analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Downloaded093.msi

Full analysis: https://app.any.run/tasks/a87e0b88-40ec-4d4f-9f87-6839c16a832f
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: September 11, 2019, 03:59:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
trojan
banload
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {5E720F7C-17F8-4670-A9F0-704B42FD4A4B}, Number of Words: 10, Subject: Google Crash Handler, Author: Google Crash Handler, Name of Creating Application: Advanced Installer 12.3 build 64631, Template: ;1046, Comments: Google Crash Handler Google Crash Handler.
MD5:

7AC62D9BFBA8887DEDC6E2686EB08464

SHA1:

715A870A0B356E5BF6DEF5765FF1177E4D4EB117

SHA256:

D09BC288923966F6D93A2C2DC0FA794B37610E78101CA49BD61368ABA8D3FAD6

SSDEEP:

12288:aXBGcY5AUrxiOH/t2S4TuHJTEl3SdQshdkP77GqUTqp4nb0j:aXBGcY5AUrv/t2S/HJTEl3S2shd47qWn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • GCYBYRISYHGW.exe (PID: 3452)
    • Loads dropped or rewritten executable

      • GCYBYRISYHGW.exe (PID: 3452)
      • SearchProtocolHost.exe (PID: 752)
    • BANLOAD was detected

      • MsiExec.exe (PID: 4020)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2908)
    • Writes to a start menu file

      • GCYBYRISYHGW.exe (PID: 3452)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2976)
      • MsiExec.exe (PID: 4020)
      • GCYBYRISYHGW.exe (PID: 3452)
    • Creates files in the user directory

      • MsiExec.exe (PID: 4020)
      • GCYBYRISYHGW.exe (PID: 3452)
    • Reads Environment values

      • GCYBYRISYHGW.exe (PID: 3452)
    • Uses REG.EXE to modify Windows registry

      • MsiExec.exe (PID: 4020)
  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 4020)
    • Application launched itself

      • msiexec.exe (PID: 2976)
    • Creates files in the program directory

      • MsiExec.exe (PID: 4020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Title: Installation Database
Keywords: Installer, MSI, Database
LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Pages: 200
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {5E720F7C-17F8-4670-A9F0-704B42FD4A4B}
Words: 10
Subject: Google Crash Handler
Author: Google Crash Handler
LastModifiedBy: -
Software: Advanced Installer 12.3 build 64631
Template: ;1046
Comments: Google Crash Handler Google Crash Handler.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start msiexec.exe no specs msiexec.exe #BANLOAD msiexec.exe reg.exe gcybyrisyhgw.exe searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3384"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Downloaded093.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2976C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
4020C:\Windows\system32\MsiExec.exe -Embedding 0EA0AD5251DB491789D9C0AAD0475E1CC:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2908"C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\Run" /v GCYBYRISYHGW /t reg_sz /d C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exeC:\Windows\System32\reg.exe
MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3452"C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exe" C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exe
MsiExec.exe
User:
admin
Company:
Disc Soft Ltd
Integrity Level:
MEDIUM
Description:
Disc Soft Bus Service Pro
Version:
8.2.1.0709
752"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Total events
859
Read events
806
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
4
Text files
13
Unknown types
3

Dropped files

PID
Process
Filename
Type
2976msiexec.exeC:\Windows\Installer\MSI9E78.tmp
MD5:
SHA256:
2976msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFD24CDD6BB451AD2C.TMP
MD5:
SHA256:
2976msiexec.exeC:\Windows\Installer\MSI9F55.tmp
MD5:
SHA256:
4020MsiExec.exeC:\Users\Public\Documents\GCYBYRISYHGW\imgengine.dll
MD5:
SHA256:
2976msiexec.exeC:\Windows\Installer\MSIDD79.tmp
MD5:
SHA256:
4020MsiExec.exeC:\Users\Public\Documents\GCYBYRISYHGW_GCYBYRISYHGW_GCYBYRISYHGW.zipcompressed
MD5:F7085BDEA1B9C8FAC9F8BE125D3B3BCC
SHA256:CAF6114102115C349D1C5EEAF8C048C55EF8C7403A5B8222330B91C3BA20A77B
2976msiexec.exeC:\Windows\Installer\169d50.ipibinary
MD5:7434111C81ABE95BC268BA0EA41D4797
SHA256:5A57127A7F641B7CFB5801D2F22F8F4328F2F0F193FFDDE74288DDC6C3395864
2976msiexec.exeC:\Windows\Installer\169d4e.msiexecutable
MD5:7AC62D9BFBA8887DEDC6E2686EB08464
SHA256:D09BC288923966F6D93A2C2DC0FA794B37610E78101CA49BD61368ABA8D3FAD6
2976msiexec.exeC:\Windows\Installer\MSI9F44.tmpbinary
MD5:0D03A275D9A80A9784E2B8A611D9264F
SHA256:E70E37A767FA7CF9ED65C7DD2F2E967B50EA16D683C6F4516ABACD85F9C95B9D
2976msiexec.exeC:\Config.Msi\169d51.rbs
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3452
GCYBYRISYHGW.exe
POST
5.57.226.202:80
http://natalsemfome2019.webcindario.com/avisos/
ES
malicious
4020
MsiExec.exe
GET
200
15.222.6.255:80
http://15.222.6.255/puma.zip
US
compressed
13.0 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3452
GCYBYRISYHGW.exe
5.57.226.202:80
natalsemfome2019.webcindario.com
ServiHosting Networks S.L.
ES
malicious
4020
MsiExec.exe
15.222.6.255:80
Hewlett-Packard Company
US
malicious

DNS requests

Domain
IP
Reputation
natalsemfome2019.webcindario.com
  • 5.57.226.202
malicious

Threats

PID
Process
Class
Message
4020
MsiExec.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
4020
MsiExec.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan.Loader (Trojan.Agent.DDSA) Requesting Zip Archive
1 ETPRO signatures available at the full report
No debug info