| File name: | openvpn-connect-2.7.1.111_signed (1).msi |
| Full analysis: | https://app.any.run/tasks/7785db7a-a084-4557-939e-12f20f2b6521 |
| Verdict: | Malicious activity |
| Analysis date: | June 21, 2024, 15:34:51 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: OpenVPN Connect, Author: OpenVPN Technologies, Keywords: Installer, Comments: This installer database contains the logic and data required to install OpenVPN Connect., Template: Intel;1033, Revision Number: {033D05BB-D940-477B-8C73-9CF2C7D16A29}, Create Time/Date: Tue Sep 22 09:48:10 2020, Last Saved Time/Date: Tue Sep 22 09:48:10 2020, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2 |
| MD5: | 342A7EE74901F008B9B769CA05F04734 |
| SHA1: | 2EE3055D0A16910C960A1C9730F8688058BCE2D8 |
| SHA256: | F65DD0EA784DD63632BE64F89B1F83D51C199FD7319888883780CB9E975C325A |
| SSDEEP: | 196608:VaIAytTDU5hguRIf10M5QwIG/oIpB0q1EB/03wUZMFoXXfH4l:LTw5hguif10c2JIpBJw/ETXwl |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 3256)
- msiexec.exe (PID: 3332)
- tapinstall.exe (PID: 3936)
- drvinst.exe (PID: 2492)
Actions looks like stealing of personal data
- msiexec.exe (PID: 3332)
Creates a writable file in the system directory
- drvinst.exe (PID: 2492)
SUSPICIOUS
Checks Windows Trust Settings
- msiexec.exe (PID: 3332)
- tapinstall.exe (PID: 3936)
- drvinst.exe (PID: 2492)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 3332)
Executes as Windows Service
- VSSVC.exe (PID: 3428)
Process drops python dynamic module
- msiexec.exe (PID: 3332)
Process drops legitimate windows executable
- msiexec.exe (PID: 3332)
Drops a system driver (possible attempt to evade defenses)
- msiexec.exe (PID: 3332)
- tapinstall.exe (PID: 3936)
- drvinst.exe (PID: 2492)
The process drops C-runtime libraries
- msiexec.exe (PID: 3332)
Loads Python modules
- icert.exe (PID: 3336)
Executable content was dropped or overwritten
- tapinstall.exe (PID: 3936)
- drvinst.exe (PID: 2492)
Adds/modifies Windows certificates
- icert.exe (PID: 3336)
- tapinstall.exe (PID: 3936)
Creates files in the driver directory
- drvinst.exe (PID: 2492)
INFO
Reads security settings of Internet Explorer
- msiexec.exe (PID: 3256)
Reads the computer name
- msiexec.exe (PID: 3332)
- msiexec.exe (PID: 3556)
- tapinstall.exe (PID: 3936)
- drvinst.exe (PID: 2492)
Reads the machine GUID from the registry
- msiexec.exe (PID: 3332)
- icert.exe (PID: 3336)
- msiexec.exe (PID: 3556)
- tapinstall.exe (PID: 3936)
- drvinst.exe (PID: 2492)
Checks supported languages
- msiexec.exe (PID: 3332)
- msiexec.exe (PID: 3556)
- icert.exe (PID: 3336)
- tapinstall.exe (PID: 3936)
- drvinst.exe (PID: 2492)
Reads the software policy settings
- msiexec.exe (PID: 3256)
- msiexec.exe (PID: 3332)
- tapinstall.exe (PID: 3936)
- rundll32.exe (PID: 2500)
- drvinst.exe (PID: 2492)
Create files in a temporary directory
- msiexec.exe (PID: 3332)
- tapinstall.exe (PID: 3936)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3332)
Application launched itself
- msiexec.exe (PID: 3332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | OpenVPN Connect |
| Author: | OpenVPN Technologies |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install OpenVPN Connect. |
| Template: | Intel;1033 |
| RevisionNumber: | {033D05BB-D940-477B-8C73-9CF2C7D16A29} |
| CreateDate: | 2020:09:22 09:48:10 |
| ModifyDate: | 2020:09:22 09:48:10 |
| Pages: | 200 |
| Words: | 2 |
| Software: | Windows Installer XML Toolset (3.11.1.2318) |
| Security: | Read-only recommended |
Total processes
48
Monitored processes
8
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2492 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{0680ea34-0230-727f-f402-9a7db504b242}\oemvista.inf" "0" "6fd423e43" "0000030C" "WinSta0\Default" "0000055C" "208" "c:\program files\openvpn technologies\openvpn client\driver\win32.6" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2500 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{06063c32-a65e-17e5-2344-8554244dda51} Global\{24d33b8f-0da2-5c4c-061c-7f78f0c4f328} C:\Windows\System32\DriverStore\Temp\{69159ecf-c37b-6e6c-c6df-da1391932c6d}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{69159ecf-c37b-6e6c-c6df-da1391932c6d}\tapoas.cat | C:\Windows\System32\rundll32.exe | — | drvinst.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3256 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\openvpn-connect-2.7.1.111_signed (1).msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3332 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3336 | "C:\Program Files\OpenVPN Technologies\OpenVPN Client\driver\..\core\icert.exe" "C:\Program Files\OpenVPN Technologies\OpenVPN Client\driver\..\etc\openvpn.crt" TrustedPublisher | C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\icert.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 Modules
| |||||||||||||||
| 3428 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3556 | C:\Windows\system32\MsiExec.exe -Embedding A749A8631285D91532E0A1D443335399 E Global\MSI0000 | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3936 | "C:\Program Files\OpenVPN Technologies\OpenVPN Client\driver\win32.6\tapinstall.exe" install "C:\Program Files\OpenVPN Technologies\OpenVPN Client\driver\win32.6\OemVista.inf" tapoas | C:\Program Files\OpenVPN Technologies\OpenVPN Client\driver\win32.6\tapinstall.exe | msiexec.exe | ||||||||||||
User: SYSTEM Company: Windows (R) Win 7 DDK provider Integrity Level: SYSTEM Description: Windows Setup API Version: 6.1.7600.16385 built by: WinDDK Modules
| |||||||||||||||
Total events
21 831
Read events
21 548
Write events
281
Delete events
2
Modification events
| (PID) Process: | (3256) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3332) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000E873BE95F0C3DA01040D0000C80C0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3332) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4000000000000000E873BE95F0C3DA01040D0000C80C0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3332) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 75 | |||
| (PID) Process: | (3332) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 400000000000000032A59296F0C3DA01040D0000C80C0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3332) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000008C079596F0C3DA01040D00003C080000E803000001000000000000000000000052FB8C0EC78D314494D2726F4B3CC6E70000000000000000 | |||
| (PID) Process: | (3428) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000F4909E96F0C3DA01640D0000800B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3428) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000F4909E96F0C3DA01640D00001C020000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3428) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000F4909E96F0C3DA01640D0000C8080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3428) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000F4909E96F0C3DA01640D00002C090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
98
Suspicious files
24
Text files
41
Unknown types
7
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3332 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 3332 | msiexec.exe | C:\Windows\Installer\50c7b.msi | — | |
MD5:— | SHA256:— | |||
| 3332 | msiexec.exe | C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\OpenSSL.rand.pyd | executable | |
MD5:09DF77CF28234129AB10C488C20D3B04 | SHA256:0F6A729E8F39EE17EED5AB3C6D814F69A39C1F3C5B821AAC47E3B8BAAD27B534 | |||
| 3332 | msiexec.exe | C:\Program Files\OpenVPN Technologies\OpenVPN Client\client\css\style.css | text | |
MD5:ED3BC7E09A5F92FC6C168A98D5D8EC11 | SHA256:A162EADB581EFC50911C1415522445887C5ADAAA3FC7815C9798788D9CCF8528 | |||
| 3332 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{0e8cfb52-8dc7-4431-94d2-726f4b3cc6e7}_OnDiskSnapshotProp | binary | |
MD5:84CA6C5CD6B1A843F72636CC1DC83DE3 | SHA256:2E6B61606388F0570FF4ADB400C086896E93C2D359A435EEBA4E65BC8182000B | |||
| 3332 | msiexec.exe | C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\w9xpopen.exe | executable | |
MD5:57452BE2B12676E5053DA3B1843D4C20 | SHA256:AD4BA25AFF557ADDCF036B88286A2D68160B6CB61A9A76E43D99F5D3C1A0752D | |||
| 3332 | msiexec.exe | C:\Windows\Installer\50c7c.ipi | binary | |
MD5:043FD8AF2A5101CD31ED377F9CB50D83 | SHA256:7A2DCF70F2D69002431A5B1710311CFC2DF876EB47F14E1974351C58EDD2F448 | |||
| 3332 | msiexec.exe | C:\Windows\Installer\MSI1351.tmp | binary | |
MD5:7035691244E97A7EE532A91185BFE9E1 | SHA256:E1A1FCEDF8251180021602BFF48518B27BDFC46C271162CCCBD8703D2689A023 | |||
| 3332 | msiexec.exe | C:\Program Files\OpenVPN Technologies\OpenVPN Client\client\images\openvpn.png | image | |
MD5:AA37273868444C133EA060331D2255BC | SHA256:60A177C7747E26486038D187FA2283C0A33851D9A2D0A31782DF4EAA5B79B78C | |||
| 3332 | msiexec.exe | C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\library.zip | compressed | |
MD5:DE8929218C56941C85DC8FF921FBB53B | SHA256:393BA276ED63A3D041206CF17D519C3CC0DD45101B5123A42ECF3C329FF350B3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1372 | svchost.exe | GET | 304 | 95.101.54.113:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1060 | svchost.exe | GET | 304 | 72.247.153.162:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1372 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1060 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1372 | svchost.exe | 20.106.86.13:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
1372 | svchost.exe | 95.101.54.113:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
1372 | svchost.exe | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown |
1060 | svchost.exe | 72.247.153.162:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |