analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

http://169.239.128.104/alg

Full analysis: https://app.any.run/tasks/4d694eea-20ba-4c5d-b29d-bdd1420ce259
Verdict: Malicious activity
Analysis date: March 21, 2019, 15:11:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:

D4C11BDA021113CA4604D80896B2A492

SHA1:

6F6C9D565E37D612D5494A56034BE7A117435514

SHA256:

AE2B1B1F7265386EDBBF2617084F277CDB9BC5AC34BD9AAC00CBC77A6BDCD829

SSDEEP:

6144:OENa+Dc4rPekT5sBLg6bGTCnvSxLKvSitOunZ2ze4FnPTglY61NpwoF:OEhoGPVTs0LKqxuZ2ze4R4h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 4072)

    • Application was dropped or rewritten from another process

      • nsE856.tmp (PID: 2748)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 3984)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • nsE856.tmp (PID: 2748)
      • rundll32.exe (PID: 3984)

    • Starts application with an unusual extension

      • MSIE623.tmp (PID: 1484)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3996)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3996)
      • MSIE623.tmp (PID: 1484)

    • Creates files in the user directory

      • powershell.exe (PID: 1436)

    • Uses WHOAMI.EXE to obtaining logged on user information

      • cmd.exe (PID: 3540)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 3420)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3436)

    • Searches for installed software

      • msiexec.exe (PID: 3996)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3996)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 3280)

    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 3280)

    • Loads dropped or rewritten executable

      • MSIE623.tmp (PID: 1484)

    • Application was dropped or rewritten from another process

      • MSIE623.tmp (PID: 1484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
Words: -
Pages: 100
ModifyDate: 2013:05:21 11:56:44
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
LastModifiedBy: devuser
Template: ;0
Comments: -
Keywords: -
Author: www.exetomsi.com
Subject: -
Title: Exe to msi converter free
Software: Windows Installer
CreateDate: 2012:09:21 09:56:09
LastPrinted: 2012:09:21 09:56:09
CodePage: Windows Latin 1 (Western European)
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
12
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msie623.tmp nse856.tmp cmd.exe no specs rundll32.exe cmd.exe no specs powershell.exe no specs cmd.exe no specs whoami.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1016"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\alg.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3996C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3436C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3280DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005B4" "00000398"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1484"C:\Windows\Installer\MSIE623.tmp"C:\Windows\Installer\MSIE623.tmp
msiexec.exe
User:
admin
Company:
hepsu burda
Integrity Level:
MEDIUM
Description:
hepsu burda Application
Version:
1.0.2.1
2748"C:\Users\admin\AppData\Local\Temp\nsoE836.tmp\nsE856.tmp" "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Users\admin\AppData\Local\Temp\nsoE836.tmp\nsE856.tmp
MSIE623.tmp
User:
SYSTEM
Integrity Level:
SYSTEM
3420"cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\cmd.exensE856.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3984rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\rundll32.exe
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4072cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1C:\Windows\system32\cmd.exerundll32.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1436powershell -nop -ep bypass -f C:\Users\admin\AppData\Local\Temp\enu.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
686
Read events
526
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
8
Text files
104
Unknown types
1

Dropped files

PID
Process
Filename
Type
3996msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3280DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:FCEFF71484D16E1A63A2A4F2E9FBB70F
SHA256:F8187D1A903BF5A111BCD77006BD268894DE9BD5FC21AFDB75E12BD085174DB1
3280DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
3996msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{1a55e0b7-c6fb-4281-9708-8f25c360d78b}_OnDiskSnapshotPropbinary
MD5:D32B6ED04C39A8BFA34034DDA103CA6F
SHA256:3878176AEF185D4052F1CD1449B2A09A9A5B84283FD75A838B2B6AEF50193645
3280DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:A0F1DFAD8A7998A971022A98EA945661
SHA256:E6014AF3E6DBD5908459C3C600561F29AFEA1556D3E46B461E3593A99981C125
3996msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:D32B6ED04C39A8BFA34034DDA103CA6F
SHA256:3878176AEF185D4052F1CD1449B2A09A9A5B84283FD75A838B2B6AEF50193645
3996msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF9C8890DC609D993C.TMP
MD5:
SHA256:
3436vssvc.exeC:
MD5:
SHA256:
1436powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HP5EBB7L9Y5MBHTWBZSX.temp
MD5:
SHA256:
3996msiexec.exeC:\Windows\Installer\MSIE48A.tmpbinary
MD5:EDA6B16C13759C0A3A08BF57BDB98829
SHA256:DF2DB648B032074F8CAEC15C62D16BFBFC9BD41220C035F64AF671E967D29544
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3984
rundll32.exe
POST
200
179.43.156.37:80
http://cdnavupdate.icu/jquery/jquery.php
CH
text
12 b
malicious
3984
rundll32.exe
POST
200
179.43.156.37:80
http://cdnavupdate.icu/jquery/jquery.php
CH
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3984
rundll32.exe
179.43.156.37:80
cdnavupdate.icu
Private Layer INC
CH
suspicious

DNS requests

Domain
IP
Reputation
cdnavupdate.icu
  • 179.43.156.37
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
3984
rundll32.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.icu domain
3984
rundll32.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.icu domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://169.239.128.104/alg