File name: Win10-11_System_Upgrade_Software.msi
Full analysis: https://app.any.run/tasks/34d76413-b1d3-44dd-93da-c6d6ced7858b
Verdict: Malicious activity
Analysis date: June 27, 2022, 07:49:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installer, Author: Corporation, Keywords: Installer, Comments: Installer Package, Template: Intel;1033, Revision Number: {323ACFE5-7C97-4597-A9FE-8A49A51E8C26}, Create Time/Date: Sun May 1 19:49:30 2022, Last Saved Time/Date: Sun May 1 19:49:30 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4993), Security: 2
MD5: 2B48B51F91A115230DBA7030DAACBA7D
SHA1: 70F26D8E84EED67ACAE9A527B081E79CDA6B02C1
SHA256: CEBDB409042982A38E58542510D3A5316CF16C191649EAF1C18E00C963900EE2
SSDEEP: 1536:B80S9FvvdT38jyGT2qY4QSDk00Dg1V75fmDoDuNp/+0D80Dc7fx:I9Jlz8jyGT/+uLx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • msiexec.exe (PID: 3236)
  • SUSPICIOUS
    • Reads Windows owner or organization settings
      • msiexec.exe (PID: 2848)
      • msiexec.exe (PID: 3236)
    • Reads the Windows organization settings
      • msiexec.exe (PID: 2848)
      • msiexec.exe (PID: 3236)
    • Executed as Windows Service
      • vssvc.exe (PID: 584)
    • Reads the computer name
      • msiexec.exe (PID: 3236)
      • MsiExec.exe (PID: 2852)
    • Reads Environment values
      • vssvc.exe (PID: 584)
    • Checks supported languages
      • msiexec.exe (PID: 3236)
      • MsiExec.exe (PID: 2852)
    • Drops a file with a compile date too recent
      • msiexec.exe (PID: 3236)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 3236)
  • INFO
    • Checks supported languages
      • msiexec.exe (PID: 2848)
      • vssvc.exe (PID: 584)
    • Reads the computer name
      • msiexec.exe (PID: 2848)
      • vssvc.exe (PID: 584)
    • Checks Windows Trust Settings
      • msiexec.exe (PID: 2848)
      • msiexec.exe (PID: 3236)
    • Reads settings of System Certificates
      • msiexec.exe (PID: 2848)
      • msiexec.exe (PID: 3236)
    • Application launched itself
      • msiexec.exe (PID: 3236)
    • Creates a software uninstall entry
      • msiexec.exe (PID: 3236)
    • Searches for installed software
      • msiexec.exe (PID: 3236)
No Malware configuration.

TRiD: .msi | Microsoft Installer (100)

EXIF (FlashPix)

Security: Read-only recommended
Software: Windows Installer XML Toolset (3.11.2.4993)
Words: 10
Pages: 200
ModifyDate: 2022:05:01 18:49:30
CreateDate: 2022:05:01 18:49:30
RevisionNumber: {323ACFE5-7C97-4597-A9FE-8A49A51E8C26}
Template: Intel;1033
Comments: Installer Package
Keywords: Installer
Author: Corporation
Subject: Installer
Title: Installation Database
CodePage: Windows Latin 1 (Western European)
No data.
Total processes: 38
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process nodes, in order): start; msiexec.exe (no specs); msiexec.exe; vssvc.exe (no specs); msiexec.exe (no specs)

Process information

PID: 2848
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\Win10-11_System_Upgrade_Software.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 3236
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 584
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2852
CMD: C:\Windows\system32\MsiExec.exe -Embedding 0E819103D9B68E86DBDBDF89ADCF3329
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 7 990
Read events: 7 734
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 3
Suspicious files: 6
Text files: 0
Unknown types: 3

Dropped files (all written by PID 3236, msiexec.exe)

Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

Filename: C:\Users\admin\AppData\Local\vf5oc48d7
Type:
MD5:
SHA256:

Filename: C:\Windows\Installer\106ce6.ipi
Type: binary
MD5: 83615EFF3019035BD0EC71CB5ACB9E21
SHA256: 38A458AEC2BE05DD3D0C22620963F291DF8C3BC9DCEE5124E6FB5C52B4FFAD31

Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{1e83cc31-63f6-4e3e-8033-164c392eb1d3}_OnDiskSnapshotProp
Type: binary
MD5: 8D93C598E4A07FC1FE4BCA5E37BAB225
SHA256: 3BA511DB3B473A5ECE5E0C59CAEFEF22984A8559B6CC641C476A23A16FE6899E

Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 8D93C598E4A07FC1FE4BCA5E37BAB225
SHA256: 3BA511DB3B473A5ECE5E0C59CAEFEF22984A8559B6CC641C476A23A16FE6899E

Filename: C:\Users\admin\AppData\Local\Temp\~DF668B3BC726633F95.TMP
Type: gmc
MD5: 6DFC84E6DBC2C0810AF3517D196DB894
SHA256: EABBA198DD6D248CB06410851A44E12927E37E6A8CA92E575009BE397B1A5265

Filename: C:\Config.Msi\106ce7.rbs
Type: binary
MD5: D76A8A9ABC1DC6104367CEC7509637C1
SHA256: A1AA2B82561703A74EE183185BCFF242709D0666259E1C91426A6F907BD09161

Filename: C:\Users\admin\AppData\Local\Temp\~DF1F3877E376F25A93.TMP
Type: gmc
MD5: E6C50DC27706CCBE7E66FE724FE8FF65
SHA256: 3D5CC6CCC72749941C8E40358382693D5E76D6CECDB6FDA7AA9BBADD3031B7A9

Filename: C:\Windows\Installer\106ce8.msi
Type: executable
MD5: 2B48B51F91A115230DBA7030DAACBA7D
SHA256: CEBDB409042982A38E58542510D3A5316CF16C191649EAF1C18E00C963900EE2

Filename: C:\Windows\Installer\SourceHash{1C3CB2C0-D617-49E0-B091-FDF56D0A8A3D}
Type: binary
MD5: 303C754A16186BDB1D558D135BBB714A
SHA256: 65E9679D4E2C62A427B81AE432E64E437268DA24E70DC3FF7F2F7DF341F6B393
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections: No data
DNS requests: No data
Threats: No threats detected
No debug info