File name:

setup.msi

Full analysis: https://app.any.run/tasks/5261eb37-cc08-4b9b-87b2-410870c1e865
Verdict: Malicious activity
Analysis date: May 01, 2024, 17:49:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {81D895EB-E981-4AA8-B0CA-B3F3C031454C}, Number of Words: 10, Subject: DuvApp, Author: publub, Name of Creating Application: DuvApp, Template: ;1033, Comments: This installer database contains the logic and data required to install DuvApp., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Mar 31 14:47:47 2024, Last Saved Time/Date: Sun Mar 31 14:47:47 2024, Last Printed: Sun Mar 31 14:47:47 2024, Number of Pages: 450
MD5:

FFE8DD917CBDD1E27EEC86AA1F838451

SHA1:

6E094F9AB23BB0CABE68E7AEAC6FFD283BA08FC2

SHA256:

F0EFFC50B7832AC596804A6F8DF7D248C7796B5B9F8A22A6A6019C0E32BAABD4

SSDEEP:

98304:Y7C/x2aAD/2DbR8gepwIG7lEzieoeEx6V0FoDOtXlWWnmgOW9sRsjpi5/g81pt6a:5gtd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3988)
      • msiexec.exe (PID: 4024)

    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 4072)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 820)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3988)
      • msiexec.exe (PID: 4024)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4024)

    • The process executes Powershell scripts

      • msiexec.exe (PID: 4072)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 4072)

    • The process hide an interactive prompt from the user

      • msiexec.exe (PID: 4072)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 4072)

    • Reads the Internet Settings

      • powershell.exe (PID: 820)

    • Unusual connection from system programs

      • powershell.exe (PID: 820)

  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 4024)
      • msiexec.exe (PID: 4072)

    • Checks supported languages

      • msiexec.exe (PID: 4024)
      • msiexec.exe (PID: 4072)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4072)
      • msiexec.exe (PID: 4024)

    • Application launched itself

      • msiexec.exe (PID: 4024)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4024)

    • Reads Environment values

      • msiexec.exe (PID: 4072)

    • Create files in a temporary directory

      • msiexec.exe (PID: 4072)
      • powershell.exe (PID: 820)
      • msiexec.exe (PID: 4024)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 820)

    • Reads settings of System Certificates

      • powershell.exe (PID: 820)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 820)

    • Reads the software policy settings

      • powershell.exe (PID: 820)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 4024)

    • Dropped object may contain TOR URL's

      • msiexec.exe (PID: 4024)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 4024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {81D895EB-E981-4AA8-B0CA-B3F3C031454C}
Words: 10
Subject: DuvApp
Author: publub
LastModifiedBy: -
Software: DuvApp
Template: ;1033
Comments: This installer database contains the logic and data required to install DuvApp.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:04:30 14:47:47
ModifyDate: 2024:04:30 14:47:47
LastPrinted: 2024:04:30 14:47:47
Pages: 450
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe msiexec.exe no specs powershell.exe gpg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
820 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss3211.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi320E.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr320F.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr3210.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1768"C:\Users\admin\AppData\Roaming\publub\DuvApp\gpg.exe"C:\Users\admin\AppData\Roaming\publub\DuvApp\gpg.exemsiexec.exe
User:
admin
Company:
g10 Code GmbH
Integrity Level:
MEDIUM
Description:
GnuPG’s OpenPGP tool
Exit code:
3221225785
Version:
2.4.3 (d073f26d8) built on <anon> at <none>
Modules
Images
c:\users\admin\appdata\roaming\publub\duvapp\gpg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\roaming\publub\duvapp\libassuan-0.dll
c:\users\admin\appdata\roaming\publub\duvapp\libgpg-error-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3988"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\setup.msiC:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4024C:\Windows\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4072C:\Windows\system32\MsiExec.exe -Embedding F5ADDC7D152799B23347714918A3005FC:\Windows\System32\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
12 236
Read events
12 088
Write events
136
Delete events
12

Modification events

(PID) Process:(4024) msiexec.exeKey:HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
B80F0000EA5B61EBEF9BDA01
(PID) Process:(4024) msiexec.exeKey:HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
280C3EBB742CC5EC2A2176B1ECC779A81E06A6B6698A5221F5D69641EEA84FE1
(PID) Process:(4024) msiexec.exeKey:HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(820) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4024) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:writeName:C:\Config.Msi\
Value:
(PID) Process:(4024) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:writeName:C:\Config.Msi\10306b.rbs
Value:
31103992
(PID) Process:(4024) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:writeName:C:\Config.Msi\10306b.rbsLow
Value:
(PID) Process:(4024) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\85D035D03F8AF03468D63385283E8968
Operation:writeName:865E7462FFBD28D46A755D98EA8D5F97
Value:
C:\Users\admin\AppData\Roaming\publub\DuvApp\
(PID) Process:(4024) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\0A0D7BEF79D8A4F42921746A19C94815
Operation:writeName:865E7462FFBD28D46A755D98EA8D5F97
Value:
01:\Software\publub\DuvApp\Version
(PID) Process:(4024) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\F506C236B44867A41AFD5F99ABD3FB73
Operation:writeName:865E7462FFBD28D46A755D98EA8D5F97
Value:
C:\Users\admin\AppData\Roaming\publub\DuvApp\libassuan-0.dll
Executable files
36
Suspicious files
9
Text files
31
Unknown types
3

Dropped files

PID
Process
Filename
Type
4024msiexec.exeC:\Windows\Installer\103068.msi
MD5:
SHA256:
4072msiexec.exeC:\Users\admin\AppData\Local\Temp\msi320E.txt
MD5:
SHA256:
4072msiexec.exeC:\Users\admin\AppData\Local\Temp\scr320F.ps1
MD5:
SHA256:
4072msiexec.exeC:\Users\admin\AppData\Local\Temp\scr3210.txt
MD5:
SHA256:
4072msiexec.exeC:\Users\admin\AppData\Local\Temp\pss3211.ps1
MD5:
SHA256:
4024msiexec.exeC:\Windows\Installer\MSI3193.tmpexecutable
MD5:B158D8D605571EA47A238DF5AB43DFAA
SHA256:CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
820powershell.exeC:\Users\admin\AppData\Local\Temp\kf01e2ae.tdi.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
4024msiexec.exeC:\Windows\Installer\MSI3114.tmpexecutable
MD5:B158D8D605571EA47A238DF5AB43DFAA
SHA256:CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
4024msiexec.exeC:\Windows\Installer\MSI31B3.tmpexecutable
MD5:FB4665320C9DA54598321C59CC5ED623
SHA256:9FB3156C665211A0081B189142C1D1AB18CDA601EE54D5F5D8883ECFA4177A59
820powershell.exeC:\Users\admin\AppData\Local\Temp\yg5arba5.4zi.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
1
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
820
powershell.exe
GET
301
172.67.176.123:80
http://thecurl.monster/getLicenseInfo.php?req=license&selfshw=5152
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
820
powershell.exe
172.67.176.123:80
thecurl.monster
CLOUDFLARENET
US
unknown
820
powershell.exe
172.67.176.123:443
thecurl.monster
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
thecurl.monster
  • 172.67.176.123
  • 104.21.31.116
unknown

Threats

PID
Process
Class
Message
820
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
setup.msi