File name:

escargot-msn-7.5.0324-fr.msi

Full analysis: https://app.any.run/tasks/73b0127e-7e8a-4b1a-8720-29d47a9abe2f
Verdict: Malicious activity
Analysis date: May 22, 2018, 23:39:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MSN Messenger setup package, Author: Microsoft Corporation, Keywords: Installer,MSI,Database, Comments: MSN Messenger, Template: Intel;1036, Revision Number: {68340736-17D0-4ACA-AB16-9CF2FD600324}, Create Time/Date: Tue Jan 24 11:37:00 2006, Last Saved Time/Date: Tue Jan 24 11:37:00 2006, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML v2 (candle/light), Security: 1
MD5: F07252C94E8A87DC3C52F8E3AB753005
SHA1: CA21EACE15A77BCE2EDD0FB53D7F0C2CF66DCEF8
SHA256: AC54BEB1DD82CE47F1F5680F411438F8A5A5362714DA4E50205B363F0DDF9F29
SSDEEP: 196608:qi8b2fM1IEARgYCz7A0iFBJ9vcYVGq1Q9pG7pDRuIIb:qilfawgZz0FBJDgGZRZIb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • msiexec.exe (PID: 3588)
      • msnmsgr.exe (PID: 2624)
      • mtbs.exe (PID: 1448)
    • Application was dropped or rewritten from another process

      • msnsearch.exe (PID: 2400)
      • msnmsgr.exe (PID: 2624)
      • mtbs.exe (PID: 3340)
      • mtbs.exe (PID: 1448)
    • Changes the autorun value in the registry

      • msnsearch.exe (PID: 2400)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • msiexec.exe (PID: 3176)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3588)
      • msiexec.exe (PID: 3176)
      • msnsearch.exe (PID: 2400)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3176)
    • Creates COM task schedule object

      • msiexec.exe (PID: 3176)
    • Creates files in the user directory

      • msiexec.exe (PID: 3176)
      • mtbs.exe (PID: 1448)
    • Reads internet explorer settings

      • mtbs.exe (PID: 1448)
    • Starts Internet Explorer

      • msnmsgr.exe (PID: 2624)
  • INFO

    • Dropped object may contain URL's

      • msiexec.exe (PID: 3588)
      • msiexec.exe (PID: 3176)
      • iexplore.exe (PID: 2548)
      • msnsearch.exe (PID: 2400)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3136)
      • MsiExec.exe (PID: 2040)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3312)
    • Creates or modifies windows services

      • msiexec.exe (PID: 3176)
      • vssvc.exe (PID: 3312)
    • Application launched itself

      • msiexec.exe (PID: 3176)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3176)
    • Creates files in the program directory

      • msiexec.exe (PID: 3176)
    • Creates files in the user directory

      • iexplore.exe (PID: 2548)
    • Changes internet zones settings

      • iexplore.exe (PID: 3040)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2548)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (95.3)
.doc | Microsoft Word document (old ver.) (3.2)
. | Generic OLE2 / Multistream Compound File (1.3)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: MSN Messenger setup package
Author: Microsoft Corporation
Keywords: Installer,MSI,Database
Comments: MSN Messenger
Template: Intel;1036
RevisionNumber: {68340736-17D0-4ACA-AB16-9CF2FD600324}
CreateDate: 2006:01:24 11:37:00
ModifyDate: 2006:01:24 11:37:00
Pages: 200
Words: 2
Software: Windows Installer XML v2 (candle/light)
Security: Password protected
No data.
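The EXIF block above is ExifTool's rendering of the MSI's \x05SummaryInformation stream, an OLE property set (MS-OLEPS) in which Windows Installer gives several of the generic document fields installer-specific meanings: Template is platform;LCID (1036 is French, France), Page Count is the minimum installer version times 100, Word Count is a bit field describing the source (bit 1 set means compressed cabinets), and Revision Number carries the package code. The Python below is an added example, not ANY.RUN's or ExifTool's code. It serializes the report's values into a constructed SummaryInformation stream, parses that stream back with a small MS-OLEPS reader, and applies the installer meanings. It does not parse the compound-file container itself; to run it on the real file, extract the stream first, for instance with the third-party olefile package (OleFileIO(path).openstream("\x05SummaryInformation").read()).

```python
"""Build and parse an MSI SummaryInformation property set (MS-OLEPS), then apply
the Windows Installer meaning of its fields. Added example; the sample stream is
constructed from the values in this report, not read from the analysed file."""
import struct
from datetime import datetime, timedelta, timezone

# FMTID_SummaryInformation {F29F85E0-4FF9-1068-AB91-08002B27B3D9} in its on-disk byte order
FMTID_SUMMARY = bytes.fromhex("e0859ff2f94f6810ab9108002b27b3d9")
VT_I2, VT_I4, VT_LPSTR, VT_FILETIME = 0x0002, 0x0003, 0x001E, 0x0040
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
STREAM_HEADER_LEN = 48                                   # header with one FMTID/offset pair

PID_NAMES = {1: "CodePage", 2: "Title", 3: "Subject", 4: "Author", 5: "Keywords",
             6: "Comments", 7: "Template", 9: "RevisionNumber", 12: "CreateDate",
             13: "ModifyDate", 14: "PageCount", 15: "WordCount", 18: "AppName", 19: "Security"}


def build_summary_information(props):
    """Serialize {pid: value} as a single-section property set stream (test input only)."""
    n = len(props)
    table_len = 8 + 8 * n            # Size + NumProperties + (PID, Offset) pairs
    body, table = b"", []
    for pid, value in props.items():
        table.append(struct.pack("<II", pid, table_len + len(body)))
        if isinstance(value, str):
            raw = value.encode("cp1252") + b"\x00"                      # CodePageString, NUL-terminated
            body += struct.pack("<HHI", VT_LPSTR, 0, len(raw)) + raw + b"\x00" * (-len(raw) % 4)
        elif isinstance(value, datetime):
            d = value - EPOCH_1601                                      # exact integer arithmetic
            ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
            body += struct.pack("<HHQ", VT_FILETIME, 0, ticks)
        elif pid == 1:
            body += struct.pack("<HHhxx", VT_I2, 0, value)               # CodePage is VT_I2
        else:
            body += struct.pack("<HHi", VT_I4, 0, value)
    header = struct.pack("<HHI", 0xFFFE, 0, 0x00020006) + bytes(16)      # byte order, version, OS id, CLSID
    header += struct.pack("<I", 1) + FMTID_SUMMARY + struct.pack("<I", STREAM_HEADER_LEN)
    return header + struct.pack("<II", table_len + len(body), n) + b"".join(table) + body


def parse_summary_information(blob):
    """Return {pid: value} for the SummaryInformation section of an OLEPS stream."""
    byte_order, = struct.unpack_from("<H", blob, 0)
    if byte_order != 0xFFFE:
        raise ValueError("not an OLE property set stream")
    nsets, = struct.unpack_from("<I", blob, 24)
    fmtid = blob[28:44]
    section_off, = struct.unpack_from("<I", blob, 44)
    if nsets < 1 or fmtid != FMTID_SUMMARY:
        raise ValueError("first section is not SummaryInformation")
    _size, nprops = struct.unpack_from("<II", blob, section_off)
    props = {}
    for i in range(nprops):
        pid, off = struct.unpack_from("<II", blob, section_off + 8 + 8 * i)
        pos = section_off + off
        vtype, = struct.unpack_from("<H", blob, pos)
        pos += 4                                                         # type + padding
        if vtype == VT_I2:
            props[pid] = struct.unpack_from("<h", blob, pos)[0]
        elif vtype == VT_I4:
            props[pid] = struct.unpack_from("<i", blob, pos)[0]
        elif vtype == VT_FILETIME:
            ticks, = struct.unpack_from("<Q", blob, pos)
            props[pid] = EPOCH_1601 + timedelta(microseconds=ticks // 10)
        elif vtype == VT_LPSTR:
            size, = struct.unpack_from("<I", blob, pos)
            props[pid] = blob[pos + 4:pos + 4 + size].rstrip(b"\x00").decode("cp1252")
        else:
            props[pid] = ("unsupported type", vtype)                     # keep going, don't guess
    return props


def msi_summary(props):
    """Windows Installer's reading of the generic SummaryInformation fields."""
    platform, _, lcids = props.get(7, ";").partition(";")                # Template = platform;LCID[,LCID]
    first_lcid = lcids.split(",")[0]
    wc = props.get(15, 0)                                                # Word Count = source-type flags
    return {
        "package_code": props.get(9),                                    # Revision Number holds the PackageCode
        "platform": platform,
        "lcid": int(first_lcid) if first_lcid.isdigit() else None,
        "min_installer_version": props.get(14, 0) / 100,                 # Page Count 200 -> Installer 2.0
        "short_file_names": bool(wc & 1),
        "compressed_source": bool(wc & 2),
        "admin_image": bool(wc & 4),
        "elevated_privileges_not_required": bool(wc & 8),
        "built_with": props.get(18),
    }


# Constructed from the report's EXIF/file-info values (not bytes from the real MSI).
SAMPLE = build_summary_information({
    1: 1252, 2: "Installation Database", 3: "MSN Messenger setup package",
    4: "Microsoft Corporation", 5: "Installer,MSI,Database", 6: "MSN Messenger",
    7: "Intel;1036", 9: "{68340736-17D0-4ACA-AB16-9CF2FD600324}",
    12: datetime(2006, 1, 24, 11, 37, tzinfo=timezone.utc),
    14: 200, 15: 2, 18: "Windows Installer XML v2 (candle/light)", 19: 1,
})

if __name__ == "__main__":
    parsed = parse_summary_information(SAMPLE)
    for pid, value in parsed.items():
        print(f"{PID_NAMES.get(pid, pid)}: {value}")
    print(msi_summary(parsed))
```

The reader stops at VT_I2, VT_I4, VT_LPSTR and VT_FILETIME because those are the types the SummaryInformation set uses; anything else is reported by type number rather than guessed at. Note that the parser trusts the Size field of each string, so run it only on streams you have already bounded (a truncated or hostile stream simply yields a short string, not an exception).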
All screenshots are available in the full report
Total processes: 47
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 1

Behavior graph

[Interactive graph, rendered only in the full report. Nodes in the order shown: msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), msiexec.exe (no specs), msnsearch.exe, msnmsgr.exe (no specs), mtbs.exe (no specs), mtbs.exe, iexplore.exe, iexplore.exe. Edges are labelled "start" or "drop and start".]

Process information

One block per monitored process: PID, command line (CMD), image path, parent process, then the loaded modules.
PID: 1448
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe e
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe
Parent process: msnsearch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
MSN Toolbar setup program
Exit code:
0
Version:
01.01.2607.0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\mtbs.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 2040
CMD: C:\Windows\system32\MsiExec.exe -Embedding A72615C733B7B6A451BACE38DC27E9F3
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2400
CMD: "C:\Users\admin\AppData\Local\Temp\msnsearch.exe" /C:"mtbs.exe e"
Path: C:\Users\admin\AppData\Local\Temp\msnsearch.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
1.0.2607.0
Modules
Images
c:\users\admin\appdata\local\temp\msnsearch.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2548
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3040 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2624
CMD: "C:\Program Files\MSN Messenger\msnmsgr.exe"
Path: C:\Program Files\MSN Messenger\msnmsgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSN Messenger
Exit code:
0
Version:
7.5.0324
Modules
Images
c:\program files\msn messenger\msnmsgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3040
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: msnmsgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3136
CMD: C:\Windows\system32\MsiExec.exe -Embedding 0E49E956858689DC81CF8CA5D06E4271 C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3176
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3312
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3340
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe e
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe
Parent process: msnsearch.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSN Toolbar setup program
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this MEDIUM-integrity launch needed UAC elevation; the same image then ran as PID 1448 at HIGH integrity)
Version:
01.01.2607.0
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\mtbs.exe
c:\systemroot\system32\ntdll.dll
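The process list above is flat, so the relationship that matters most is easy to miss: mtbs.exe first runs as PID 3340 at MEDIUM integrity and exits with 3221226540, which is 0xC000042C, STATUS_ELEVATION_REQUIRED, and then runs again as PID 1448 at HIGH integrity, meaning a UAC prompt was answered in the sandbox. msnsearch.exe is an IExpress stub (file description "Win32 Cabinet Self-Extractor"): it unpacks into %TEMP%\IXP000.TMP, and the /C:"mtbs.exe e" switch overrides the package's install command. The Python below is an added example, not ANY.RUN's code. It encodes those three checks (executable running from the user temp directory, IExpress staging, elevation inferred from the exit code plus a higher-integrity relaunch) over the report's process records, transcribed inline with parents known only by name, as in the report.

```python
"""Triage a sandbox process list: executables running from the user's temp directory,
IExpress self-extractor staging, and UAC elevation inferred from an exit code of
STATUS_ELEVATION_REQUIRED. Added example; the records are transcribed from this report."""
import ntpath
import re

FIELDS = ("pid", "image", "cmd", "parent", "integrity", "exit")
# Transcribed from the Process information section (parents are given by name only).
PROCESSES = [dict(zip(FIELDS, row)) for row in [
    (3176, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", "services.exe", "SYSTEM", 0),
    (3136, r"C:\Windows\system32\MsiExec.exe", r"C:\Windows\system32\MsiExec.exe -Embedding 0E49E956858689DC81CF8CA5D06E4271 C", "msiexec.exe", "MEDIUM", 0),
    (2040, r"C:\Windows\system32\MsiExec.exe", r"C:\Windows\system32\MsiExec.exe -Embedding A72615C733B7B6A451BACE38DC27E9F3", "msiexec.exe", "MEDIUM", 0),
    (3312, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe", "services.exe", "SYSTEM", 0),
    (2400, r"C:\Users\admin\AppData\Local\Temp\msnsearch.exe", r'"C:\Users\admin\AppData\Local\Temp\msnsearch.exe" /C:"mtbs.exe e"', "msiexec.exe", "MEDIUM", 0),
    (3340, r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe", r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe e", "msnsearch.exe", "MEDIUM", 3221226540),
    (1448, r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe", r"C:\Users\admin\AppData\Local\Temp\IXP000.TMP\mtbs.exe e", "msnsearch.exe", "HIGH", 0),
    (2624, r"C:\Program Files\MSN Messenger\msnmsgr.exe", r'"C:\Program Files\MSN Messenger\msnmsgr.exe"', "explorer.exe", "MEDIUM", 0),
    (3040, r"C:\Program Files\Internet Explorer\iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome', "msnmsgr.exe", "MEDIUM", 0),
    (2548, r"C:\Program Files\Internet Explorer\iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3040 CREDAT:71937', "iexplore.exe", "LOW", 0),
]]

# Sandboxes print the exit code as an unsigned 32-bit value; these are the NTSTATUS names.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
IEXPRESS_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)   # wextract.exe staging folder
IEXPRESS_CMD = re.compile(r'\s/C:"')                               # /C: overrides the package's install command


def ntstatus_name(exit_code):
    """Name an exit code, falling back to its hex form for codes not in the table."""
    code = exit_code & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"0x{code:08X}")


def triage(processes):
    """Return (pid, rule, detail) findings, sorted by pid."""
    findings = []
    for p in processes:
        name = ntpath.basename(p["image"])
        if TEMP_DIR.search(p["image"]):
            findings.append((p["pid"], "dropped-executable",
                             f"{name} runs from the user temp directory, started by {p['parent']}"))
        if IEXPRESS_DIR.search(p["image"]) or IEXPRESS_CMD.search(p["cmd"]):
            findings.append((p["pid"], "iexpress-package",
                             f"{name} is an IExpress self-extractor or its unpacked install command"))
        if (p["exit"] & 0xFFFFFFFF) == 0xC000042C:
            # The launch failed for want of elevation; see whether the same image ran again higher.
            higher = [q for q in processes
                      if q["image"].lower() == p["image"].lower()
                      and INTEGRITY_RANK[q["integrity"]] > INTEGRITY_RANK[p["integrity"]]]
            if higher:
                findings.append((p["pid"], "uac-elevation",
                                 f"exited with {ntstatus_name(p['exit'])}; relaunched as PID "
                                 f"{higher[0]['pid']} at {higher[0]['integrity']} integrity"))
            else:
                findings.append((p["pid"], "elevation-refused",
                                 f"exited with {ntstatus_name(p['exit'])} and was not relaunched elevated"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(f"{pid:>5}  {rule:<20} {detail}")
```

The elevation rule deliberately pairs the failed launch with a higher-integrity instance of the same image instead of trusting the parent column, because the report names parents only by image and several msiexec.exe instances share that name. Run against the records above it flags PIDs 2400, 3340 and 1448 as dropped executables and IExpress artifacts, and PID 3340 as the elevation request that PID 1448 fulfilled; the system-level msiexec.exe and vssvc.exe entries produce nothing.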
Total events: 1 585
Read events: 852
Write events: 719
Delete events: 14

Modification events

PID 3176 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000001E1D303D26F2D301680C0000FC0B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

PID 3176 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000001E1D303D26F2D301680C0000FC0B0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

PID 3312 (vssvc.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000007AB68A3D26F2D301F00C0000A4080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

PID 3312 (vssvc.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000007AB68A3D26F2D301F00C0000700F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

PID 3312 (vssvc.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000007AB68A3D26F2D301F00C00003C020000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

PID 3312 (vssvc.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000007AB68A3D26F2D301F00C0000800F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

PID 3176 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 50

PID 3176 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 400000000000000004067A3D26F2D301680C0000FC0B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

PID 3176 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000005E687C3D26F2D301680C0000740D0000E80300000100000000000000000000004212DA60292D124CB8E30053CEA783C80000000000000000

PID 3312 (vssvc.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 400000000000000088DD913D26F2D301F00C0000800F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files: 20
Suspicious files: 5
Text files: 15
Unknown types: 15

Dropped files

PID   Process      Filename                                                    Type
3588  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSI955.tmp
3176  msiexec.exe  C:\System Volume Information\SPP\metadata-2
3176  msiexec.exe  C:\Windows\Installer\144da1.msi
3312  vssvc.exe    C:
3176  msiexec.exe  C:\Users\admin\AppData\Local\Temp\~DFA881B17256202DA0.TMP
3176  msiexec.exe  C:\Windows\Installer\MSI735C.tmp
3176  msiexec.exe  C:\Windows\Installer\MSI732C.tmp                            binary
3176  msiexec.exe  C:\Program Files\MSN Messenger\mailtmpl.txt                 text
3588  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSI16A4.tmp               executable
                   MD5: 416FD1413E34A2DD22D36B30A84C916F
                   SHA256: 1E14BAE53A42415A1B1F9CDDD097692BEB3C46E99F652EC618C814A8B92D813F
3176  msiexec.exe  C:\System Volume Information\SPP\snapshot-2                 binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 4
Threats: 0

HTTP requests

PID 2548 (iexplore.exe) | GET | HTTP code: none recorded | 65.55.253.15:80 | CN: US | Reputation: whitelisted
URL: http://messenger.msn.com/redirs/PORTAL.asp?GeoID=000000f4&Plcid=040c&CLCID=0409&Country=00&BrandID=msmsgs&Build=7.5.0324&OS=Win&Version=7.5

PID 2548 (iexplore.exe) | GET | HTTP code: 302 | 207.46.194.14:80 | CN: IE | Reputation: whitelisted
URL: http://g.msn.com/5meen_us/103?GeoID=000000f4&Plcid=040c&CLCID=0409&Country=00&BrandID=msmsgs&Build=7.5.0324&OS=Win&Version=7.5

PID 3040 (iexplore.exe) | GET | HTTP code: 200 | 204.79.197.200:80 | CN: US | Type: image, 237 b | Reputation: whitelisted
URL: http://www.bing.com/favicon.ico

Connections

PID   Process       IP                  Domain             ASN                    CN  Reputation
2548  iexplore.exe  65.55.253.15:80     messenger.msn.com  Microsoft Corporation  US  whitelisted
3040  iexplore.exe  204.79.197.200:80   www.bing.com       Microsoft Corporation  US  whitelisted
2548  iexplore.exe  207.46.194.14:80    g.msn.com          Microsoft Corporation  IE  whitelisted

DNS requests

Domain
IP
Reputation
runonce.msn.com
  • 23.99.81.176
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
g.msn.com
  • 207.46.194.14
whitelisted
messenger.msn.com
  • 65.55.253.15
whitelisted

Threats

No threats detected
Debug output strings

Process   Message
mtbs.exe  1347 OS: 0x6, 0x1   (OS version 6.1, i.e. the Windows 7 guest)
mtbs.exe  *** Assertion: Unknown IE Build Format (A) ***
mtbs.exe  *** Assertion: Unknown IE Major Version ***