| File name: | 2.msi |
| Full analysis: | https://app.any.run/tasks/ccc1d46f-efce-4a9b-848f-35a7eb176c00 |
| Verdict: | Suspicious activity |
| Analysis date: | October 03, 2020, 16:11:02 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 936, Revision Number: {AD327640-4D21-47D0-A40A-803A76A95258}, Number of Words: 2, Subject: CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL, Author: CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL, Name of Creating Application: Advanced Installer 16.5 build 8df7ad95, Template: ;2052, Comments: CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL , Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 |
| MD5: | C376D94DB48DA589CA1A2AEEEAE33A16 |
| SHA1: | 3EB80CB6060F4572AB1738354EF3CC319C476A1D |
| SHA256: | A643770E43D57E8811D48F7A5F4F0E9FD199A8323E08C0B42A3B4069C6D25543 |
| SSDEEP: | 24576:QTSBqnGIQ5M6DLrVVdWb859GCHrSoUzLyaVtFUl:QTUlrXVVdWY59GUrSLzeaVtFU |
MALICIOUS
No malicious indicators.SUSPICIOUS
Creates files in the Windows directory
- msiexec.exe (PID: 5352)
Reads Environment values
- MsiExec.exe (PID: 3684)
Executable content was dropped or overwritten
- msiexec.exe (PID: 5352)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (88.6) |
|---|---|---|
| .mst | | | Windows SDK Setup Transform Script (10) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| LastPrinted: | 2009:12:11 11:47:44 |
|---|---|
| CreateDate: | 2009:12:11 11:47:44 |
| ModifyDate: | 2009:12:11 11:47:44 |
| Security: | None |
| CodePage: | Windows Simplified Chinese (PRC, Singapore) |
| RevisionNumber: | {AD327640-4D21-47D0-A40A-803A76A95258} |
| Words: | 2 |
| Subject: | CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL |
| Author: | CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL |
| LastModifiedBy: | - |
| Software: | Advanced Installer 16.5 build 8df7ad95 |
| Template: | ;2052 |
| Comments: | ?˰?װ???ݿ??????˰?װ CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL ?????????????ݡ? |
| Title: | Installation Database |
| Keywords: | Installer, MSI, Database |
| Pages: | 200 |
Total processes
102
Monitored processes
3
Malicious processes
0
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3296 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\2.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3684 | C:\Windows\syswow64\MsiExec.exe -Embedding 3E689F3CD7B51868266E7D9E7FEAC102 | C:\Windows\syswow64\MsiExec.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5352 | C:\WINDOWS\system32\msiexec.exe /V | C:\WINDOWS\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
805
Read events
794
Write events
11
Delete events
0
Modification events
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: E8140000237920D69F99D601 | |||
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: A7C39138E2F071DD060AADD513E0C6C0B025FB9E6A253C7F9803ADBBF1FBC54D | |||
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3296) msiexec.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\IME\15.0\IMEJP |
| Operation: | write | Name: | LastLogDate |
Value: DABC3DDA9F99D601 | |||
| (PID) Process: | (3296) msiexec.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\IME\15.0\IMEJP\MSIME\AutoCharWidth |
| Operation: | write | Name: | LearnData |
Value: A2,040,050,060,070,080,090,160,170, | |||
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\1aa81ff5.rbs |
Value: 30841323 | |||
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\1aa81ff5.rbsLow |
Value: 1277087392 | |||
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4B7B00AA4731E2647AAC15042EA5873C |
| Operation: | write | Name: | 230593080361B4C49A79A0C7BC277CB5 |
Value: C:\WINDOWS\AppPatch\Custom\ | |||
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\70BF55C3EB8F6EA41939DB875DE7E060 |
| Operation: | write | Name: | 230593080361B4C49A79A0C7BC277CB5 |
Value: C:\WINDOWS\.ini | |||
| (PID) Process: | (5352) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders |
| Operation: | write | Name: | C:\Program Files (x86)\CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL\CTH3VNU8KZHDXY6YYCF9YV8OXGPW3P2APZPL\ |
Value: 1 | |||
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5352 | msiexec.exe | C:\WINDOWS\Installer\MSI437B.tmp | — | |
MD5:— | SHA256:— | |||
| 5352 | msiexec.exe | C:\WINDOWS\Installer\MSI43AB.tmp | — | |
MD5:— | SHA256:— | |||
| 5352 | msiexec.exe | C:\WINDOWS\Installer\MSI43DB.tmp | — | |
MD5:— | SHA256:— | |||
| 5352 | msiexec.exe | C:\WINDOWS\TEMP\~DF03257E97F0071D28.TMP | — | |
MD5:— | SHA256:— | |||
| 5352 | msiexec.exe | C:\WINDOWS\TEMP\~DFCBE36FE2ABCBF907.TMP | — | |
MD5:— | SHA256:— | |||
| 5352 | msiexec.exe | C:\WINDOWS\Installer\MSI443A.tmp | binary | |
MD5:— | SHA256:— | |||
| 5352 | msiexec.exe | C:\WINDOWS\Installer\1aa81ff3.msi | executable | |
MD5:— | SHA256:— | |||
| 5352 | msiexec.exe | C:\WINDOWS\Installer\MSI3F43.tmp | executable | |
MD5:305A50C391A94B42A68958F3F89906FB | SHA256:F89C4313F2F4BC8654A7FA3697702E36688E8C2756DF5ADA209A7F3E3F1D906F | |||
| 5352 | msiexec.exe | C:\WINDOWS\Installer\MSI432C.tmp | executable | |
MD5:305A50C391A94B42A68958F3F89906FB | SHA256:F89C4313F2F4BC8654A7FA3697702E36688E8C2756DF5ADA209A7F3E3F1D906F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
3
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2052 | SIHClient.exe | GET | 304 | 13.74.179.117:443 | https://sls.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.16299.0/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.16299.98&MK=DELL&MD=DELL | IE | — | — | whitelisted |
2052 | SIHClient.exe | GET | 200 | 23.210.249.93:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | NL | der | 813 b | whitelisted |
2052 | SIHClient.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | der | 1.11 Kb | whitelisted |
2052 | SIHClient.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | der | 555 b | whitelisted |
2052 | SIHClient.exe | GET | 200 | 13.74.179.117:443 | https://sls.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.16299.0/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.16299.98&MK=DELL&MD=DELL | IE | compressed | 24.8 Kb | whitelisted |
2052 | SIHClient.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | der | 824 b | whitelisted |
2052 | SIHClient.exe | GET | 200 | 23.210.249.93:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | NL | der | 813 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2052 | SIHClient.exe | 13.74.179.117:443 | sls.update.microsoft.com | Microsoft Corporation | IE | whitelisted |
2052 | SIHClient.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | — | whitelisted |
2052 | SIHClient.exe | 23.210.249.93:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
self.events.data.microsoft.com |
| whitelisted |
sls.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
MsiExec.exe | [AVX_CRT_Fix][C:\WINDOWS\Installer\MSI3F43.tmp] CPU: __isa_available = 5
|
MsiExec.exe | [AVX_CRT_Fix][C:\WINDOWS\Installer\MSI432C.tmp] CPU: __isa_available = 5
|
MsiExec.exe | [AVX_CRT_Fix][C:\WINDOWS\Installer\MSI437B.tmp] CPU: __isa_available = 5
|
MsiExec.exe | [AVX_CRT_Fix][C:\WINDOWS\Installer\MSI43AB.tmp] CPU: __isa_available = 5
|
MsiExec.exe | [AVX_CRT_Fix][C:\WINDOWS\Installer\MSI43DB.tmp] CPU: __isa_available = 5
|