File name:

5411ADS002F1SS14D12222S1.msi

Full analysis: https://app.any.run/tasks/487bec1b-ce30-49c3-bd95-225de13c4c12
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: August 07, 2020, 07:19:00
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
generated-doc
trojan
ursa
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft V2x, Author: m1n64bi6, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft V2x., Template: Intel;15370, Revision Number: {637B171A-DD76-44A8-8EFF-EA1BBF81694D}, Create Time/Date: Thu Aug 6 02:39:02 2020, Last Saved Time/Date: Thu Aug 6 02:39:02 2020, Number of Pages: 121, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

AF986079C015D5863207770C3C55E041

SHA1:

53661279500A7354FDAC7149E312B2AB2D7FE9A4

SHA256:

C45C0F433E89B12751DF0EE039C4AD4A83C94330BF7DB27536C5CF85AA422B26

SSDEEP:

384:j1W43all+etg5PPRARUFievgqdMjIZG/FhCy1oXgysgXK:HIqxievB7ZmF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URSA was detected

      • WScript.exe (PID: 2572)
    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 5984)
  • SUSPICIOUS

    • Connects to server without host name

      • WScript.exe (PID: 2572)
    • Executes scripts

      • MsiExec.exe (PID: 2576)
    • Executed via COM

      • DllHost.exe (PID: 1688)
      • RuntimeBroker.exe (PID: 4524)
      • DllHost.exe (PID: 3184)
      • SystemSettings.exe (PID: 3688)
      • ApplicationFrameHost.exe (PID: 4132)
      • backgroundTaskHost.exe (PID: 5500)
      • SpeechRuntime.exe (PID: 6092)
      • DllHost.exe (PID: 5580)
      • RuntimeBroker.exe (PID: 3420)
      • SystemSettings.exe (PID: 2540)
      • backgroundTaskHost.exe (PID: 5504)
      • SpeechRuntime.exe (PID: 4892)
    • Low-level read access rights to disk partition

      • srtasks.exe (PID: 76)
      • srtasks.exe (PID: 4916)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4452)
    • Checks supported languages

      • SystemSettings.exe (PID: 3688)
      • backgroundTaskHost.exe (PID: 5500)
      • CompMgmtLauncher.exe (PID: 5428)
      • SystemSettings.exe (PID: 2540)
      • backgroundTaskHost.exe (PID: 5504)
    • Creates files in the user directory

      • SystemSettings.exe (PID: 3688)
      • SystemSettings.exe (PID: 2540)
    • Reads the machine GUID from the registry

      • backgroundTaskHost.exe (PID: 5500)
      • SystemSettings.exe (PID: 3688)
      • SpeechRuntime.exe (PID: 6092)
      • mmc.exe (PID: 5984)
      • SystemSettings.exe (PID: 2540)
      • backgroundTaskHost.exe (PID: 5504)
      • SpeechRuntime.exe (PID: 4892)
    • Searches for installed software

      • systempropertiesprotection.exe (PID: 6000)
    • Creates files in the Windows directory

      • systempropertiesprotection.exe (PID: 6000)
      • rstrui.exe (PID: 4584)
    • Removes files from Windows directory

      • systempropertiesprotection.exe (PID: 6000)
    • Application launched itself

      • rstrui.exe (PID: 5116)
    • Creates files in the program directory

      • SystemSettings.exe (PID: 2540)
  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 4452)
    • Manual execution by user

      • rundll32.exe (PID: 5652)
      • CompMgmtLauncher.exe (PID: 5428)
      • control.exe (PID: 5724)
      • systempropertiesprotection.exe (PID: 6000)
      • systempropertiesprotection.exe (PID: 4892)
      • runonce.exe (PID: 4976)
      • msiexec.exe (PID: 1084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Microsoft V2x
Author: m1n64bi6
Keywords: Installer
Comments: This installer database contains the logic and data required to install Microsoft V2x.
Template: Intel;15370
RevisionNumber: {637B171A-DD76-44A8-8EFF-EA1BBF81694D}
CreateDate: 2020:08:06 01:39:02
ModifyDate: 2020:08:06 01:39:02
Pages: 121
Words: 10
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
259
Monitored processes
32
Malicious processes
1
Suspicious processes
9

Behavior graph

start msiexec.exe no specs msiexec.exe msiexec.exe no specs #URSA wscript.exe srtasks.exe no specs conhost.exe no specs msiexec.exe no specs runtimebroker.exe no specs WebPlatStorageBrokerServer no specs WebPlatformStorageServer no specs systemsettings.exe applicationframehost.exe no specs backgroundtaskhost.exe no specs speechruntime.exe rundll32.exe no specs compmgmtlauncher.exe no specs mmc.exe no specs mmc.exe control.exe no specs COpenControlPanel no specs systempropertiesprotection.exe no specs systempropertiesprotection.exe srtasks.exe no specs conhost.exe no specs runtimebroker.exe no specs systemsettings.exe no specs backgroundtaskhost.exe no specs speechruntime.exe runonce.exe rstrui.exe no specs rstrui.exe no specs msiexec.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 76
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\WINDOWS\system32\srtasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\spp.dll
PID: 1084
CMD: "C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\admin\Downloads\5411ADS002F1SS14D12222S1.msi"
Path: C:\WINDOWS\System32\msiexec.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1603
Version:
5.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1196
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\WINDOWS\system32\conhost.exe
Parent process: srtasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1612
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\5411ADS002F1SS14D12222S1.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1603
Version:
5.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1688
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
Path: C:\WINDOWS\system32\DllHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 2540
CMD: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
Path: C:\Windows\ImmersiveControlPanel\SystemSettings.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Settings
Exit code:
1
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\immersivecontrolpanel\systemsettings.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID: 2572
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\D68.vbs"
Path: C:\WINDOWS\SysWOW64\WScript.exe
Parent process: MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 2576
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding FD3A530297D07555070FD2DA08B2FE43 C
Path: C:\Windows\syswow64\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 2656
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 5718628913980F40806DDB115FE63A86
Path: C:\Windows\syswow64\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID: 3184
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
Path: C:\WINDOWS\system32\DllHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
1073807364
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
Total events
6 703
Read events
6 207
Write events
485
Delete events
11

Modification events

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
Operation: write
Name: JITDebug
Value: 0

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
Operation: write
Name: VBSFile_.vbs
Value: 0

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\WScript.exe.FriendlyAppName
Value: Microsoft ® Windows Based Script Host

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\WScript.exe.ApplicationCompany
Value: Microsoft Corporation

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2576) MsiExec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (4452) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4800000000000000B1988B138B6CD60164110000A8030000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
1
Suspicious files
14
Text files
2
Unknown types
6

Dropped files

PID: 4452
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

PID: 3184
Process: DllHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb
Type:
MD5:
SHA256:

PID: 3184
Process: DllHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.jfm
Type:
MD5:
SHA256:

PID: 3184
Process: DllHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb.log
Type:
MD5:
SHA256:

PID: 3688
Process: SystemSettings.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NEQWLV3CB5VHKA34WIOH.temp
Type:
MD5:
SHA256:

PID: 6000
Process: systempropertiesprotection.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

PID: 2540
Process: SystemSettings.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2RC3GHW23FC9IIGK4MJA.temp
Type:
MD5:
SHA256:

PID: 4452
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5:
SHA256:

PID: 2576
Process: MsiExec.exe
Filename: C:\Users\Public\D68.vbs
Type: text
MD5:
SHA256:

PID: 3184
Process: DllHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edbtmp.log
Type: mp3
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
6
Threats
2

HTTP requests

PID: 2572
Process: WScript.exe
Method: POST
HTTP Code: 200
IP: 104.44.143.28:80
URL: http://104.44.143.28/bd23.php
CN: US
Type: text
Size: 5.56 Kb
Reputation: malicious

Connections

PID: 2572
Process: WScript.exe
IP: 104.44.143.28:80
Domain:
ASN: Microsoft Corporation
CN: US
Reputation: malicious

PID: 2716
Process: svchost.exe
IP: 23.32.10.77:443
Domain: fs.microsoft.com
ASN: Telia Company AB
CN: NL
Reputation: unknown

PID: 3688
Process: SystemSettings.exe
IP: 152.199.19.161:443
Domain: onecs-live.azureedge.net
ASN: MCI Communications Services, Inc. d/b/a Verizon Business
CN: US
Reputation: whitelisted

PID: 6092
Process: SpeechRuntime.exe
IP: 51.11.168.232:443
Domain: settings-win.data.microsoft.com
ASN: Microsoft Corporation
CN: GB
Reputation: suspicious

PID: 4892
Process: SpeechRuntime.exe
IP: 51.11.168.232:443
Domain: settings-win.data.microsoft.com
ASN: Microsoft Corporation
CN: GB
Reputation: suspicious

PID: 2168
Process: svchost.exe
IP: 51.11.168.232:443
Domain: settings-win.data.microsoft.com
ASN: Microsoft Corporation
CN: GB
Reputation: suspicious

PID:
Process:
IP: 204.79.197.200:443
Domain: www.bing.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

DNS requests

Domain: fs.microsoft.com
IP: 23.32.10.77
Reputation: whitelisted

Domain: onecs-live.azureedge.net
IP: 152.199.19.161
Reputation: whitelisted

Domain: settings-win.data.microsoft.com
IP: 51.11.168.232
Reputation: whitelisted

Domain: www.bing.com
IP: 204.79.197.200
Reputation: whitelisted

Threats

PID: 2572
Process: WScript.exe
Class: A Network Trojan was detected
Message: LOADER [PTsecurity] Script.Ursa
1 ETPRO signatures available at the full report
Debug messages

Process: mmc.exe
Message: ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode

Process: mmc.exe
Message: ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode

Process: mmc.exe
Message: ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode

Process: mmc.exe
Message: ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementUI.CombinedControls.EventsNode

Process: mmc.exe
Message: AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerExtension