File name: 9d4506549b9e4906df8de5604e9f4bfefe84fdccbe996c5cb46877b629306e02
Full analysis: https://app.any.run/tasks/4f15f68a-35a3-4e89-a934-f63f3f17dfc4
Verdict: Malicious activity
Analysis date: September 30, 2020, 07:17:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Code page: 1252, Last Printed: Wed Sep 23 11:25:12 2020, Title: Microsoft Contabilidade, Author: Microsoft Contabilidade, Template: Intel;1046, Last Saved By: Padrao, Revision Number: {56728283-E6B2-4B05-921F-F1162CC137B0}, Last Saved Time/Date: Wed Sep 23 11:25:23 2020, Number of Pages: 200, Number of Words: 10, Security: 0
MD5: 158A77B96836DFC383FC959A2FCE3925
SHA1: 6ECC87171886FA82BB663431C5E2893C3D5C1412
SHA256: 9D4506549B9E4906DF8DE5604E9F4BFEFE84FDCCBE996C5CB46877B629306E02
SSDEEP: 6144:7VedjFBYTYQ7eEw8gpemh3+N7f4gsUEEgCtL:7k5FBeeP8uemk7fDsUEE9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Creates files in the user directory
      • msiexec.exe (PID: 2060)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 2060)
    • Reads Internet Cache Settings
      • MsiExec.exe (PID: 3248)
    • Executed as Windows Service
      • vssvc.exe (PID: 2772)
    • Executed via COM
      • DllHost.exe (PID: 948)
  • INFO
    • Application launched itself
      • msiexec.exe (PID: 2060)
      • MsiExec.exe (PID: 3248)
    • Low-level read access rights to disk partition
      • vssvc.exe (PID: 2772)
    • Creates a software uninstall entry
      • msiexec.exe (PID: 2060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CreateDate: 1999:06:21 07:00:00
Software: Windows Installer
CodePage: Windows Latin 1 (Western European)
LastPrinted: 2020:09:23 10:25:12
Title: Microsoft Contabilidade
Subject: -
Author: Microsoft Contabilidade
Keywords: -
Comments: -
Template: Intel;1046
LastModifiedBy: Padrao
RevisionNumber: {56728283-E6B2-4B05-921F-F1162CC137B0}
ModifyDate: 2020:09:23 10:25:23
Pages: 200
Words: 10
Security: None
Total processes: 42
Monitored processes: 6
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes in the graph (per-process details are in the full report): start, msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), msiexec.exe, msiexec.exe (no specs), PhotoViewer.dll (no specs)

Process information

PID: 588
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\9d4506549b9e4906df8de5604e9f4bfefe84fdccbe996c5cb46877b629306e02.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2060
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2772
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3248
CMD: C:\Windows\system32\MsiExec.exe -Embedding 74DC3457C1B7F8A05115D000C117B617
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2136
CMD: "C:\Windows\System32\msiexec.exe" /i Bad, bad boy. No donut for you. /q
Path: C:\Windows\System32\msiexec.exe
Parent process: MsiExec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 1639 (ERROR_INVALID_COMMAND_LINE)
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 948
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 1 128
Read events: 879
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 4
Text files: 2
Unknown types: 0

Dropped files

PID 2060 (msiexec.exe)
Filename: C:\System Volume Information\SPP\metadata-2
MD5: -
SHA256: -

PID 2060 (msiexec.exe)
Filename: C:\Users\admin\AppData\Local\Temp\~DF24CC46FA32A23C86.TMP
MD5: -
SHA256: -

PID 2772 (vssvc.exe)
Filename: C:
MD5: -
SHA256: -

PID 2060 (msiexec.exe)
Filename: C:\Config.Msi\1ae11d.rbs
MD5: -
SHA256: -

PID 2060 (msiexec.exe)
Filename: C:\Users\admin\AppData\Local\Temp\~DFE47FBB4890B12C3A.TMP
MD5: -
SHA256: -

PID 2060 (msiexec.exe)
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{8d012752-65f5-4bab-8007-85d91f04feb1}_OnDiskSnapshotProp
Type: binary
MD5: 42A9C93C8865D229C7BC0D1923D59D4D
SHA256: A2CB450A0AE9ED924F255B11CDB3E3783B9573941ED3D7ADE3A7648EAFDA4BC7

PID 2060 (msiexec.exe)
Filename: C:\Users\admin\AppData\Roaming\extrato.jpg
Type: image
MD5: 7AAA84BC45E881911592C9A00BF359BA
SHA256: 2E28A308955AA1F2A307CC5400B7A6BC57313DE604C9024A4B929C09A3B3234C

PID 2060 (msiexec.exe)
Filename: C:\Windows\Installer\1ae11e.msi
Type: executable
MD5: 158A77B96836DFC383FC959A2FCE3925
SHA256: 9D4506549B9E4906DF8DE5604E9F4BFEFE84FDCCBE996C5CB46877B629306E02

PID 2060 (msiexec.exe)
Filename: C:\Windows\Installer\MSIE3E9.tmp
Type: binary
MD5: D2B78091C326126E3216F56779E86BD5
SHA256: 13AEF40ACF92874EACB10AFC15875F46B469308E42AB21826A73CE2FC0402332

PID 2060 (msiexec.exe)
Filename: C:\Windows\Installer\1ae11a.msi
Type: executable
MD5: 158A77B96836DFC383FC959A2FCE3925
SHA256: 9D4506549B9E4906DF8DE5604E9F4BFEFE84FDCCBE996C5CB46877B629306E02

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID: 3248
Process: MsiExec.exe
Method: GET
HTTP Code: 200
IP: 187.45.193.152:80
URL: http://cecosal.org.br/wp-includes/Requests/Transport/index.php
CN: BR
Type: text
Size: 31 b
Reputation: malicious

Connections

PID: 3248
Process: MsiExec.exe
IP: 187.45.193.152:80
Domain: cecosal.org.br
ASN: Locaweb Serviços de Internet S/A
CN: BR
Reputation: malicious

DNS requests

Domain: cecosal.org.br
IP: 187.45.193.152
Reputation: malicious

Threats

PID: 3248
Process: MsiExec.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] VBS.Loader.Gen
No debug info