analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

http://169.239.128.104/alg

Full analysis: https://app.any.run/tasks/61269748-01bb-4094-bfa9-dafa3c3a7432
Verdict: Malicious activity
Analysis date: March 21, 2019, 15:52:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:

D4C11BDA021113CA4604D80896B2A492

SHA1:

6F6C9D565E37D612D5494A56034BE7A117435514

SHA256:

AE2B1B1F7265386EDBBF2617084F277CDB9BC5AC34BD9AAC00CBC77A6BDCD829

SSDEEP:

6144:OENa+Dc4rPekT5sBLg6bGTCnvSxLKvSitOunZ2ze4FnPTglY61NpwoF:OEhoGPVTs0LKqxuZ2ze4R4h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • nsEEAF.tmp (PID: 3872)

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 1360)

    • Executes PowerShell scripts

      • cmd.exe (PID: 3384)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1376)
      • MSIECAB.tmp (PID: 1588)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 1376)

    • Starts application with an unusual extension

      • MSIECAB.tmp (PID: 1588)

    • Starts CMD.EXE for commands execution

      • nsEEAF.tmp (PID: 3872)
      • rundll32.exe (PID: 1360)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 1892)

    • Creates files in the user directory

      • powershell.exe (PID: 2452)

  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 1376)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 1052)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3984)

    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 1052)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 1376)

    • Loads dropped or rewritten executable

      • MSIECAB.tmp (PID: 1588)

    • Application was dropped or rewritten from another process

      • MSIECAB.tmp (PID: 1588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LastPrinted: 2012:09:21 09:56:09
CreateDate: 2012:09:21 09:56:09
Software: Windows Installer
Title: Exe to msi converter free
Subject: -
Author: www.exetomsi.com
Keywords: -
Comments: -
Template: ;0
LastModifiedBy: devuser
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate: 2013:05:21 11:56:44
Pages: 100
Words: -
Security: None
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
10
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiecab.tmp nseeaf.tmp cmd.exe no specs rundll32.exe cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1332"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\alg.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1376C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3984C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1052DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005B4" "00000398"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1588"C:\Windows\Installer\MSIECAB.tmp"C:\Windows\Installer\MSIECAB.tmp
msiexec.exe
User:
admin
Company:
hepsu burda
Integrity Level:
MEDIUM
Description:
hepsu burda Application
Version:
1.0.2.1
3872"C:\Users\admin\AppData\Local\Temp\nsrEE9F.tmp\nsEEAF.tmp" "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Users\admin\AppData\Local\Temp\nsrEE9F.tmp\nsEEAF.tmp
MSIECAB.tmp
User:
SYSTEM
Integrity Level:
SYSTEM
1892"cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\cmd.exensEEAF.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1360rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\rundll32.exe
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3384cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1C:\Windows\system32\cmd.exerundll32.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2452powershell -nop -ep bypass -f C:\Users\admin\AppData\Local\Temp\enu.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
687
Read events
527
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
8
Text files
117
Unknown types
1

Dropped files

PID
Process
Filename
Type
1376msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1376msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:117C9878FC1443ADEE68021D634CF9FE
SHA256:4C9C606DB2E7B7F31A5591449D20F57213A98D63C3EE952BA93391BE215EA0A5
1376msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{1a55e0b7-c6fb-4281-9708-8f25c360d78b}_OnDiskSnapshotPropbinary
MD5:117C9878FC1443ADEE68021D634CF9FE
SHA256:4C9C606DB2E7B7F31A5591449D20F57213A98D63C3EE952BA93391BE215EA0A5
1052DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
1052DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:05ED8BC44B1283E83389A42A3C9D1CDA
SHA256:67C658323DF834C256496EAFD0D6801CED8A08D7DA6C02F027C46DC489D6BB02
1052DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:4112CACAB9A8CFD8B971214E38D75BDC
SHA256:1235F01B3E69B8800268136315A8CFDD0663F0FC5EFBED9E1DA27C945CF29725
1376msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF483DC014CFAB63E4.TMP
MD5:
SHA256:
3984vssvc.exeC:
MD5:
SHA256:
2452powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CMW0FMS1YZ89PW4HUBAH.temp
MD5:
SHA256:
1588MSIECAB.tmpC:\Users\admin\AppData\Local\Temp\xmlparse.dllexecutable
MD5:6675C63A2534FD65B3B2DA751F2B393F
SHA256:BEE3B2710F7E874CE05E6B8B45CC20E021B9C00EE337238598E71E7315128333
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1360
rundll32.exe
POST
179.43.156.37:80
http://cdnavupdate.icu/jquery/jquery.php
CH
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1360
rundll32.exe
179.43.156.37:80
cdnavupdate.icu
Private Layer INC
CH
suspicious

DNS requests

Domain
IP
Reputation
cdnavupdate.icu
  • 179.43.156.37
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://169.239.128.104/alg