
FoxySpar.msi

Full analysis: https://app.any.run/tasks/e460c59c-b0b4-44d3-b6d1-692848591bf2
Verdict: Malicious activity
Analysis date: January 17, 2020, 19:20:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Author: FoxySpar, Keywords: Installer, Template: Intel;1033, Revision Number: {F3E9D595-1E7E-46ED-96BE-9776910A8D8A}, Create Time/Date: Wed Dec 18 10:55:14 2019, Last Saved Time/Date: Wed Dec 18 10:55:14 2019, Number of Pages: 310, Number of Words: 2, Security: 2
MD5: C8D2BD0763239DB2C4CA364AC19E96BC
SHA1: 6B61E9800C582B48ECFC7DF7E4C4FF29BCD2466C
SHA256: A78DC162140313A35C489A72F6919D425B7F1CB57392725F4FA8C62B9AE2096B
SSDEEP: 49152:rheMLGYeGmLHZqqbWzvoq1YINULyxX9gvglTCmOt7dD5haLn:rh/LGYQMqbWzDYNLO9xu9tf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • instui.exe (PID: 1324)
      • instui.exe (PID: 3468)
    • Application was dropped or rewritten from another process

      • PService.exe (PID: 2508)
      • instui.exe (PID: 1324)
      • instui.exe (PID: 3468)
      • PService.exe (PID: 2988)
    • Changes settings of System certificates

      • instui.exe (PID: 3468)
    • Changes the autorun value in the registry

      • PService.exe (PID: 2508)
    • Writes to a start menu file

      • PService.exe (PID: 2508)
  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • instui.exe (PID: 3468)
    • Executable content was dropped or overwritten

      • PService.exe (PID: 2508)
      • msiexec.exe (PID: 1936)
    • Creates files in the program directory

      • instui.exe (PID: 3468)
      • firefox.exe (PID: 2952)
      • firefox.exe (PID: 1704)
    • Executed as Windows Service

      • vssvc.exe (PID: 2152)
    • Creates files in the user directory

      • PService.exe (PID: 2508)
      • instui.exe (PID: 3468)
      • PService.exe (PID: 2988)
    • Creates a software uninstall entry

      • PService.exe (PID: 2508)
    • Starts itself from another location

      • PService.exe (PID: 2508)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2152)
    • Creates files in the program directory

      • msiexec.exe (PID: 1936)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1936)
    • Reads CPU info

      • firefox.exe (PID: 2952)
      • firefox.exe (PID: 1704)
    • Application launched itself

      • firefox.exe (PID: 2952)
      • firefox.exe (PID: 1704)
    • Creates files in the user directory

      • firefox.exe (PID: 2952)
      • firefox.exe (PID: 1704)
    • Reads Internet Cache Settings

      • firefox.exe (PID: 1704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: Read-only recommended
Words: 2
Pages: 310
ModifyDate: 2019:12:18 10:55:14
CreateDate: 2019:12:18 10:55:14
RevisionNumber: {F3E9D595-1E7E-46ED-96BE-9776910A8D8A}
Template: Intel;1033
Keywords: Installer
Author: FoxySpar
Title: Installation Database
CodePage: Windows Latin 1 (Western European)
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 22
Malicious processes: 2
Suspicious processes: 2

Behavior graph

Interactive graph not reproduced here; processes shown in it: msiexec.exe, vssvc.exe, instui.exe, pservice.exe, firefox.exe, pingsender.exe

Process information

PID 2448 | Parent process: explorer.exe
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\FoxySpar.msi"
  Path: C:\Windows\System32\msiexec.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows® installer | Exit code: 0 | Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1936 | Parent process: services.exe
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Windows® installer | Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2152 | Parent process: services.exe
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1324 | Parent process: msiexec.exe
  CMD: "C:\Program Files\foxyspar\ff\instui.exe" /starter
  Path: C:\Program Files\foxyspar\ff\instui.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 0

PID 3468 | Parent process: msiexec.exe
  CMD: "C:\Program Files\foxyspar\ff\instui.exe" /install /url=? /preurl=? /uinsturl=? /waitforenterprise=0 /forceenterprise=0 /tag=?
  Path: C:\Program Files\foxyspar\ff\instui.exe
  User: admin | Integrity Level: MEDIUM | Exit code: 80000

PID 2508 | Parent process: instui.exe
  CMD: "C:\Program Files\foxyspar\ff\PService.exe" 183865836.1224242629F62D337B81813E76858E958FD4C5DC98D3DFE3A5EEE1F537393F42333B044C4452 183865836.F0FF08514B4E3F56
  Path: C:\Program Files\foxyspar\ff\PService.exe
  User: admin | Company: Service Software | Integrity Level: MEDIUM
  Description: Service | Exit code: 0 | Version: 1.0.0.0

PID 1524 | Parent process: instui.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -new-window "C:\Program Files\foxyspar\ff\foxyspar-1.0.1-fx.xpi"
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity Level: MEDIUM
  Description: Firefox | Exit code: 0 | Version: 68.0.1

PID 2952 | Parent process: firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -new-window "C:\Program Files\foxyspar\ff\foxyspar-1.0.1-fx.xpi"
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity Level: MEDIUM
  Description: Firefox | Exit code: 0 | Version: 68.0.1

PID 2988 | Parent process: PService.exe
  CMD: "C:\Users\admin\AppData\Roaming\PService Software\PService.exe"
  Path: C:\Users\admin\AppData\Roaming\PService Software\PService.exe
  User: admin | Company: Service Software | Integrity Level: MEDIUM
  Description: Service | Version: 1.0.0.0

PID 3092 | Parent process: firefox.exe
  CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.0.402914269\1593731857" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1172 gpu
  Path: C:\Program Files\Mozilla Firefox\firefox.exe
  User: admin | Company: Mozilla Corporation | Integrity Level: MEDIUM
  Description: Firefox | Exit code: 1 | Version: 68.0.1
Total events: 2 151
Read events: 1 810
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 9
Suspicious files: 110
Text files: 56
Unknown types: 83

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1936 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | | |
2152 | vssvc.exe | C: | | |
1936 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF3653C7EE75D5436A.TMP | | |
1936 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | B6075EAFAF897E56017BE0D700549908 | B0CF71C4461379E2D8BB347F3F04C584384DA8910CDAE0B47A75227BF68E55C1
1936 | msiexec.exe | C:\Windows\Installer\MSID8B7.tmp | binary | 98B5F160E5E191C51A67DC90670BE04F | 6C85DB3E3207F3921C0525618388903039A3BC32E4FE1FE2F6C4D682994D2412
2508 | PService.exe | C:\Users\admin\AppData\Roaming\PService Software\init.params | text | 69C858EEEA39EA67AFC92BAE174C4032 | 1D88A845EE16C1438C36761416E3FD149BE6E12B940ACF4579D0D7385124F54C
1936 | msiexec.exe | C:\Windows\Installer\{F5C3B9AF-DE19-47B8-B240-284E26FA0220}\PRODUCT_ICON | image | BDB93ACA74B49DC4598FF2869D818694 | F076C9CC75BDB79C0C9D5EE7FAAC2B8EBCD10CF8D79BA0E52D9B7281590BF730
1936 | msiexec.exe | C:\Windows\Installer\39d319.msi | executable | C8D2BD0763239DB2C4CA364AC19E96BC | A78DC162140313A35C489A72F6919D425B7F1CB57392725F4FA8C62B9AE2096B
1936 | msiexec.exe | C:\Program Files\foxyspar\ff\foxyspar-1.0.1-fx.xpi | compressed | 2EF40156CB4944C1E84FE072C15871EF | 7E7FD834A0E799182AFAA9F783C6C04B13C7350E67BB0F2F7928CE7E71A982CC
2508 | PService.exe | C:\Users\admin\AppData\Roaming\PService Software\PService.exe | executable | 16A954DEA9598B3D4C2E583508F7FD06 | 4E6646DEA5C5D1BE48E920A23C4C455ADB41F7543B3EA32442B82AE0FC6BA408
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 46
DNS requests: 82
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
1704 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
1704 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2952 | firefox.exe | POST | 200 | 172.217.22.67:80 | http://ocsp.pki.goog/gts1o1 | US | der | 471 b | whitelisted
2952 | firefox.exe | POST | 200 | 2.21.242.220:80 | http://ocsp.int-x3.letsencrypt.org/ | NL | der | 527 b | whitelisted
2952 | firefox.exe | POST | 200 | 172.217.22.67:80 | http://ocsp.pki.goog/gts1o1 | US | der | 471 b | whitelisted
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2952 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | | whitelisted
2952 | firefox.exe | 172.217.22.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2952 | firefox.exe | 54.69.207.70:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
3468 | instui.exe | 63.34.125.24:443 | www.foxyspar.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | unknown
2952 | firefox.exe | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2952 | firefox.exe | 52.222.174.142:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown
2952 | firefox.exe | 34.215.87.43:443 | services.addons.mozilla.org | Amazon.com, Inc. | US | unknown
2952 | firefox.exe | 52.89.218.39:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown
2952 | firefox.exe | 63.34.125.24:443 | www.foxyspar.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | unknown
2988 | PService.exe | 63.34.125.24:443 | www.foxyspar.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | unknown

DNS requests

Domain | IP | Reputation
www.foxyspar.com | 63.34.125.24 | unknown
detectportal.firefox.com | 2.16.186.50, 2.16.186.112 | whitelisted
a1089.dscd.akamai.net | 2.16.186.112, 2.16.186.50 | whitelisted
search.services.mozilla.com | 52.89.218.39, 35.164.109.147, 52.35.182.58 | whitelisted
search.r53-2.services.mozilla.com | 52.35.182.58, 35.164.109.147, 52.89.218.39 | whitelisted
push.services.mozilla.com | 52.24.205.129, 35.161.236.240 | whitelisted
autopush.prod.mozaws.net | 52.24.205.129, 35.161.236.240 | whitelisted
snippets.cdn.mozilla.net | 52.222.174.142, 52.222.174.154, 52.222.174.186, 52.222.174.150 | whitelisted
d228z91au11ukj.cloudfront.net | 52.222.174.150, 52.222.174.186, 52.222.174.154, 52.222.174.142 | whitelisted
services.addons.mozilla.org | 34.215.87.43, 54.148.19.119, 52.24.83.3, 52.27.163.166, 52.32.60.169, 52.10.136.27 | whitelisted

Threats

PID | Process | Class | Message
 | | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
 | | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
 | | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD
No debug info