| File name: | TortoiseSVN-1.14.8.29723-x64-svn-1.14.4.msi |
| Full analysis: | https://app.any.run/tasks/5757a765-bed7-4ce4-93c3-61a95de7b1a7 |
| Verdict: | Malicious activity |
| Analysis date: | October 21, 2024, 11:47:10 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Subversion Client, Author: Stefan Kueng, Keywords: Sourcecontrol;Subversion;TortoiseSVN;Shell, Comments: Windows Shell Integration For Subversion Source Control, v1.14.8.29723, Template: x64;1033, Revision Number: {D5F18CB7-6D83-4F8B-97D5-ED36C9E01CF9}, Create Time/Date: Sat Oct 5 07:09:38 2024, Last Saved Time/Date: Sat Oct 5 07:09:38 2024, Number of Pages: 405, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2 |
| MD5: | BC79CEC21A8ACC0FA0AA65DB2DC6A2EE |
| SHA1: | 3C9D5D868E93AC9038AA8C40E4B66CAB5A5D27D0 |
| SHA256: | CC4AEAE4CFE958F330A16AFC2967AB583A8FC63166DF508DBC6BDB198339DADF |
| SSDEEP: | 393216:6nZk7Gu+6zGqpsC8TTHfv/1/c50EfPg19p:u4tzLpeTHX/y5Pg1 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executes as Windows Service
- VSSVC.exe (PID: 6952)
Process drops legitimate windows executable
- msiexec.exe (PID: 7100)
The process drops C-runtime libraries
- msiexec.exe (PID: 7100)
INFO
Reads the software policy settings
- msiexec.exe (PID: 3104)
Creates files or folders in the user directory
- msiexec.exe (PID: 3104)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 3104)
An automatically generated document
- msiexec.exe (PID: 3104)
Checks supported languages
- msiexec.exe (PID: 7100)
Checks proxy server information
- msiexec.exe (PID: 3104)
Reads the computer name
- msiexec.exe (PID: 7100)
Manages system restore points
- SrTasks.exe (PID: 612)
Executable content was dropped or overwritten
- msiexec.exe (PID: 7100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | Subversion Client |
| Author: | Stefan Kueng |
| Keywords: | Sourcecontrol;Subversion;TortoiseSVN;Shell |
| Comments: | Windows Shell Integration For Subversion Source Control, v1.14.8.29723 |
| Template: | x64;1033 |
| RevisionNumber: | {D5F18CB7-6D83-4F8B-97D5-ED36C9E01CF9} |
| CreateDate: | 2024:10:05 07:09:38 |
| ModifyDate: | 2024:10:05 07:09:38 |
| Pages: | 405 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.14.1.8722) |
| Security: | Read-only recommended |
Total processes
121
Monitored processes
6
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 612 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3104 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\TortoiseSVN-1.14.8.29723-x64-svn-1.14.4.msi | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6332 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6340 | C:\Windows\syswow64\MsiExec.exe -Embedding DC02913B19CF0C9D3775AEBF2AD8F752 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6952 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7100 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
12 288
Read events
11 073
Write events
1 197
Delete events
18
Modification events
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000E2659E1BAF23DB01BC1B00001C180000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 48000000000000003EC9A01BAF23DB01BC1B00001C180000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000C101DA1BAF23DB01BC1B00001C180000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000C101DA1BAF23DB01BC1B00001C180000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 480000000000000022C9DE1BAF23DB01BC1B00001C180000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000312DE11BAF23DB01BC1B00001C180000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000E6F7421CAF23DB01BC1B00001C180000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (7100) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000C05B451CAF23DB01BC1B0000BC150000E80300000100000000000000000000005774333A8AA14B4BA5080CAB7193A50400000000000000000000000000000000 | |||
| (PID) Process: | (6952) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000B0754C1CAF23DB01281B0000F8180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
97
Suspicious files
32
Text files
182
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7100 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 7100 | msiexec.exe | C:\Windows\Installer\9b4dd.msi | — | |
MD5:— | SHA256:— | |||
| 3104 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061 | binary | |
MD5:A7E827A2B26027E46B7FAE1A76C86857 | SHA256:67F769378226EAC6E5AD004D175E7862265F4040C9B3BF3FEFE702D1CD7143F7 | |||
| 3104 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\68FAF71AF355126BCA00CE2E73CC7374_E5F521CA60C5ED8C2B4E2BF399FE2061 | der | |
MD5:81562A24E7DD131904AB69B75196B143 | SHA256:B4692243C392FD65605F1DDF4E9BBFD49B132EB7EF4C43F194BD107369DC66CA | |||
| 3104 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\856FDBDDFEAC90A3D62D621EBF196637 | binary | |
MD5:EB82FA2AA766C8BEAAC14ABE9B294CA3 | SHA256:4A9A0C925A7D06FA256ACC2D544802FA0B84A46249D45C824F98883FB8DFF9D2 | |||
| 3104 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4 | der | |
MD5:45A6F17B04529A61F0ACD92557A7463B | SHA256:C8B74B7158CAE30F4274DB5D34188BFB378A26CAEAD435765126983086E52127 | |||
| 3104 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_87238437CEFCADF00F1385E31A888EF4 | binary | |
MD5:1E8DB346C7A2268C1675B24446F5AF89 | SHA256:72E136FC98F9E5886DAD34F3649D6F4B3696588CFEF5E3B07CB10DCDBB45FD6D | |||
| 3104 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E4160FB650E5091C535216313A4ECD3_8BE90E0BC5BE0AF1B6750750F7F7A925 | binary | |
MD5:9EC95C73514F5079003D4F9EDB6B99FB | SHA256:DA58B4536BAE78A037B45DE93F77152E31E52FAFB1083D6CC74D3770EBAD7085 | |||
| 7100 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:9A6C11E4D4FD25136E29E994C72471E7 | SHA256:F9961D6F1F8236B1A13DC13E037072139C171E55979FF6AA096782C381AD53A0 | |||
| 3104 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E4160FB650E5091C535216313A4ECD3_8BE90E0BC5BE0AF1B6750750F7F7A925 | der | |
MD5:74ECE958A2C48549A813457B0744D2EF | SHA256:7FAED2A5D82AD1F2799C9BB618603FD1B49C72D9397CBAA88E38115C3954722C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
25
DNS requests
10
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6944 | svchost.exe | GET | 200 | 23.51.49.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.51.49.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.51.49.221:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3104 | msiexec.exe | GET | 200 | 2.23.84.5:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | unknown | — | — | whitelisted |
3104 | msiexec.exe | GET | 200 | 2.23.84.5:80 | http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEBu1jyUq3yMASSjJrj1%2B7Sc%3D | unknown | — | — | whitelisted |
3104 | msiexec.exe | GET | 200 | 173.222.105.28:80 | http://crl.certum.pl/ctnca.crl | unknown | — | — | whitelisted |
3104 | msiexec.exe | GET | 200 | 2.23.84.5:80 | http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRIH1V64SBkA%2BzJQVQ6VFBAcvLB3wQUtqFUOQLDoD%2BOirz61PgcptE6Dv0CEQCZo4AKJlU7ZavcboSms%2Bo5 | unknown | — | — | whitelisted |
3104 | msiexec.exe | GET | 200 | 2.23.84.31:80 | http://ccsca2021.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRxypYNH69rICCzQBIRXN0YAFa3AAQU3XRdTADbe5%2BgdMqxbvc8wDLAcM0CEC9HLyvaL3lkIY0RN3zihqE%3D | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.23.209.189:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 23.51.49.221:80 | www.microsoft.com | TM Net, Internet Service Provider | MY | whitelisted |
— | — | 23.51.49.221:80 | www.microsoft.com | TM Net, Internet Service Provider | MY | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.51.49.221:80 | www.microsoft.com | TM Net, Internet Service Provider | MY | whitelisted |
4020 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
subca.ocsp-certum.com |
| whitelisted |
crl.certum.pl |
| whitelisted |
ccsca2021.ocsp-certum.com |
| unknown |
self.events.data.microsoft.com |
| whitelisted |