analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FAT#Q5VHKWX03 .msi

Full analysis: https://app.any.run/tasks/bdb4c7b5-68c9-46a6-9d35-53a7312ddbc8
Verdict: Malicious activity
Analysis date: September 10, 2019, 22:49:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {9F4AD185-A744-443F-8238-BAAB0691AFF0}, Number of Words: 10, Subject: Windows Installer, Author: Windows Installer, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Windows Installer.
MD5:

FA8B0B867B1C0D30ACE0E3E63BB35C0E

SHA1:

403882F86D074BC30700FBDE0A5CE9C0F1371628

SHA256:

E7D224387B5A531F45592DEF4030F6C7B4EBC3E1BE373223460E93CE3B2A15A0

SSDEEP:

3072:rm2kc9/3DaYIA5wgz88ereWn/7w05g0546PMcB3RUN46ILJ9+ZB5yOanYG:rmC3DaYIA08er1nzTv4XrPG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SMCSvMoOg.pif (PID: 2672)

    • Loads dropped or rewritten executable

      • SMCSvMoOg.pif (PID: 2672)
      • SearchProtocolHost.exe (PID: 980)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2960)

  • SUSPICIOUS

    • Creates files in the user directory

      • cmd.exe (PID: 3372)

    • Starts CMD.EXE for commands execution

      • MsiExec.exe (PID: 3356)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2352)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2244)
      • MsiExec.exe (PID: 3356)

    • Starts Internet Explorer

      • cmd.exe (PID: 3372)

  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3356)

    • Application launched itself

      • iexplore.exe (PID: 3120)
      • msiexec.exe (PID: 2244)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3752)

    • Creates files in the program directory

      • MsiExec.exe (PID: 3356)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3120)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3752)

    • Changes internet zones settings

      • iexplore.exe (PID: 3120)

    • Creates files in the user directory

      • iexplore.exe (PID: 3752)

    • Starts application with an unusual extension

      • MsiExec.exe (PID: 3356)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Comments: This installer database contains the logic and data required to install Windows Installer.
Template: ;1033
Software: Advanced Installer 12.2.1 build 64247
LastModifiedBy: -
Author: Windows Installer
Subject: Windows Installer
Words: 10
RevisionNumber: {9F4AD185-A744-443F-8238-BAAB0691AFF0}
CodePage: Windows Latin 1 (Western European)
Security: None
Pages: 200
ModifyDate: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
LastPrinted: 2009:12:11 11:47:44
Keywords: Installer, MSI, Database
Title: Installation Database
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
10
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start msiexec.exe no specs msiexec.exe msiexec.exe cmd.exe no specs iexplore.exe iexplore.exe searchprotocolhost.exe no specs cmd.exe no specs reg.exe smcsvmoog.pif no specs

Process information

PID
CMD
Path
Indicators
Parent process
2868"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\FAT#Q5VHKWX03 .msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2244C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3356C:\Windows\system32\MsiExec.exe -Embedding D9AA18CE5753176E17A18C7DE9DC85B2C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3372"C:\Windows\System32\cmd.exe" /C start /MIN http://google.com.br/C:\Windows\System32\cmd.exeMsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3120"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3752"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3120 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
980"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2352"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 69_SMCSvMoOg /t reg_sz /d "C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif"C:\Windows\System32\cmd.exeMsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2960reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 69_SMCSvMoOg /t reg_sz /d "C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif"C:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2672"C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pif" C:\Users\admin\Documents\ad9a435e-dda5-83cd-588ab17311b1\106E5AD18D45175374212\{C49249F5-B9A4-F7F9DA622BB}\Common\SMCSvMoOg.pifMsiExec.exe
User:
admin
Company:
Disc Soft Ltd
Integrity Level:
MEDIUM
Description:
Disc Soft Bus Service Pro
Version:
8.2.1.0709
Total events
1 522
Read events
1 405
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
56
Text files
14
Unknown types
7

Dropped files

PID
Process
Filename
Type
2244msiexec.exeC:\Windows\Installer\MSIB1F0.tmp
MD5:
SHA256:
2244msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFFCF4595C875F6F17.TMP
MD5:
SHA256:
3120iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
3120iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3752iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
MD5:
SHA256:
3752iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJYTIH3P\google_com_br[1].txt
MD5:
SHA256:
2244msiexec.exeC:\Windows\Installer\16b088.msiexecutable
MD5:FA8B0B867B1C0D30ACE0E3E63BB35C0E
SHA256:E7D224387B5A531F45592DEF4030F6C7B4EBC3E1BE373223460E93CE3B2A15A0
3752iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:3E759210110FB89E9D58050191C4F1BC
SHA256:0A256F572AD83710652DE6FAA5499C77910CDD57433967E90F0A95AA0B518444
3752iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txttext
MD5:FD6D6FF85CAEDD4C2F26054E5F12E192
SHA256:1F51B5718B2C018C897EC671D144C1F396A8E41ACC3742944B43615D814D1316
3752iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:CEAEDE0658C2D03BFCA8341800B8C6D3
SHA256:B99E0A9A7A50CEB96AAE3682CBED27F4AE6F1F2360182F659D457D3AFE5C2D47
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
10
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3356
MsiExec.exe
GET
200
52.95.164.60:80
http://0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com/NEWWWWWWWWWWWWWWZIP%20%285%29.zip
US
compressed
7.93 Mb
shared
3356
MsiExec.exe
GET
200
77.222.62.31:80
http://zfwbfurusa.temp.swtest.ru/001/
RU
malicious
3752
iexplore.exe
GET
302
172.217.23.131:80
http://www.google.com.br/
US
html
234 b
whitelisted
3120
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3752
iexplore.exe
GET
301
172.217.21.227:80
http://google.com.br/
US
html
222 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3752
iexplore.exe
172.217.23.131:443
www.google.com.br
Google Inc.
US
whitelisted
3752
iexplore.exe
172.217.21.227:80
google.com.br
Google Inc.
US
whitelisted
3120
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3752
iexplore.exe
172.217.23.131:80
www.google.com.br
Google Inc.
US
whitelisted
3120
iexplore.exe
172.217.23.131:443
www.google.com.br
Google Inc.
US
whitelisted
3356
MsiExec.exe
52.95.164.60:80
0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com
US
shared
3356
MsiExec.exe
77.222.62.31:80
zfwbfurusa.temp.swtest.ru
SpaceWeb Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
0909-app-brasil-mais-poder.s3-sa-east-1.amazonaws.com
  • 52.95.164.60
shared
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
google.com.br
  • 172.217.21.227
whitelisted
www.google.com.br
  • 172.217.23.131
whitelisted
zfwbfurusa.temp.swtest.ru
  • 77.222.62.31
malicious

Threats

PID
Process
Class
Message
3356
MsiExec.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
FAT#Q5VHKWX03 .msi