File: m.msi

Full analysis: https://app.any.run/tasks/ef3f7d11-f857-4bf5-b642-467ca364d4ed
Verdict: Malicious activity
Threats: Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: September 18, 2019, 15:26:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exe-to-msi, keylogger, stealer, agenttesla, evasion, trojan, rat
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5: E1187446B82007244423DB661D42C75B
SHA1: 88E248A6A7DE40018016AE30E3078EF306F51A8D
SHA256: D09B1EFF231E9C63F4C08977BE903BF5BF59749D7FF09A53C83B1B2DD6F67F55
SSDEEP: 12288:QETB1wFG2PfpUv+27iFfcAsrybKzMOXKqxDacvZIfXgR:QETB+ziv+20fzKyGzJKKacv2fXq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • MSIDAA7.tmp (PID: 3156)
    • AGENTTESLA was detected
      • MSIDAA7.tmp (PID: 3156)
    • Actions look like stealing of personal data
      • MSIDAA7.tmp (PID: 3156)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 2996)
    • Executed via COM
      • DrvInst.exe (PID: 3272)
    • Drop ExeToMSI Application
      • msiexec.exe (PID: 2996)
    • Executed as Windows Service
      • vssvc.exe (PID: 2844)
    • Checks for external IP
      • MSIDAA7.tmp (PID: 3156)
  • INFO
    • Application was dropped or rewritten from another process
      • MSIDAA7.tmp (PID: 3156)
      • MSIDAA7.tmp (PID: 3028)
    • Searches for installed software
      • msiexec.exe (PID: 2996)
    • Application launched itself
      • MSIDAA7.tmp (PID: 3028)
    • Starts application with an unusual extension
      • msiexec.exe (PID: 2996)
      • MSIDAA7.tmp (PID: 3028)
    • Low-level read access rights to disk partition
      • vssvc.exe (PID: 2844)
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
Words: -
Pages: 100
ModifyDate: 2013:05:21 11:56:44
RevisionNumber: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
LastModifiedBy: devuser
Template: ;0
Comments: -
Keywords: -
Author: www.exetomsi.com
Subject: -
Title: Exe to msi converter free
Software: Windows Installer
CreateDate: 2012:09:21 09:56:09
LastPrinted: 2012:09:21 09:56:09
CodePage: Windows Latin 1 (Western European)
No data.
Total processes: 40
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes shown in the graph (legend terms: start, drop and start, no specs): msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), drvinst.exe (no specs), msidaa7.tmp (no specs), msidaa7.tmp (#AGENTTESLA)

Process information

PID 3548
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\m.msi"
  Path: C:\Windows\System32\msiexec.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2996
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 2844
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3272
  CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005B8" "000002D4"
  Path: C:\Windows\system32\DrvInst.exe
  Parent process: svchost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Driver Installation Module
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3028
  CMD: "C:\Windows\Installer\MSIDAA7.tmp"
  Path: C:\Windows\Installer\MSIDAA7.tmp
  Parent process: msiexec.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Version: 4.00.0003

PID 3156
  CMD: "C:\Windows\Installer\MSIDAA7.tmp"
  Path: C:\Windows\Installer\MSIDAA7.tmp
  Parent process: MSIDAA7.tmp
  User: SYSTEM
  Integrity Level: SYSTEM
  Version: 4.00.0003
Total events: 562
Read events: 375
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 8
Text files: 31
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2996 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | - | - | -
2996 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF44FD150016733E28.TMP | - | - | -
2844 | vssvc.exe | C: | - | - | -
2996 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF02174F2FFDB5A471.TMP | - | - | -
3272 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 8F761032829FB6121AEE77E26DC667A6 | F83E1592023B7C8F6C15847F26D30770C0A52E6C7304DBA951EEA437E2737649
3272 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | C9E61D51F3405E9D2C38DA06643E17CB | 9E514DA32089D29795125724F7AB4F5CD8BE0FB31902818C0776BDBF1C063A0D
2996 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{ded73bc9-cedc-4bb3-8990-421982d72687}_OnDiskSnapshotProp | binary | 34B175118678FB5D34110BD740F05D91 | 41207C3FEE9E34D474D456EB7A289836480DB95001E444A3E9BEDFB119DBD451
3156 | MSIDAA7.tmp | C:\Users\admin\AppData\Local\Temp\637044208737607500_d51e3681-ad01-4127-8c4f-757119576d1d.db | sqlite | 0B3C43342CE2A99318AA0FE9E531C57B | 0CCB4915E00390685621DA3D75EBFD5EDADC94155A79C66415A7F4E9763D71B8
3028 | MSIDAA7.tmp | C:\Users\admin\AppData\Local\Temp\~DFF7E8CA6FC28CB377.TMP | binary | C2F41702C4363264B40EA6753EAFA2EC | 2C1552C0FD2DB6621D747645AED52AB748C5BEF4C1D111BAF708139211426B7D
2996 | msiexec.exe | C:\Config.Msi\16d47e.rbs | binary | 4D8302B0389FD56258E6D138C1A2B989 | C557B894585EA4A99762F99E171BD8D8D9B2027374456715F55D94FECF6CD103

(A "-" marks a field the report left empty.)
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3156 | MSIDAA7.tmp | GET | 200 | 34.196.181.158:80 | http://checkip.amazonaws.com/ | US | text | 14 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3156 | MSIDAA7.tmp | 34.196.181.158:80 | checkip.amazonaws.com | Amazon.com, Inc. | US | shared

DNS requests

Domain | IP | Reputation
checkip.amazonaws.com | 34.196.181.158, 52.55.255.113, 18.214.132.216, 18.205.71.63, 3.224.145.145, 52.44.169.135 | shared

Threats

PID | Process | Class | Message
3156 | MSIDAA7.tmp | A Network Trojan was detected | MALWARE [PTsecurity] AgentTesla IP Check
2 ETPRO signatures available at the full report
No debug info