File name: JPEGView32_en-us_1.0.40.msi
Full analysis: https://app.any.run/tasks/a037dd43-c96e-4b09-a43c-5ba64c782bce
Verdict: Malicious activity
Analysis date: June 27, 2022, 08:32:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Lightweight Image Viewer, Author: Kevin M (sylikc), Keywords: Installer, Comments: Installs JPEGView 1.0.40.0, Template: Intel;1033, Revision Number: {3C8C42B3-F86B-4B98-98C4-3152596FE2F3}, Create Time/Date: Wed Mar 30 21:13:02 2022, Last Saved Time/Date: Wed Mar 30 21:13:02 2022, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: 0D5449BCFE9EC6327BA435294A6ACAE4
SHA1: 6150002FA671E9C19734376E5D682FA55CCA3768
SHA256: E04F98B991A4A5BC497F968A78A990BDD3C22966388AED6CC57BEF457C01F428
SSDEEP: 24576:ec0uIH3vdktehimWpUGWeR+689jTqTbSZjI4EXnEQBE1RbeP5Ab5t:ecrIH/djhimWphWS+6EmfSZjMn+YA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • msiexec.exe (PID: 1288)
    • Loads dropped or rewritten executable
      • JPEGView.exe (PID: 2040)
      • JPEGView.exe (PID: 3192)
    • Application was dropped or rewritten from another process
      • JPEGView.exe (PID: 2040)
      • JPEGView.exe (PID: 3192)
  • SUSPICIOUS
    • Reads the computer name
      • msiexec.exe (PID: 1288)
      • JPEGView.exe (PID: 2040)
      • JPEGView.exe (PID: 3192)
    • Checks supported languages
      • msiexec.exe (PID: 1288)
      • JPEGView.exe (PID: 2040)
      • JPEGView.exe (PID: 3192)
    • Executed as Windows Service
      • vssvc.exe (PID: 4064)
    • Reads Windows owner or organization settings
      • msiexec.exe (PID: 2908)
      • msiexec.exe (PID: 1288)
    • Reads the Windows organization settings
      • msiexec.exe (PID: 2908)
      • msiexec.exe (PID: 1288)
    • Reads Environment values
      • vssvc.exe (PID: 4064)
    • Creates a directory in Program Files
      • msiexec.exe (PID: 1288)
    • Drops a file with a compile date too recent
      • msiexec.exe (PID: 1288)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 1288)
    • Changes default file association
      • msiexec.exe (PID: 1288)
    • Reads default file associations for system extensions
      • JPEGView.exe (PID: 2040)
      • JPEGView.exe (PID: 3192)
  • INFO
    • Checks supported languages
      • msiexec.exe (PID: 2908)
      • vssvc.exe (PID: 4064)
    • Reads the computer name
      • msiexec.exe (PID: 2908)
      • vssvc.exe (PID: 4064)
    • Creates files in the program directory
      • msiexec.exe (PID: 1288)
    • Manual execution by user
      • JPEGView.exe (PID: 2040)
      • JPEGView.exe (PID: 3192)
    • Dropped object may contain Bitcoin addresses
      • msiexec.exe (PID: 1288)
    • Creates a software uninstall entry
      • msiexec.exe (PID: 1288)
    • Searches for installed software
      • msiexec.exe (PID: 1288)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Lightweight Image Viewer
Author: Kevin M (sylikc)
Keywords: Installer
Comments: Installs JPEGView 1.0.40.0
Template: Intel;1033
RevisionNumber: {3C8C42B3-F86B-4B98-98C4-3152596FE2F3}
CreateDate: 2022:03:30 20:13:02
ModifyDate: 2022:03:30 20:13:02
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph (interactive version in the full report): start, msiexec.exe (no specs), msiexec.exe, vssvc.exe (no specs), jpegview.exe, jpegview.exe

Process information

PID 2908
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\JPEGView32_en-us_1.0.40.msi"
  Path: C:\Windows\System32\msiexec.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1288
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 4064
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2040
  CMD: "C:\Program Files\JPEGView\JPEGView.exe"
  Path: C:\Program Files\JPEGView\JPEGView.exe
  Parent process: Explorer.EXE
  User: admin
  Company: David Kleiner
  Integrity Level: MEDIUM
  Description: JPEGView
  Exit code: 0
  Version: 1.0.40.0

PID 3192
  CMD: "C:\Program Files\JPEGView\JPEGView.exe"
  Path: C:\Program Files\JPEGView\JPEGView.exe
  Parent process: Explorer.EXE
  User: admin
  Company: David Kleiner
  Integrity Level: MEDIUM
  Description: JPEGView
  Version: 1.0.40.0
Total events: 12 756
Read events: 12 207
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 5
Suspicious files: 6
Text files: 32
Unknown types: 6

Dropped files (all dropped by PID 1288, msiexec.exe)

Filename: C:\System Volume Information\SPP\metadata-2
  Type:
  MD5:
  SHA256:

Filename: C:\Windows\Installer\1086e5.msi
  Type: executable
  MD5: 0D5449BCFE9EC6327BA435294A6ACAE4
  SHA256: E04F98B991A4A5BC497F968A78A990BDD3C22966388AED6CC57BEF457C01F428

Filename: C:\Windows\Installer\MSI8B5A.tmp
  Type: binary
  MD5: 1D09F809077ABB1CB1F2266C8F8660CA
  SHA256: D344BDD73080A37AA37B8092E74F30C657BD0917E8A57DBF934D59DCBF1F410A

Filename: C:\Program Files\JPEGView\JPEGView.ini
  Type: text
  MD5: 531DCECF828CD2A69123CDC82E1706A8
  SHA256: D0B1DC9CA3BF8C768F905F05BE7B3589CCE46A19C47AD7DD2050963D2B8915E1

Filename: C:\Program Files\JPEGView\strings_bel.txt
  Type: text
  MD5: D9E3708BD1F2925BBF025B993A3BAD10
  SHA256: 8DB414416AC5B9E14A756A8C5FAD4B4981388BC86AEC4B3D732C47F94CC4B30D

Filename: C:\Program Files\JPEGView\JPEGView_ru.ini.tpl
  Type: ini
  MD5: 6A4FF48E249F0EFA9C49A1F624CC3152
  SHA256: A85E5EC1F9908C0F6100BE7367CDEA9A6F0BF782F1DCB555AB84B5DC6480E9AA

Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{c06ba9a0-7a5a-45f7-b0a8-e9bdf4259518}_OnDiskSnapshotProp
  Type: binary
  MD5: 9779BCC25C333D541EF9C92CE2B404A6
  SHA256: D69AE28C1E8E2C971562DEDAF53A566B8BD4F071415E7315FABFFDFD545A383A

Filename: C:\System Volume Information\SPP\snapshot-2
  Type: binary
  MD5: 9779BCC25C333D541EF9C92CE2B404A6
  SHA256: D69AE28C1E8E2C971562DEDAF53A566B8BD4F071415E7315FABFFDFD545A383A

Filename: C:\Program Files\JPEGView\KeyMap_ru.txt
  Type: text
  MD5: E9E8F8D01988B2BA0E582F1B3DFCA2D7
  SHA256: C892C119594B2CD318FF175676D4F848D19BDE71E305C98002B1DFD09DAE615F

Filename: C:\Windows\Installer\1086e6.ipi
  Type: binary
  MD5: C930184DF45CF6637391CE53E4D496F4
  SHA256: 09869A33D80C42FB286C62D817B5BB2E200348BD217E864C05E3C5142C857C10
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Debug output (Process | Message)

JPEGView.exe | Start new request:
JPEGView.exe | C:\Program Files\JPEGView\NavPanel.png
JPEGView.exe |
JPEGView.exe | Waiting for request:
JPEGView.exe | C:\Program Files\JPEGView\NavPanel.png
JPEGView.exe |
JPEGView.exe | Finished request:
JPEGView.exe | C:\Program Files\JPEGView\NavPanel.png
JPEGView.exe |
JPEGView.exe | Start new request: