File name:

SophosConnect_2.3.2_IPsec_and_SSLVPN.msi

Full analysis: https://app.any.run/tasks/618afa4b-0026-4437-93b5-d79c37c52504
Verdict: Malicious activity
Analysis date: October 17, 2024, 16:31:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Sophos Connect , Author: Sophos Ltd, Keywords: Installer, Comments: This installer database contains the logic and data required to install Sophos Connect., Create Time/Date: Mon Sep 30 15:42:36 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Template: Intel;1033, Last Saved By: Intel;1033, Revision Number: {0596D786-CC21-44C5-BE09-52DDCDB6EC47}2.3.2.0927;{EC141CBD-B3C6-4860-B341-22FB7E99E4EF}2.3.2.0927;{5A9E3376-BF41-425C-B0E8-318388686A58}, Number of Pages: 200, Number of Characters: 0
MD5:

6C6F4B88D531EF7057F8FAAFC16C48A0

SHA1:

F4A8A23C1703AA8C13B3BD6ECD5E637D0953A389

SHA256:

E40DCCBF21FACA80496B84E2533C10D911DACD2D89D80D80631751D833B126F1

SSDEEP:

98304:C6IdjRfW0SHBkV385I55sFUufSyFNq/Iy8RiTneBrgRTLraWtu+hyR4hIcHojvHs:8Rr+Aiw65Kr+y2bioAank4C+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 8024)

    • Executes as Windows Service

      • scvpn.exe (PID: 7316)
      • charon-svc.exe (PID: 4464)
      • openvpnserv.exe (PID: 6308)
      • VSSVC.exe (PID: 7080)

    • Drops a system driver (possible attempt to evade defenses)

      • drvinst.exe (PID: 6556)
      • msiexec.exe (PID: 6044)
      • drvinst.exe (PID: 6272)

    • Executable content was dropped or overwritten

      • drvinst.exe (PID: 6272)
      • drvinst.exe (PID: 6556)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6044)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6044)

  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 6508)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6508)

    • Create files in a temporary directory

      • msiexec.exe (PID: 6508)

    • Reads the software policy settings

      • msiexec.exe (PID: 6508)

    • Manages system restore points

      • SrTasks.exe (PID: 7680)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6044)
      • msiexec.exe (PID: 6508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Sophos Connect Installer
Author: Sophos Ltd
Keywords: Installer
Comments: This installer database contains the logic and data required to install Sophos Connect.
RevisionNumber: {BFD4050E-9881-4FB7-9DF2-E45AEDF65670}
CreateDate: 2024:09:30 15:41:32
ModifyDate: 2024:09:30 15:41:32
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
Template: Intel;1033,1031,1034,1036,1040,1041,1042,1046,2052,1028
LastModifiedBy: Intel;1033
Characters: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
22
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe vssvc.exe no specs sppextcomobj.exe no specs slui.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs taskkill.exe no specs conhost.exe no specs msiexec.exe no specs tapinstall.exe no specs conhost.exe no specs drvinst.exe drvinst.exe charon-svc.exe no specs slui.exe no specs openvpnserv.exe no specs scvpn.exe no specs msiexec.exe no specs scgui.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3276C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
4088C:\Windows\syswow64\MsiExec.exe -Embedding A72E689CBA7B6E82361C9B22AE46A8C2 CC:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
4464"C:\Program Files (x86)\Sophos\Connect\charon-svc.exe"C:\Program Files (x86)\Sophos\Connect\charon-svc.exeservices.exe
User:
SYSTEM
Integrity Level:
SYSTEM
5332"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailableC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
6044C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetapinstall.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
6272DrvInst.exe "4" "1" "c:\program files (x86)\sophos\connect\tapdriver\win10amd64\oemvista.inf" "9" "4da5a64bf" "0000000000000174" "WinSta0\Default" "00000000000001D0" "208" "c:\program files (x86)\sophos\connect\tapdriver\win10amd64"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
6308"C:\Program Files (x86)\Sophos\Connect\openvpnserv.exe"C:\Program Files (x86)\Sophos\Connect\openvpnserv.exeservices.exe
User:
SYSTEM
Company:
The OpenVPN Project
Integrity Level:
SYSTEM
Description:
OpenVPN Service
Version:
2.6.10.0
6508"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\SophosConnect_2.3.2_IPsec_and_SSLVPN.msiC:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
6556DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:3beb73aff103cc24:tapSophos.ndi:1.0.0.0:tapsophos," "4da5a64bf" "00000000000001F4"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Total events
2 634
Read events
2 634
Write events
0
Delete events
0

Modification events

No data
Executable files
30
Suspicious files
43
Text files
50
Unknown types
6

Dropped files

PID
Process
Filename
Type
6044msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6044msiexec.exeC:\Windows\Installer\91939.msi
MD5:
SHA256:
6508msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBder
MD5:65E2192E4DC04FC206F436F9A86E1023
SHA256:8DF5FB73B8F3F863F2829E3911CD5446C5426437EC869BB87309C639EDE8AEC8
6044msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:2B14FD45FD0592973EABC8B7D5B0861B
SHA256:7916918D4008692DDCAE54DE120A50346DBA8DB332FB0D07C904072527272E35
6508msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BD99E049BBF0D523D53FBF6DBA488755binary
MD5:48FD74BFA4E17F1CF849565DD6818B97
SHA256:E37CCE42F1613F6B4F8BB47AEADA403D04B9F2F12A252E70FF4C18DEE43F262D
6044msiexec.exeC:\Windows\Temp\~DFF8EB5EE4CA084ED7.TMPbinary
MD5:F927DBC8B5F77744EEF76A8215AEA1DD
SHA256:AE312CE6CD3A2C0CAFC5911FE4D5CD7396018A7DB9D5D576F87F9B0F1731C42C
6508msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:3E767A542E45C079AFA67D0D42DEEDD7
SHA256:96B415C6427547B88E9C6169ABCB1F9F827AA81F67CC3BA98855BE872465E540
6044msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{f94cae49-1624-44b6-97c0-ee092e21c95b}_OnDiskSnapshotPropbinary
MD5:2B14FD45FD0592973EABC8B7D5B0861B
SHA256:7916918D4008692DDCAE54DE120A50346DBA8DB332FB0D07C904072527272E35
6044msiexec.exeC:\Windows\Installer\MSI20BC.tmpbinary
MD5:CF745279D4FF3B58765A7EC49DAFC052
SHA256:B5A56788754258FAD2D81D0413E4ACC1AD4762B9F2CDE762636B8B73EE0ED2C1
6044msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipibinary
MD5:F927DBC8B5F77744EEF76A8215AEA1DD
SHA256:AE312CE6CD3A2C0CAFC5911FE4D5CD7396018A7DB9D5D576F87F9B0F1731C42C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
63
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcFTiM6sUruh9Hy26bb9vo%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
GET
200
2.16.164.82:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.164.82:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2.23.9.218:80
www.microsoft.com
AKAMAI-AS
CZ
whitelisted
23.212.110.187:443
www.bing.com
Akamai International B.V.
CZ
whitelisted
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.158:443
th.bing.com
Akamai International B.V.
GB
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.16.164.82
  • 2.16.164.18
  • 2.16.164.89
  • 2.16.164.120
  • 2.16.164.114
  • 2.16.164.107
  • 2.16.164.51
  • 2.16.164.81
whitelisted
www.microsoft.com
  • 2.23.9.218
  • 88.221.169.152
whitelisted
www.bing.com
  • 23.212.110.187
  • 23.212.110.184
  • 23.212.110.200
  • 23.212.110.179
  • 23.212.110.201
  • 23.212.110.178
  • 23.212.110.186
  • 23.212.110.202
  • 23.212.110.185
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.73
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.68
whitelisted
th.bing.com
  • 2.23.209.158
  • 2.23.209.179
  • 2.23.209.181
  • 2.23.209.182
  • 2.23.209.187
  • 2.23.209.150
  • 2.23.209.185
  • 2.23.209.177
  • 2.23.209.176
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SophosConnect_2.3.2_IPsec_and_SSLVPN.msi