27118E742CB643	SHA256:8FD972EEDB519A22A8B2FA8E705833F603B7FABC2DB1818CFA2D18380982B788
6828	msiexec.exe	C:\Windows\Temp\~DF3DBEDF3A6E04AFB1.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6828	msiexec.exe	C:\Windows\Temp\~DF8A2D7A653636E028.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6828	msiexec.exe	C:\Windows\Temp\~DFCC9605E31FC33C54.TMP		binary
		MD5:D13AF1C8E0225CFF70DAF0C1E8C41EFC	SHA256:3FCC43E520059D082BDA7119BD0113E8AEBD09D112494D645CE469DA90C30EE9
6828	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{b281102e-45fe-427b-ab48-a19be9e40e79}_OnDiskSnapshotProp		binary
		MD5:0DB8093046F4457193EB314FCE71D7B7	SHA256:A4405CF359D1BFAD63AAA300BBDA12BE68016562BF983EBA0195D3924EA91B84
6828	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:D13AF1C8E0225CFF70DAF0C1E8C41EFC	SHA256:3FCC43E520059D082BDA7119BD0113E8AEBD09D112494D645CE469DA90C30EE9
1356	MSI23EC.tmp	C:\Users\admin\AppData\Local\Temp\ps241A.tmp		text
		MD5:985D54664DCCE4666E49CA661063B925	SHA256:BF8E98B473ADAC13902B7557D3CBA744402A5996A137B952E40CC87FAC037B2B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3184	powershell.exe	GET	200	91.92.244.233:80	http://subsystem.servehttp.com/SETUP/1	unknown	—	—	unknown
3184	powershell.exe	GET	200	91.92.244.233:80	http://subsystem.servehttp.com/SETUP/audio-driver.exe	unknown	—	—	unknown
3184	powershell.exe	GET	200	91.92.244.233:80	http://subsystem.servehttp.com/SETUP/1.reg	unknown	—	—	unknown
3184	powershell.exe	GET	200	91.92.244.233:80	http://subsystem.servehttp.com/SETUP/H.exe	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
1360	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1616	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3184	powershell.exe	91.92.244.233:80	subsystem.servehttp.com	Natskovi & Sie Ltd.	BG	unknown
2344	svchost.exe	239.255.255.250:3702	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.185.238	whitelisted
subsystem.servehttp.com	91.92.244.233	unknown
tech22.ddns.net	—	malicious
tech11.ddns.net	—	malicious

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET POLICY DNS Query to DynDNS Domain *.servehttp .com
3184	powershell.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.servehttp .com Domain
3184	powershell.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.servehttp .com Domain
3184	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
3184	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
3184	powershell.exe	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)
3184	powershell.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.servehttp .com Domain
3184	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
3184	powershell.exe	Misc activity	ET INFO Packed Executable Download
3184	powershell.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

system-scan.msi

85E87BEE47AA51159F27118E742CB643

645701E8934E7C4261F001AC029114D74A8DEB36

8FD972EEDB519A22A8B2FA8E705833F603B7FABC2DB1818CFA2D18380982B788

3072:1EHq5DlfEHcMYMcelfwD2lmJ7TMftdT72yddlKCL52632wx9MtEPPX16N11+bkbY:1EHWDuHweCy6GtdTisdjNfkQoaaRm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Run PowerShell with an invisible window

Bypass execution policy to execute commands

Disables Windows Defender

Uses Task Scheduler to autorun other applications

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Drops the executable file immediately after the start

Drops the ExeToMSI Application

Executes as Windows Service

Reads the Windows owner or organization settings

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Executable content was dropped or overwritten

Uses REG/REGEDIT.EXE to modify registry

Identifying current user with WHOAMI command

Potential Corporate Privacy Violation

Reads security settings of Internet Explorer

Reads the date of Windows installation

Uses ATTRIB.EXE to modify file attributes

Executing commands from a ".bat" file

Uses TIMEOUT.EXE to delay execution

The executable file from the user directory is run by the CMD process

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Executable content was dropped or overwritten

Reads the computer name

Starts application with an unusual extension

Script raised an exception (POWERSHELL)

Gets data length (POWERSHELL)

Uses string replace method (POWERSHELL)

Checks if a key exists in the options dictionary (POWERSHELL)

Disables trace logs

Reads the machine GUID from the registry

Process checks computer location settings

Create files in a temporary directory

Creates files or folders in the user directory

Malware configuration

AsyncRat

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AsyncRat

Information