File name: 1XMLIMG1911-1958682032_.zip
Full analysis: https://app.any.run/tasks/f9b1d0d6-e828-4df4-9c3f-bc03f2ff5ee4
Verdict: Malicious activity
Analysis date: October 09, 2019, 17:13:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: data
MD5: 155182584992C8E4F717CB64E08C7AC4
SHA1: BFF088121F847544885C709656083CB4F580A440
SHA256: C304D47F318FDE337BCB32B22A1938A544B0835169DDE182A40820666A01B169
SSDEEP: 6144:jOdsD1vjSQA6z87QbskebenZVSRqQPWcXFyr:IIvj/A6zFbTyYZYkazYr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • msiexec.exe (PID: 3468)
    • Writes to a start menu file
      • MsiExec.exe (PID: 3056)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 3468)
      • WinRAR.exe (PID: 2912)
      • msiexec.exe (PID: 3260)
    • Starts Microsoft Installer
      • WinRAR.exe (PID: 2912)
    • Executed as Windows Service
      • vssvc.exe (PID: 3156)
    • Executed via COM
      • DrvInst.exe (PID: 3364)
    • Creates files in the user directory
      • MsiExec.exe (PID: 3056)
  • INFO
    • Loads dropped or rewritten executable
      • MsiExec.exe (PID: 2668)
      • MsiExec.exe (PID: 2864)
      • MsiExec.exe (PID: 3056)
    • Application launched itself
      • msiexec.exe (PID: 3260)
    • Searches for installed software
      • msiexec.exe (PID: 3260)
    • Low-level read access rights to disk partition
      • vssvc.exe (PID: 3156)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 9
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order listed by the report ("no specs" is the report's own marker):
  • start
  • winrar.exe
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • vssvc.exe (no specs)
  • drvinst.exe (no specs)
  • msiexec.exe

Process information

PID 2912  WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1XMLIMG1911-1958682032_.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3468  msiexec.exe
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2912.23469\1SCX7734769589574545.msi"
  Path: C:\Windows\System32\msiexec.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3260  msiexec.exe
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2864  MsiExec.exe
  CMD: C:\Windows\system32\MsiExec.exe -Embedding 74D0DC856EAAF8DFD79FD4BB19B1FC00 C
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3812  msiexec.exe
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2912.23546\1SCX7734769589574545.msi"
  Path: C:\Windows\System32\msiexec.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2668  MsiExec.exe
  CMD: C:\Windows\system32\MsiExec.exe -Embedding 8168C7AD0F4DB7D1C47D1B42A385B2BA C
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3156  vssvc.exe
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3364  DrvInst.exe
  CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000390" "000005BC"
  Path: C:\Windows\system32\DrvInst.exe
  Parent process: svchost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Driver Installation Module
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3056  MsiExec.exe
  CMD: C:\Windows\system32\MsiExec.exe -Embedding 43530338BA8696290EE91D5C5F39F1C1
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)
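The process chain above (WinRAR.exe extracting an .msi into its Rar$EXa<pid>.<n> scratch directory and handing it to msiexec.exe /i, followed by the per-package MsiExec.exe -Embedding workers that load the package's custom-action code) is the part of this report worth turning into a detection. The script below is an added example, not part of the ANY.RUN report or its tooling: it runs two process-tree rules over records constructed from the table above. The Proc/Finding types, the rule names, and the 7-Zip entries in ARCHIVERS are this example's own assumptions; the report only shows WinRAR.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Archiver images that unpack into a scratch directory and launch the
# extracted file from there. WinRAR (Rar$EXa<pid>.<n> under %TEMP%) is the
# one seen in the report; the 7-Zip entries are an assumption.
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}

# msiexec install switch followed by a quoted or bare .msi path.
MSI_INSTALL = re.compile(r'(?i)(?:^|\s)/i\s+"?([^"]+\.msi)"?')
# WinRAR's per-extraction scratch directory.
RAR_TEMP = re.compile(r'(?i)\\Temp\\Rar\$EXa\d+\.\d+\\')


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str   # executable name as logged
    cmd: str     # full command line
    parent: str  # parent image name (the report records names, not PIDs)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def archive_to_msiexec(p: Proc) -> Optional[Finding]:
    """msiexec.exe installing an .msi straight out of an archiver's scratch dir."""
    if p.image.lower() != "msiexec.exe" or p.parent.lower() not in ARCHIVERS:
        return None
    m = MSI_INSTALL.search(p.cmd)
    if m is None or RAR_TEMP.search(m.group(1)) is None:
        return None
    return Finding(p.pid, "archive_to_msiexec",
                   f"{p.parent} -> msiexec /i {m.group(1)}")


def msiexec_ca_server(p: Proc) -> Optional[Finding]:
    """Windows Installer custom-action server (MsiExec.exe -Embedding <GUID>).

    These per-package workers load the package's custom-action DLLs, which is
    where 'Loads dropped or rewritten executable' hits land."""
    if (p.image.lower() == "msiexec.exe" and p.parent.lower() == "msiexec.exe"
            and "-embedding" in p.cmd.lower()):
        return Finding(p.pid, "msiexec_ca_server", p.cmd)
    return None


RULES: List[Callable[[Proc], Optional[Finding]]] = [archive_to_msiexec, msiexec_ca_server]


def scan(procs: List[Proc]) -> List[Finding]:
    """Apply every rule to every record; output order follows the input."""
    findings = []
    for p in procs:
        for rule in RULES:
            f = rule(p)
            if f is not None:
                findings.append(f)
    return findings


# Constructed from the report's process table (PID, image, command line,
# parent image). Service-side and snapshot processes are kept so the rules
# have benign records to pass over.
SAMPLE = [
    Proc(2912, "WinRAR.exe",
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1XMLIMG1911-1958682032_.zip"',
         "explorer.exe"),
    Proc(3468, "msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2912.23469\1SCX7734769589574545.msi"',
         "WinRAR.exe"),
    Proc(3260, "msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", "services.exe"),
    Proc(2864, "MsiExec.exe",
         r"C:\Windows\system32\MsiExec.exe -Embedding 74D0DC856EAAF8DFD79FD4BB19B1FC00 C",
         "msiexec.exe"),
    Proc(3812, "msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2912.23546\1SCX7734769589574545.msi"',
         "WinRAR.exe"),
    Proc(3156, "vssvc.exe", r"C:\Windows\system32\vssvc.exe", "services.exe"),
    Proc(3056, "MsiExec.exe",
         r"C:\Windows\system32\MsiExec.exe -Embedding 43530338BA8696290EE91D5C5F39F1C1",
         "msiexec.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"PID {f.pid:<5} {f.rule:<20} {f.detail}")
```

The first rule is the one to alert on: a user-launched archiver is not a normal parent for msiexec.exe, and an .msi path under Rar$EXa means the package was run straight from the archive rather than saved and inspected. The second rule is context rather than an alert on its own; every MSI install spawns custom-action servers, but matching them to the install that spawned them is what tells you which package the dropped DLLs belong to.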
Total events: 1 295
Read events: 1 097
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 6
Text files: 30
Unknown types: 2

Dropped files

PID   Process      Filename (Type, MD5 and SHA256 shown where the report provides them)
3468  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIAF97.tmp
3468  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIAFB7.tmp
3468  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIB006.tmp
3812  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIB10D.tmp
3812  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIB18B.tmp
3812  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIB19C.tmp
3812  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIB1CC.tmp
3260  msiexec.exe  C:\System Volume Information\SPP\metadata-2
3468  msiexec.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD  (Type: der)
                   MD5: DB78CBD190952735D940BC80AC2432C0
                   SHA256: 1A5174980A294A528A110726D5855650266C48D9883BEA692B67B6D726DA98C5
3260  msiexec.exe  C:\Users\admin\AppData\Local\Temp\~DF45F0438323D2D206.TMP
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

  PID: 3468
  Process: msiexec.exe
  Method: GET
  HTTP Code: 200
  IP: 91.199.212.52:80
  URL: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
  CN: GB
  Type: der
  Size: 1.37 Kb
  Reputation: whitelisted

Note: an msiexec.exe fetch of an issuer certificate (.crt) from crt.usertrust.com that lands in CryptnetUrlCache is CryptoAPI building the certificate chain (AIA fetching) while Windows Installer validates the package's Authenticode signature; it is the signature check, not the payload calling home. The "Changes settings of System certificates" hit on the same PID is plausibly the same chain-building activity, so check the registry and file writes in the full report before treating either as command-and-control.

Connections

  PID: 3468
  Process: msiexec.exe
  IP: 91.199.212.52:80
  Domain: crt.usertrust.com
  ASN: Comodo CA Ltd
  CN: GB
  Reputation: suspicious

DNS requests

  Domain: crt.usertrust.com
  IP: 91.199.212.52
  Reputation: whitelisted

Threats

No threats detected
No debug info