analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

http://169.239.128.104/alg

Full analysis: https://app.any.run/tasks/78d8d093-e1d7-4878-94d2-9fe321461332
Verdict: Malicious activity
Analysis date: March 21, 2019, 17:02:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:

D4C11BDA021113CA4604D80896B2A492

SHA1:

6F6C9D565E37D612D5494A56034BE7A117435514

SHA256:

AE2B1B1F7265386EDBBF2617084F277CDB9BC5AC34BD9AAC00CBC77A6BDCD829

SSDEEP:

6144:OENa+Dc4rPekT5sBLg6bGTCnvSxLKvSitOunZ2ze4FnPTglY61NpwoF:OEhoGPVTs0LKqxuZ2ze4R4h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 2724)

    • Application was dropped or rewritten from another process

      • ns31F2.tmp (PID: 3868)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2904)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1864)
      • MSI3099.tmp (PID: 2188)

    • Drop ExeToMSI Application

      • msiexec.exe (PID: 1864)

    • Starts CMD.EXE for commands execution

      • ns31F2.tmp (PID: 3868)
      • rundll32.exe (PID: 2724)

    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2360)

    • Starts application with an unusual extension

      • MSI3099.tmp (PID: 2188)

    • Creates files in the user directory

      • powershell.exe (PID: 2604)

    • Uses WHOAMI.EXE to obtaining logged on user information

      • cmd.exe (PID: 2636)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3980)

    • Searches for installed software

      • msiexec.exe (PID: 1864)

    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 2688)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 2688)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 1864)

    • Loads dropped or rewritten executable

      • MSI3099.tmp (PID: 2188)

    • Application was dropped or rewritten from another process

      • MSI3099.tmp (PID: 2188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LastPrinted: 2012:09:21 09:56:09
CreateDate: 2012:09:21 09:56:09
Software: Windows Installer
Title: Exe to msi converter free
Subject: -
Author: www.exetomsi.com
Keywords: -
Comments: -
Template: ;0
LastModifiedBy: devuser
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate: 2013:05:21 11:56:44
Pages: 100
Words: -
Security: None
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
12
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msi3099.tmp ns31f2.tmp cmd.exe no specs rundll32.exe cmd.exe no specs powershell.exe no specs cmd.exe no specs whoami.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2700"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\alg.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1864C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3980C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2688DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000398" "00000574"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2188"C:\Windows\Installer\MSI3099.tmp"C:\Windows\Installer\MSI3099.tmp
msiexec.exe
User:
admin
Company:
hepsu burda
Integrity Level:
MEDIUM
Description:
hepsu burda Application
Version:
1.0.2.1
3868"C:\Users\admin\AppData\Local\Temp\nss31C2.tmp\ns31F2.tmp" "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Users\admin\AppData\Local\Temp\nss31C2.tmp\ns31F2.tmp
MSI3099.tmp
User:
SYSTEM
Integrity Level:
SYSTEM
2360"cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\cmd.exens31F2.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2724rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\rundll32.exe
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2904cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1C:\Windows\system32\cmd.exerundll32.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2604powershell -nop -ep bypass -f C:\Users\admin\AppData\Local\Temp\enu.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
677
Read events
517
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
8
Text files
77
Unknown types
1

Dropped files

PID
Process
Filename
Type
1864msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1864msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:4F51BD83ADA443F03A948DC88FD23187
SHA256:2CB9095E0AD448300865AD9E19A8E322A99947999ECD12B52B34E238093D6F51
2688DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
2688DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:2EB0A4CA669F2EE44330622BDCED0E17
SHA256:01411089ED359E7AE23FB62E8527B9F66464233E6B22BD6A8232B2C8DFE37E56
2688DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:2F771CC26E2DC8D8580B1216E4E8DCBF
SHA256:A36768531251120B82EAC50BD198138B1D06FC86091EF5E734BFAAB6B980CDA5
1864msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{ef02696c-bb0e-43f4-b07a-ae5b3c2b0bd7}_OnDiskSnapshotPropbinary
MD5:4F51BD83ADA443F03A948DC88FD23187
SHA256:2CB9095E0AD448300865AD9E19A8E322A99947999ECD12B52B34E238093D6F51
1864msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF160E0D31A19155A9.TMP
MD5:
SHA256:
3980vssvc.exeC:
MD5:
SHA256:
2604powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RRWBYO4UYOWOAQEVJOR2.temp
MD5:
SHA256:
1864msiexec.exeC:\Windows\Installer\MSI3099.tmpexecutable
MD5:DDAE8B7AA9A93CE17610EB063F5838CE
SHA256:E0323064F2561AE02F9EFAE418AEAF433B3FE0E6E3A640A9C46EC404D4563DE1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2724
rundll32.exe
POST
200
179.43.156.37:80
http://cdnavupdate.icu/jquery/jquery.php
CH
text
12 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2724
rundll32.exe
179.43.156.37:80
cdnavupdate.icu
Private Layer INC
CH
suspicious

DNS requests

Domain
IP
Reputation
cdnavupdate.icu
  • 179.43.156.37
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
2724
rundll32.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.icu domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://169.239.128.104/alg