analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

putty-0.74-installer.msi

Full analysis: https://app.any.run/tasks/3162d4dc-5c1a-42d2-9d70-927d66f33c31
Verdict: Malicious activity
Analysis date: October 20, 2020, 08:42:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: PuTTY release 0.74 installer, Author: Simon Tatham, Keywords: Installer, Comments: This installer database contains the logic and data required to install PuTTY release 0.74., Template: Intel;1033, Revision Number: {7C2826B0-6C80-4DDA-821D-927688BC0979}, Create Time/Date: Sun Jun 21 19:44:52 2020, Last Saved Time/Date: Sun Jun 21 19:44:52 2020, Number of Pages: 100, Number of Words: 2, Number of Characters: 0, Name of Creating Application: Windows Installer XML Toolset (), Security: 2
MD5:

90C376DAD4ADF767A8418DABDA2C633E

SHA1:

E15FFEAAB22BD176512A0401D46305C49BB8C88E

SHA256:

A630B507D726D7B378F1D82108B99FE7A0CC8713F7182957325AD07CF288228C

SSDEEP:

49152:OzZv2D6lzY4JinxrTkKGBJfBXEJwH4r8oUW8U0ayOA2bwPPNcCh:OlOU7INUTfCOH4AlRabWco

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 3508)

    • Executed via COM

      • DllHost.exe (PID: 2540)

    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 2736)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2736)

  • INFO

    • Application launched itself

      • msiexec.exe (PID: 2736)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3508)

    • Manual execution by user

      • NOTEPAD.EXE (PID: 3296)

    • Creates files in the program directory

      • msiexec.exe (PID: 2736)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 2736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: Read-only recommended
Software: Windows Installer XML Toolset ()
Characters: -
Words: 2
Pages: 100
ModifyDate: 2020:06:21 18:44:52
CreateDate: 2020:06:21 18:44:52
RevisionNumber: {7C2826B0-6C80-4DDA-821D-927688BC0979}
Template: Intel;1033
Comments: This installer database contains the logic and data required to install PuTTY release 0.74.
Keywords: Installer
Author: Simon Tatham
Subject: PuTTY release 0.74 installer
Title: Installation Database
CodePage: Windows Latin 1 (Western European)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe msiexec.exe no specs vssvc.exe no specs PhotoViewer.dll no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3064"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\putty-0.74-installer.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2736C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1592C:\Windows\system32\MsiExec.exe -Embedding E1A0A829FC3253C95776D0CE74D93C17 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3508C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2540C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3296"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\sa.txtC:\Windows\system32\NOTEPAD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
940
Read events
647
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
6
Text files
5
Unknown types
9

Dropped files

PID
Process
Filename
Type
3064msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI9F04.tmp
MD5:
SHA256:
2736msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2736msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF7371AC0693467503.TMP
MD5:
SHA256:
2736msiexec.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\PuTTY\~uTTY.tmp
MD5:
SHA256:
3508vssvc.exeC:
MD5:
SHA256:
2736msiexec.exeC:\Windows\Installer\16e40b.msiexecutable
MD5:90C376DAD4ADF767A8418DABDA2C633E
SHA256:A630B507D726D7B378F1D82108B99FE7A0CC8713F7182957325AD07CF288228C
2736msiexec.exeC:\Windows\Installer\MSIEB7E.tmpbinary
MD5:A9E734C3B4FDA3CCFCB1E3E9CB6840BA
SHA256:F136674EE72ADB56A7D55F0B215709FAB7CD3E6F2337F7F02747931AB782723A
2736msiexec.exeC:\Program Files\PuTTY\LICENCEtext
MD5:8182423C4C610605F69574536328B7DB
SHA256:09AA3954A238BE8F2AF2165309DEAF430637ACFE3F110E32E1F5D18C1BA78D36
2736msiexec.exeC:\Program Files\PuTTY\putty.chmchm
MD5:BCCCB2446EED1B57BD9940034FCCF7EC
SHA256:FF9E9D5DA94CBDD4BAF8E423832C39A2FDB10D82549BFC6C86BAE6DD2B83FE16
2736msiexec.exeC:\Program Files\PuTTY\puttygen.exeexecutable
MD5:41A4D7994FF3BEAC5B7BA8AA7ECD1710
SHA256:7767CE6F49775F90651185982869FC36E01C0E307FDE2F364BF30EB89D65D822
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
putty-0.74-installer.msi