analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

http://169.239.128.104/alg

Full analysis: https://app.any.run/tasks/981396f5-b44f-4ccf-a56f-337c22ee1ad3
Verdict: Malicious activity
Analysis date: March 21, 2019, 15:06:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
exe-to-msi
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5:

D4C11BDA021113CA4604D80896B2A492

SHA1:

6F6C9D565E37D612D5494A56034BE7A117435514

SHA256:

AE2B1B1F7265386EDBBF2617084F277CDB9BC5AC34BD9AAC00CBC77A6BDCD829

SSDEEP:

6144:OENa+Dc4rPekT5sBLg6bGTCnvSxLKvSitOunZ2ze4FnPTglY61NpwoF:OEhoGPVTs0LKqxuZ2ze4R4h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 3604)
    • Application was dropped or rewritten from another process

      • ns3BA6.tmp (PID: 3032)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 3948)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • MSI3A8C.tmp (PID: 2444)
    • Executable content was dropped or overwritten

      • MSI3A8C.tmp (PID: 2444)
      • msiexec.exe (PID: 2320)
    • Drop ExeToMSI Application

      • msiexec.exe (PID: 2320)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 3572)
    • Starts CMD.EXE for commands execution

      • rundll32.exe (PID: 3948)
      • ns3BA6.tmp (PID: 3032)
    • Creates files in the user directory

      • powershell.exe (PID: 2560)
  • INFO

    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 3628)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 2320)
    • Searches for installed software

      • msiexec.exe (PID: 2320)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2148)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 3628)
    • Application was dropped or rewritten from another process

      • MSI3A8C.tmp (PID: 2444)
    • Loads dropped or rewritten executable

      • MSI3A8C.tmp (PID: 2444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
LastPrinted: 2012:09:21 09:56:09
CreateDate: 2012:09:21 09:56:09
Software: Windows Installer
Title: Exe to msi converter free
Subject: -
Author: www.exetomsi.com
Keywords: -
Comments: -
Template: ;0
LastModifiedBy: devuser
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate: 2013:05:21 11:56:44
Pages: 100
Words: -
Security: None
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
10
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msi3a8c.tmp ns3ba6.tmp cmd.exe no specs rundll32.exe cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2708"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\alg.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2320C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2148C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3628DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000398" "00000574"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2444"C:\Windows\Installer\MSI3A8C.tmp"C:\Windows\Installer\MSI3A8C.tmp
msiexec.exe
User:
admin
Company:
hepsu burda
Integrity Level:
MEDIUM
Description:
hepsu burda Application
Version:
1.0.2.1
3032"C:\Users\admin\AppData\Local\Temp\nsm3B96.tmp\ns3BA6.tmp" "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Users\admin\AppData\Local\Temp\nsm3B96.tmp\ns3BA6.tmp
MSI3A8C.tmp
User:
SYSTEM
Integrity Level:
SYSTEM
3572"cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\cmd.exens3BA6.tmp
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3948rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, segaC:\Windows\system32\rundll32.exe
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3604cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1C:\Windows\system32\cmd.exerundll32.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2560powershell -nop -ep bypass -f C:\Users\admin\AppData\Local\Temp\enu.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
672
Read events
512
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
8
Text files
94
Unknown types
1

Dropped files

PID
Process
Filename
Type
2320msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2320msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:1099098F0248AC4CB751B2FE63768247
SHA256:5C02C4B76C84C6B95DEA608064972503AE49153CE362231C1A533349E886F040
3628DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:2B5D017B83C676E68E516E7A9CDA6991
SHA256:B482948D35A30E294881ACFC2978E41CA583E8A327FAF2160974A5E26E279588
3628DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
3628DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:484179E82C2FBEEDE7CC8413E43B410F
SHA256:4D9746762DD8FA2AAFC3FC46020560E15B78F2C90F17FC5E28179D077D88CABA
2320msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{038f43a5-4f9d-423d-a6a8-89c82307f652}_OnDiskSnapshotPropbinary
MD5:1099098F0248AC4CB751B2FE63768247
SHA256:5C02C4B76C84C6B95DEA608064972503AE49153CE362231C1A533349E886F040
2320msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF6E14BEC33CC2DC8E.TMP
MD5:
SHA256:
2148vssvc.exeC:
MD5:
SHA256:
2560powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VXAX75SUHKGAZHQ14XDY.temp
MD5:
SHA256:
2320msiexec.exeC:\Windows\Installer\1032ac.ipibinary
MD5:5E661337C990B6C8F54664786733C6CD
SHA256:EEDDA7ECFEC81533DCBC71FAA3F5CD4BD89DB41D4D02EF863003CBBBED9D0F1F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3948
rundll32.exe
179.43.156.37:80
cdnavupdate.icu
Private Layer INC
CH
suspicious

DNS requests

Domain
IP
Reputation
cdnavupdate.icu
  • 179.43.156.37
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
3948
rundll32.exe
Potentially Bad Traffic
ET INFO HTTP POST Request to Suspicious *.icu domain
No debug info