File name:

SophosConnect_2.3.2IPsec_and_SSLVPN.msi

Full analysis: https://app.any.run/tasks/d0d7d095-816a-41a9-a3c8-8ede90fba250
Verdict: Malicious activity
Analysis date: November 07, 2024, 18:57:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Sophos Connect , Author: Sophos Ltd, Keywords: Installer, Comments: This installer database contains the logic and data required to install Sophos Connect., Create Time/Date: Mon Sep 30 15:42:36 2024, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Template: Intel;1033, Last Saved By: Intel;1033, Revision Number: {0596D786-CC21-44C5-BE09-52DDCDB6EC47}2.3.2.0927;{EC141CBD-B3C6-4860-B341-22FB7E99E4EF}2.3.2.0927;{5A9E3376-BF41-425C-B0E8-318388686A58}, Number of Pages: 200, Number of Characters: 0
MD5:

6C6F4B88D531EF7057F8FAAFC16C48A0

SHA1:

F4A8A23C1703AA8C13B3BD6ECD5E637D0953A389

SHA256:

E40DCCBF21FACA80496B84E2533C10D911DACD2D89D80D80631751D833B126F1

SSDEEP:

98304:C6IdjRfW0SHBkV385I55sFUufSyFNq/Iy8RiTneBrgRTLraWtu+hyR4hIcHojvHs:8Rr+Aiw65Kr+y2bioAank4C+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 1452)
      • charon-svc.exe (PID: 824)
      • openvpnserv.exe (PID: 7088)
      • scvpn.exe (PID: 3396)

    • Uses TASKKILL.EXE to kill process

      • msiexec.exe (PID: 3792)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5644)

    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 5644)
      • drvinst.exe (PID: 6464)
      • drvinst.exe (PID: 2420)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 5644)

    • Executable content was dropped or overwritten

      • drvinst.exe (PID: 6464)
      • drvinst.exe (PID: 2420)

  • INFO

    • Reads the software policy settings

      • msiexec.exe (PID: 6268)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6268)

    • An automatically generated document

      • msiexec.exe (PID: 6268)

    • Create files in a temporary directory

      • msiexec.exe (PID: 6268)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5644)
      • msiexec.exe (PID: 6268)

    • Manages system restore points

      • SrTasks.exe (PID: 1168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Sophos Connect Installer
Author: Sophos Ltd
Keywords: Installer
Comments: This installer database contains the logic and data required to install Sophos Connect.
RevisionNumber: {BFD4050E-9881-4FB7-9DF2-E45AEDF65670}
CreateDate: 2024:09:30 15:41:32
ModifyDate: 2024:09:30 15:41:32
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
Template: Intel;1033,1031,1034,1036,1040,1041,1042,1046,2052,1028
LastModifiedBy: Intel;1033
Characters: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
146
Monitored processes
18
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs taskkill.exe no specs conhost.exe no specs msiexec.exe no specs tapinstall.exe no specs conhost.exe no specs drvinst.exe drvinst.exe charon-svc.exe no specs openvpnserv.exe no specs scvpn.exe no specs msiexec.exe no specs scgui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
692"C:\WINDOWS\SysWOW64\\taskkill.exe" /F /IM scgui.exeC:\Windows\SysWOW64\taskkill.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
824"C:\Program Files (x86)\Sophos\Connect\charon-svc.exe"C:\Program Files (x86)\Sophos\Connect\charon-svc.exeservices.exe
User:
SYSTEM
Integrity Level:
SYSTEM
1168C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1452C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2420DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\WINDOWS\INF\oem1.inf" "oem1.inf:3beb73aff103cc24:tapSophos.ndi:1.0.0.0:tapsophos," "4da5a64bf" "0000000000000178"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
3396"C:\Program Files (x86)\Sophos\Connect\scvpn.exe"C:\Program Files (x86)\Sophos\Connect\scvpn.exeservices.exe
User:
SYSTEM
Company:
Sophos
Integrity Level:
SYSTEM
Description:
Sophos Connect Service
Version:
2.3.2.0927
3792C:\Windows\syswow64\MsiExec.exe -Embedding AD0197E16CB2570B18B7AB6BD33810E8C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
5644C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
5660\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetapinstall.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
5660"C:\Program Files (x86)\Sophos\Connect\GUI\scgui.exe" C:\Program Files (x86)\Sophos\Connect\GUI\scgui.exemsiexec.exe
User:
admin
Company:
Sophos
Integrity Level:
MEDIUM
Description:
Sophos Connect GUI
Version:
2.3.2.0927
Total events
4 855
Read events
4 821
Write events
25
Delete events
9

Modification events

(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
48000000000000008CAAB4F74631DB010C1600007C110000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
48000000000000008CAAB4F74631DB010C1600007C110000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
480000000000000092C656F84631DB010C1600007C110000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
480000000000000092C656F84631DB010C1600007C110000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000CB2959F84631DB010C1600007C110000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000023F15DF84631DB010C1600007C110000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4800000000000000F3C92FF94631DB010C1600007C110000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5644) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000E01932F94631DB010C16000004170000E8030000010000000000000000000000BD600028C367F14B8EECE5FF61F562A200000000000000000000000000000000
(PID) Process:(1452) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000043A83BF94631DB01AC050000040C0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
29
Suspicious files
35
Text files
48
Unknown types
15

Dropped files

PID
Process
Filename
Type
5644msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
5644msiexec.exeC:\Windows\Installer\945c7.msi
MD5:
SHA256:
6268msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBbinary
MD5:4E832AD8B3CE854F0D2A6AC70A8CA59F
SHA256:00C0B7A9494C14BB6CB8DBA53765B9AEDA71A9EB8E12B1FABE132083DB5ACF0C
6268msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:85E4EF53DAF9D74A4F483E3575E0182E
SHA256:A155EDDD3FEFEB549E9A57DF0FE3910F7F66CF43E310DC81FC4A59E2E9529AF4
5644msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{280060bd-67c3-4bf1-8eec-e5ff61f562a2}_OnDiskSnapshotPropbinary
MD5:635F3B8D38638575F1676B6EF69321DF
SHA256:BF00CCAD2AA3498CDB8FAEF901DAD215FF52B0AE118A26B3CC69AA499686535E
6268msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_BD99E049BBF0D523D53FBF6DBA488755der
MD5:5F48793DC9034318E7D7DDE9A8B74AA9
SHA256:83F8271B99DF74F99C7A9A65AF6DB9FBE8548972998A4AEC16C8FB85DA4345D0
6268msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_BD99E049BBF0D523D53FBF6DBA488755binary
MD5:AE49E66D2BBF35A232E87E7BBA0625B1
SHA256:1BBB277AFD8B810ADF3542BB609E27F02B32E877D64A938D423A1A14E78BB5A4
6268msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:A3EFC5265DEEE0BE55111672DBA88530
SHA256:1DA3C6284B8A9FAC3BD87AC47FE16C8EE01629ABAE98239D626A627A8024DE8F
5644msiexec.exeC:\Windows\Installer\MSI575D.tmpexecutable
MD5:A3AE5D86ECF38DB9427359EA37A5F646
SHA256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
5644msiexec.exeC:\Windows\Installer\MSI51CD.tmpexecutable
MD5:A3AE5D86ECF38DB9427359EA37A5F646
SHA256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
27
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
95.101.54.128:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1744
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6268
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
6268
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
6268
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcFTiM6sUruh9Hy26bb9vo%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcFTiM6sUruh9Hy26bb9vo%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1744
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.179:443
Akamai International B.V.
GB
unknown
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
95.101.54.128:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1744
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 95.101.54.128
  • 95.101.54.122
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
sftelemetry.sophos.com
  • 18.66.95.190
unknown
self.events.data.microsoft.com
  • 52.168.117.169
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SophosConnect_2.3.2IPsec_and_SSLVPN.msi