File name:

3CXPhone6.msi

Full analysis: https://app.any.run/tasks/4fd8126b-559d-4c51-be5c-49be1af396b4
Verdict: Malicious activity
Analysis date: April 10, 2019, 13:43:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {D205D479-89C2-4B2C-BA1E-426411082CBF}, Number of Words: 2, Subject: 3CXPhone, Author: 3CX, Name of Creating Application: Advanced Installer 9.2 build 44805, Template: ;1033, Comments: This installer database contains the logic and data required to install 3CXPhone.
MD5:

CEEC4DBD300086C8F052BDC51D287CA5

SHA1:

5F36BC56D6D4484D4557092F4BEFE8F280EE0C1B

SHA256:

ABC2869C39480F0040D872679B961BCD565DB1D8FD1F79DE99FEFC78A88D10CF

SSDEEP:

393216:cC2sv/LoSsfbZv+6wuZebE8osHeht3QCBe2iLftp:cC2kolv+6w4gMs0SCwLff

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 3CXPhone.exe (PID: 2156)
      • 3CXPhoneLookup.exe (PID: 3948)
      • 3CXPhoneLookup.exe (PID: 344)

    • Loads dropped or rewritten executable

      • 3CXPhone.exe (PID: 2156)

  • SUSPICIOUS

    • Creates COM task schedule object

      • msiexec.exe (PID: 2168)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2168)
      • 3CXPhoneLookup.exe (PID: 3948)

    • Starts itself from another location

      • 3CXPhoneLookup.exe (PID: 3948)

  • INFO

    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 1012)

    • Application launched itself

      • msiexec.exe (PID: 2168)

    • Searches for installed software

      • msiexec.exe (PID: 2168)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3544)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 1012)

    • Creates files in the program directory

      • msiexec.exe (PID: 2168)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 2168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Title: Installation Database
Keywords: Installer, MSI, Database
LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Pages: 200
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {D205D479-89C2-4B2C-BA1E-426411082CBF}
Words: 2
Subject: 3CXPhone
Author: 3CX
LastModifiedBy: -
Software: Advanced Installer 9.2 build 44805
Template: ;1033
Comments: This installer database contains the logic and data required to install 3CXPhone.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
11
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start msiexec.exe no specs msiexec.exe msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs msiexec.exe no specs HNetCfg.FwPolicy2 no specs 3cxphone.exe no specs 3cxphonelookup.exe 3cxphonelookup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
344"C:\Users\admin\AppData\Local\3CX VoIP Phone\Updater\3CXPhoneLookup.exe" C:\Program Files\3CXPhoneC:\Users\admin\AppData\Local\3CX VoIP Phone\Updater\3CXPhoneLookup.exe3CXPhoneLookup.exe
User:
admin
Company:
3CX Ltd
Integrity Level:
MEDIUM
Description:
3CXPhone lookup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\3cx voip phone\updater\3cxphonelookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
580C:\Windows\system32\MsiExec.exe -Embedding 5E56E138F50E8115F3AD180E5027BB91 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1012DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000580" "00000388"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1356C:\Windows\system32\MsiExec.exe -Embedding A70E42B104F80F5E4DDC221E59E954BBC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2156"C:\Program Files\3CXPhone\3CXPhone.exe" C:\Program Files\3CXPhone\3CXPhone.exeMsiExec.exe
User:
admin
Company:
3CX Ltd
Integrity Level:
MEDIUM
Description:
3CX VoIP Phone
Exit code:
0
Version:
6.0.26523.0
Modules
Images
c:\program files\3cxphone\3cxphone.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\3cxphone\3cxvoipphone.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
2168C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2688"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\3CXPhone6.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3524C:\Windows\system32\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}C:\Windows\system32\DllHost.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3544C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3948"C:\Program Files\3CXPhone\3CXPhoneLookup.exe" 3CXPhoneC:\Program Files\3CXPhone\3CXPhoneLookup.exe
3CXPhone.exe
User:
admin
Company:
3CX Ltd
Integrity Level:
MEDIUM
Description:
3CXPhone lookup
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\3cxphone\3cxphonelookup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
2 012
Read events
1 069
Write events
931
Delete events
12

Modification events

(PID) Process:(2688) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2168) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
400000000000000016D22376A3EFD4017808000018070000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2168) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
400000000000000016D22376A3EFD4017808000018070000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2168) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
20
(PID) Process:(2168) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4000000000000000BEA67976A3EFD4017808000018070000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2168) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
400000000000000018097C76A3EFD4017808000000090000E8030000010000000000000000000000EC18EDCEA98FBD40A0E4975BCBD00B630000000000000000
(PID) Process:(3544) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000009CE09376A3EFD401D80D0000980F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3544) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000009CE09376A3EFD401D80D0000E8080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3544) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000009CE09376A3EFD401D80D0000B80A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3544) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000009CE09376A3EFD401D80D0000000F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files
34
Suspicious files
29
Text files
89
Unknown types
22

Dropped files

PID
Process
Filename
Type
2688msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI49D7.tmp
MD5:
SHA256:
2688msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI4A55.tmp
MD5:
SHA256:
2688msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI4A66.tmp
MD5:
SHA256:
2688msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI4A86.tmp
MD5:
SHA256:
2688msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI6718.tmp
MD5:
SHA256:
2168msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2168msiexec.exeC:\Windows\Installer\11abbe.msi
MD5:
SHA256:
2168msiexec.exeC:\Windows\Installer\MSIB1D8.tmp
MD5:
SHA256:
2168msiexec.exeC:\Windows\Installer\MSIB2D3.tmp
MD5:
SHA256:
2168msiexec.exeC:\Windows\Installer\MSIB2F3.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3CXPhone6.msi