File name: apkcombovpn-x86-0.1.1.msi

Full analysis: https://app.any.run/tasks/4177ed5a-16d9-4943-ad74-2a3e2304e134
Verdict: Malicious activity
Analysis date: May 30, 2020, 01:09:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: APKCombo VPN: Fast, Modern, Secure VPN Tunnel, Author: APKCombo.com, Keywords: Installer, Comments: This installer database contains the logic and data required to install APKCombo VPN., Template: Intel;1033, Revision Number: {B2F6B482-5670-4F7A-B557-94116B5F789A}, Create Time/Date: Thu Apr 9 02:29:58 2020, Last Saved Time/Date: Thu Apr 9 02:29:58 2020, Number of Pages: 400, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4
MD5: 3670C1D3595609CCC3DB00404652D8A5
SHA1: 1F27433DCC8CF58057EC0C8BFA97ABC4992943DE
SHA256: DCC870BA4EB76D1F3B3F3BCC84CF4807709EB4C74BCD5BEC5C94723618A33CB9
SSDEEP: 98304:lvOFaSszWhQRYhgX6u8MVB6WFbay0bEiklTJPLk:l2FZ2WXhMVBpbaLAiQT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by the analyst's actions in the VM and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • MsiExec.exe (PID: 1724)
  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 1820)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1580)
      • MsiExec.exe (PID: 1724)
      • DrvInst.exe (PID: 1592)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 1580)
      • MsiExec.exe (PID: 1724)
      • DrvInst.exe (PID: 1592)
      • rundll32.exe (PID: 2368)
    • Creates files in the driver directory

      • MsiExec.exe (PID: 1724)
      • DrvInst.exe (PID: 1592)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 1592)
      • rundll32.exe (PID: 2368)
    • Executed via COM

      • DrvInst.exe (PID: 1592)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 1592)
    • Adds / modifies Windows certificates

      • MsiExec.exe (PID: 1724)
  • INFO

    • Creates files in the program directory

      • msiexec.exe (PID: 1580)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1820)
    • Application launched itself

      • msiexec.exe (PID: 1580)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3472)
      • MsiExec.exe (PID: 1724)
    • Reads settings of System Certificates

      • MsiExec.exe (PID: 1724)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 1592)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 1592)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: APKCombo VPN: Fast, Modern, Secure VPN Tunnel
Author: APKCombo.com
Keywords: Installer
Comments: This installer database contains the logic and data required to install APKCombo VPN.
Template: Intel;1033
RevisionNumber: {B2F6B482-5670-4F7A-B557-94116B5F789A}
CreateDate: 2020:04:09 01:29:58
ModifyDate: 2020:04:09 01:29:58
Pages: 400
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only enforced
All screenshots are available in the full report
Total processes: 42
Monitored processes: 7
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown ("no specs" marks a process for which no indicators were recorded): start, msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), msiexec.exe (no specs), msiexec.exe, drvinst.exe, rundll32.exe (no specs)

Process information

Columns: PID, CMD, Path, Parent process; then User, Company, Integrity Level, Description, Version.

PID 2188  msiexec.exe  (parent: explorer.exe)
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\apkcombovpn-x86-0.1.1.msi"
  Path: C:\Windows\System32\msiexec.exe
  User: admin  Integrity Level: MEDIUM
  Company: Microsoft Corporation  Description: Windows® installer  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1580  msiexec.exe  (parent: services.exe)
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  User: SYSTEM  Integrity Level: SYSTEM
  Company: Microsoft Corporation  Description: Windows® installer  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1820  vssvc.exe  (parent: services.exe)
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  User: SYSTEM  Integrity Level: SYSTEM
  Company: Microsoft Corporation  Description: Microsoft® Volume Shadow Copy Service  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3472  MsiExec.exe  (parent: msiexec.exe)
  CMD: C:\Windows\system32\MsiExec.exe -Embedding E1BADDDBC734D0B252A4D9FC47E924A0
  Path: C:\Windows\system32\MsiExec.exe
  User: admin  Integrity Level: MEDIUM
  Company: Microsoft Corporation  Description: Windows® installer  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1724  MsiExec.exe  (parent: msiexec.exe)
  CMD: C:\Windows\system32\MsiExec.exe -Embedding F58DCEDCF45E762B39C3279D34FC4EDC M Global\MSI0000
  Path: C:\Windows\system32\MsiExec.exe
  User: SYSTEM  Integrity Level: SYSTEM
  Company: Microsoft Corporation  Description: Windows® installer  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1592  DrvInst.exe  (parent: svchost.exe)
  CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{0b63d14d-1348-724e-9864-e515aa05d364}\wintun.inf" "0" "6f4a17203" "00000064" "WinSta0\Default" "00000060" "208" "C:\Windows\Temp\a5bc6555e5fd4af041215a3390b9f6074b72dbc68db8bba3282c6626e03378c3"
  Path: C:\Windows\system32\DrvInst.exe
  User: SYSTEM  Integrity Level: SYSTEM
  Company: Microsoft Corporation  Description: Driver Installation Module  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2368  rundll32.exe  (parent: DrvInst.exe)
  CMD: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5d966622-69cf-4e0f-f3e8-f857a8575129} Global\{7b9a228a-c015-5cb2-66d8-065767f86f06} C:\Windows\System32\DriverStore\Temp\{4023595c-e5f0-24a9-e2a2-e31b76c2d97a}\wintun.inf C:\Windows\System32\DriverStore\Temp\{4023595c-e5f0-24a9-e2a2-e31b76c2d97a}\wintun.cat
  Path: C:\Windows\system32\rundll32.exe
  User: SYSTEM  Integrity Level: SYSTEM
  Company: Microsoft Corporation  Description: Windows host process (Rundll32)  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
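The process table above is what an analyst would turn into detection logic. The following is an added example, not ANY.RUN's code and not part of the report: it runs a few triage rules over the process records listed above (copied from the table, with the longest command lines shortened) and reconstructs each flagged process's lineage. Assumptions: the rule names and the user-writable-path pattern are mine; the report names each parent only by image, not by PID, so lineage picks the candidate with the same user when several processes share the parent's image name. The file name wintun.inf suggests the Wintun TUN driver, but the report itself does not identify the driver.

```python
"""Triage rules over the process records of this sandbox report.

Added example, not ANY.RUN code. Records are copied from the report's
"Process information" table; parents are image names only, so lineage()
resolves them heuristically (assumption: same user wins when ambiguous).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # full path of the executable
    cmd: str      # command line as recorded (shortened for the long ones)
    user: str
    parent: str   # parent image name as reported (the report gives no parent PID)


# Constructed from the report's process table.
PROCS = [
    Proc(2188, r"C:\Windows\System32\msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\apkcombovpn-x86-0.1.1.msi"',
         "admin", "explorer.exe"),
    Proc(1580, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", "SYSTEM", "services.exe"),
    Proc(1820, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe", "SYSTEM", "services.exe"),
    Proc(3472, r"C:\Windows\system32\MsiExec.exe",
         r"C:\Windows\system32\MsiExec.exe -Embedding E1BADDDBC734D0B252A4D9FC47E924A0", "admin", "msiexec.exe"),
    Proc(1724, r"C:\Windows\system32\MsiExec.exe",
         r"C:\Windows\system32\MsiExec.exe -Embedding F58DCEDCF45E762B39C3279D34FC4EDC M Global\MSI0000",
         "SYSTEM", "msiexec.exe"),
    Proc(1592, r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{0b63d14d-1348-724e-9864-e515aa05d364}\wintun.inf" "0" "6f4a17203"',
         "SYSTEM", "svchost.exe"),
    Proc(2368, r"C:\Windows\system32\rundll32.exe",
         r"rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5d966622-69cf-4e0f-f3e8-f857a8575129}",
         "SYSTEM", "DrvInst.exe"),
]

# Assumption: "user-writable staging area" means the per-user Local\Temp directory.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
QUOTED_INF = re.compile(r'"([^"]+\.inf)"', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def msi_from_user_temp(p: Proc) -> bool:
    """msiexec /i installing a package that lives in the user's Temp directory."""
    return (basename(p.image) == "msiexec.exe" and "/i" in p.cmd.split()
            and p.cmd.lower().rstrip('"').endswith(".msi") and bool(USER_TEMP.search(p.cmd)))


def driver_inf_from_user_temp(p: Proc) -> bool:
    """DrvInst.exe (SYSTEM) handed an INF that was staged under a user-writable Temp path."""
    m = QUOTED_INF.search(p.cmd) if basename(p.image) == "drvinst.exe" else None
    return bool(m and USER_TEMP.search(m.group(1)))


def driver_install_prompt(p: Proc) -> bool:
    """rundll32 pnpui.dll,InstallSecurityPromptRunDllW under DrvInst: the driver-install consent prompt."""
    return (basename(p.image) == "rundll32.exe" and p.parent.lower() == "drvinst.exe"
            and "pnpui.dll,installsecurityprompt" in p.cmd.lower())


def elevated_msi_custom_action_server(p: Proc) -> bool:
    """MsiExec -Embedding running as SYSTEM: the elevated custom-action server (PID 1724 here),
    which is the process the report credits with the certificate-store changes."""
    return (basename(p.image) == "msiexec.exe" and "-Embedding" in p.cmd.split()
            and p.user.upper() == "SYSTEM")


RULES = {
    "msi_from_user_temp": msi_from_user_temp,
    "driver_inf_from_user_temp": driver_inf_from_user_temp,
    "driver_install_prompt": driver_install_prompt,
    "elevated_msi_custom_action_server": elevated_msi_custom_action_server,
}


def triage(procs=PROCS) -> dict:
    """Map PID -> names of the rules that fired; PIDs with no hits are omitted."""
    hits = {}
    for p in procs:
        fired = [name for name, rule in RULES.items() if rule(p)]
        if fired:
            hits[p.pid] = fired
    return hits


def lineage(pid: int, procs=PROCS) -> list:
    """Image names from the process up to the first parent not in the monitored set.
    Heuristic (assumption): among processes sharing the parent's image, prefer the same user."""
    cur, chain, seen = {p.pid: p for p in procs}[pid], [], set()
    while cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cands = [p for p in procs if basename(p.image) == cur.parent.lower() and p.pid != cur.pid]
        if not cands:
            return chain + [cur.parent.lower()]
        cur = ([p for p in cands if p.user == cur.user] or cands)[0]
    return chain  # cycle guard for malformed input


if __name__ == "__main__":
    for pid, fired in triage().items():
        print(pid, " > ".join(reversed(lineage(pid))), fired)
```

The four rules together describe the chain behind the report's indicators: a package run from the user's Temp directory, an elevated custom-action server (PID 1724) that the report credits with certificate-store and driver-directory writes, DrvInst.exe consuming an INF from a user-writable path, and the driver-install consent prompt. The caveat a practitioner should keep in mind is that this is also exactly what a legitimate WiX-built installer bundling a signed network driver does; with zero HTTP, DNS and TCP/UDP activity recorded, the sandbox verdict rests on the driver and certificate behaviour alone, so the next step is to check what certificate was added and whether the driver package is signed by a publisher you trust.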
Total events: 1 860
Read events: 496
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 8
Suspicious files: 7
Text files: 44
Unknown types: 46

Dropped files

Columns: PID, Process, Filename, [Type]; MD5 and SHA256 where the summary records them.

1580  msiexec.exe  C:\System Volume Information\SPP\metadata-2
      MD5:
      SHA256:
1580  msiexec.exe  C:\Windows\Installer\MSIE042.tmp
      MD5:
      SHA256:
1580  msiexec.exe  C:\Users\admin\AppData\Local\Temp\~DFE1100F6165D078BA.TMP
      MD5:
      SHA256:
1580  msiexec.exe  C:\Windows\Installer\MSIE288.tmp
      MD5:
      SHA256:
1820  vssvc.exe    C:
      MD5:
      SHA256:
1580  msiexec.exe  C:\System Volume Information\SPP\snapshot-2  [binary]
      MD5: 45CF32C4DE714781205E7DFB4318D124
      SHA256: 7FB9FB00EAE14FE01470AB04093BB7B720260C5D9E5B3D8103AB7E5F444E8849
1580  msiexec.exe  C:\System Volume Information\SPP\OnlineMetadataCache\{68d6c5df-a2fa-48cc-83ab-2d8db692c15a}_OnDiskSnapshotProp  [binary]
      MD5: 45CF32C4DE714781205E7DFB4318D124
      SHA256: 7FB9FB00EAE14FE01470AB04093BB7B720260C5D9E5B3D8103AB7E5F444E8849
1724  MsiExec.exe  C:\Windows\System32\DriverStore\FileRepository\netefe32.inf_x86_neutral_9590f3b23d1d64f3\netefe32.PNF  [pnf]
      MD5: F3DC42E3947A78C619D4C3C33436D3B3
      SHA256: F13AFAA7654D94F04BF14B1F32428385BE2D3049C4FA0EB234A33D0F81E2A8D9
1724  MsiExec.exe  C:\Windows\System32\DriverStore\FileRepository\netr28u.inf_x86_neutral_b42b25ec42f762c2\netr28u.PNF  [pnf]
      MD5: 2C44789099F59066490D5DB666E25389
      SHA256: A3CDE11A801B17119AE71BE811330811DFE37D485117DD9CD65E3A62D9EFE7EA
1580  msiexec.exe  C:\Windows\Installer\MSIE1AA.tmp  [binary]
      MD5: 7783EF933DF1324BD98D7F6740B596ED
      SHA256: 036AECD8BEEF46233969E6232BD5B8FE6448FBE7028204F55ACC9D6896655349
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected

No debug info