File name: Radeon_RAMDisk_4_4_0_RC36.msi
Full analysis: https://app.any.run/tasks/809c474a-0da1-48a2-889b-b51cbb5c11b0
Verdict: Malicious activity
Analysis date: August 19, 2021, 01:55:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Windows RAMDisk Software, Author: Dataram, Inc., Keywords: Windows RAM Disk, Comments: RAMDisk is a Windows utility that emulates the functionality of a hard disk using system RAM., Template: Intel;1033, Revision Number: {0D23AB23-2A02-4E66-BD44-16E39D57FC43}, Create Time/Date: Sat Feb 6 15:55:48 2016, Last Saved Time/Date: Sat Feb 6 15:55:48 2016, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2
MD5: 50B0E5C0F00EC32A00C89AB9B213A8A5
SHA1: 62E71B4C5CB9D141971AE6E2D334BB0517AF6DB9
SHA256: D792733F0EBC8C30D7F6778C9F0276CD5FBDE7419212D0B338744B0311D38970
SSDEEP: 196608:c/yF0eyYaa51m3FvhEsB7KGmFo1XjnMTeDZrPyJV2Ek3u:6yF0+T5atGsFqm9n4CrPybk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rdcq.exe (PID: 3440)
      • rdcq.exe (PID: 2148)
      • AMD_RAMDisk.exe (PID: 904)
      • MappedDrives.exe (PID: 2368)
      • AMD_RAMDisk.exe (PID: 3284)
    • Loads dropped or rewritten executable

      • rdcq.exe (PID: 2148)
      • rdcq.exe (PID: 3440)
      • MsiExec.exe (PID: 3972)
      • AMD_RAMDisk.exe (PID: 904)
    • Drops executable file immediately after starts

      • DrvInst.exe (PID: 3908)
  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 1404)
      • msiexec.exe (PID: 4036)
      • vssvc.exe (PID: 2416)
      • vds.exe (PID: 2376)
    • Reads Windows owner or organization settings

      • msiexec.exe (PID: 3480)
      • msiexec.exe (PID: 4036)
    • Reads the Windows organization settings

      • msiexec.exe (PID: 3480)
      • msiexec.exe (PID: 4036)
    • Reads Environment values

      • vssvc.exe (PID: 1404)
      • AMD_RAMDisk.exe (PID: 904)
      • vssvc.exe (PID: 2416)
    • Checks supported languages

      • rdcq.exe (PID: 2148)
      • rdcq.exe (PID: 3440)
      • MappedDrives.exe (PID: 2368)
      • AMD_RAMDisk.exe (PID: 904)
      • DrvInst.exe (PID: 3908)
      • DrvInst.exe (PID: 2936)
      • DrvInst.exe (PID: 3688)
    • Reads the computer name

      • rdcq.exe (PID: 2148)
      • rdcq.exe (PID: 3440)
      • MappedDrives.exe (PID: 2368)
      • AMD_RAMDisk.exe (PID: 904)
      • DrvInst.exe (PID: 3908)
      • DrvInst.exe (PID: 2936)
      • DrvInst.exe (PID: 3688)
    • Creates files in the program directory

      • rdcq.exe (PID: 2148)
      • msiexec.exe (PID: 4036)
      • rdcq.exe (PID: 3440)
      • MappedDrives.exe (PID: 2368)
    • Drops a file with too old compile date

      • msiexec.exe (PID: 4036)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 4036)
    • Creates a directory in Program Files

      • msiexec.exe (PID: 4036)
      • rdcq.exe (PID: 2148)
    • Executable content was dropped or overwritten

      • rdcq.exe (PID: 2148)
      • msiexec.exe (PID: 4036)
      • msiexec.exe (PID: 3480)
      • rdcq.exe (PID: 3440)
      • DrvInst.exe (PID: 3908)
      • AMD_RAMDisk.exe (PID: 904)
      • DrvInst.exe (PID: 2936)
    • Drops a file that was compiled in debug mode

      • msiexec.exe (PID: 4036)
      • rdcq.exe (PID: 2148)
      • rdcq.exe (PID: 3440)
      • msiexec.exe (PID: 3480)
      • DrvInst.exe (PID: 3908)
      • AMD_RAMDisk.exe (PID: 904)
      • DrvInst.exe (PID: 2936)
    • Creates or modifies windows services

      • rdcq.exe (PID: 2148)
      • AMD_RAMDisk.exe (PID: 904)
    • Creates files in the Windows directory

      • pnputil.exe (PID: 2080)
      • AMD_RAMDisk.exe (PID: 904)
      • DrvInst.exe (PID: 3908)
      • DrvInst.exe (PID: 2936)
    • Searches for installed software

      • msiexec.exe (PID: 4036)
    • Application launched itself

      • msiexec.exe (PID: 4036)
    • Executed via COM

      • DrvInst.exe (PID: 3908)
      • DrvInst.exe (PID: 2936)
      • vdsldr.exe (PID: 2120)
      • DrvInst.exe (PID: 3688)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 3908)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 3908)
      • DrvInst.exe (PID: 2936)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 3908)
      • DrvInst.exe (PID: 2936)
  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 3480)
      • vssvc.exe (PID: 1404)
      • msiexec.exe (PID: 4036)
      • pnputil.exe (PID: 2080)
      • MsiExec.exe (PID: 3972)
      • WISPTIS.EXE (PID: 3616)
      • rundll32.exe (PID: 912)
      • vssvc.exe (PID: 2416)
      • vds.exe (PID: 2376)
      • vdsldr.exe (PID: 2120)
      • explorer.exe (PID: 1824)
    • Checks supported languages

      • msiexec.exe (PID: 4036)
      • msiexec.exe (PID: 3480)
      • vssvc.exe (PID: 1404)
      • pnputil.exe (PID: 2080)
      • WISPTIS.EXE (PID: 3616)
      • MsiExec.exe (PID: 3972)
      • rundll32.exe (PID: 912)
      • vssvc.exe (PID: 2416)
      • vds.exe (PID: 2376)
      • vdsldr.exe (PID: 2120)
      • explorer.exe (PID: 1824)
    • Reads settings of System Certificates

      • msiexec.exe (PID: 3480)
      • msiexec.exe (PID: 4036)
      • AMD_RAMDisk.exe (PID: 904)
      • DrvInst.exe (PID: 3908)
      • DrvInst.exe (PID: 2936)
      • rundll32.exe (PID: 912)
      • DrvInst.exe (PID: 3688)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 3480)
      • msiexec.exe (PID: 4036)
      • DrvInst.exe (PID: 3908)
      • AMD_RAMDisk.exe (PID: 904)
      • rundll32.exe (PID: 912)
      • DrvInst.exe (PID: 2936)
      • DrvInst.exe (PID: 3688)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 3908)
    • Searches for installed software

      • DrvInst.exe (PID: 3908)
    • Manual execution by user

      • explorer.exe (PID: 1824)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Windows RAMDisk Software
Author: Dataram, Inc.
Keywords: Windows RAM Disk
Comments: RAMDisk is a Windows utility that emulates the functionality of a hard disk using system RAM.
Template: Intel;1033
RevisionNumber: {0D23AB23-2A02-4E66-BD44-16E39D57FC43}
CreateDate: 2016:02:06 15:55:48
ModifyDate: 2016:02:06 15:55:48
Pages: 200
Words: 2
Software: Windows Installer XML (3.7.1224.0)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 69
Monitored processes: 20
Malicious processes: 7
Suspicious processes: 0

Behavior graph

(Interactive graph not rendered here. Its process nodes, in order: msiexec.exe, msiexec.exe, vssvc.exe, rdcq.exe, pnputil.exe, rdcq.exe, msiexec.exe, amd_ramdisk.exe, amd_ramdisk.exe, wisptis.exe, wisptis.exe, mappeddrives.exe, drvinst.exe, rundll32.exe, vssvc.exe, drvinst.exe, vdsldr.exe, vds.exe, drvinst.exe, explorer.exe.)

Process information

PID 3480 (parent: Explorer.EXE)
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\Radeon_RAMDisk_4_4_0_RC36.msi"
  Path: C:\Windows\System32\msiexec.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 4036 (parent: services.exe)
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Windows® installer
  Exit code: (still running at end of analysis)
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1404 (parent: services.exe)
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2148 (parent: msiexec.exe)
  CMD: "C:\Program Files\Radeon RAMDisk\rdcq.exe" /y install_cleanup
  Path: C:\Program Files\Radeon RAMDisk\rdcq.exe
  User: admin | Company: Dataram Corporation | Integrity Level: MEDIUM
  Description: Dataram
  Exit code: 0
  Version: 4.4.0.36

PID 2080 (parent: rdcq.exe)
  CMD: "pnputil.exe" -e
  Path: C:\Windows\system32\pnputil.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Microsoft PnP Utility - Tool to add, delete and enumerate driver packages.
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3440 (parent: msiexec.exe)
  CMD: "C:\Program Files\Radeon RAMDisk\rdcq.exe" /y install_driver_files
  Path: C:\Program Files\Radeon RAMDisk\rdcq.exe
  User: admin | Company: Dataram Corporation | Integrity Level: MEDIUM
  Description: Dataram
  Exit code: 0
  Version: 4.4.0.36

PID 3972 (parent: msiexec.exe)
  CMD: C:\Windows\system32\MsiExec.exe -Embedding 7176E1814D150E27BAB64E348617C022 C
  Path: C:\Windows\system32\MsiExec.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 3284 (parent: MsiExec.exe)
  CMD: "C:\Program Files\Radeon RAMDisk\AMD_RAMDisk.exe"
  Path: C:\Program Files\Radeon RAMDisk\AMD_RAMDisk.exe
  User: admin | Company: Dataram Corporation | Integrity Level: MEDIUM
  Description: AMD_RAMDisk
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same binary is relaunched as PID 904 at HIGH integrity)
  Version: 4.4.0.36

PID 904 (parent: MsiExec.exe)
  CMD: "C:\Program Files\Radeon RAMDisk\AMD_RAMDisk.exe"
  Path: C:\Program Files\Radeon RAMDisk\AMD_RAMDisk.exe
  User: admin | Company: Dataram Corporation | Integrity Level: HIGH
  Description: AMD_RAMDisk
  Exit code: (still running at end of analysis)
  Version: 4.4.0.36

PID 2656 (parent: AMD_RAMDisk.exe)
  CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
  Path: C:\Windows\SYSTEM32\WISPTIS.EXE
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH
  Description: Microsoft Pen and Touch Input Component
  Exit code: 3221226540 (0xC000042C)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 30 315
Read events: 29 568
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 37
Suspicious files: 26
Text files: 18
Unknown types: 18

Dropped files

PID 4036, msiexec.exe: C:\System Volume Information\SPP\metadata-2
  Type, MD5, SHA256: not recorded

PID 4036, msiexec.exe: C:\Windows\Installer\1cd72d.msi
  Type, MD5, SHA256: not recorded

PID 4036, msiexec.exe: C:\Users\admin\AppData\Local\Temp\~DF807CA6508775451B.TMP (type: gmc)
  MD5: F3938E6D96A9D0A6C6476DB1820F8873
  SHA256: F2873B59B52BA42D352A391D5C48CC96EDBD42C09C82F1AA222F41CBED3D6126

PID 4036, msiexec.exe: C:\Program Files\Radeon RAMDisk\Dataram.Diagnostics.dll (type: executable)
  MD5: 97EF689F6F9D97ABADEA70AEC2C2F2D2
  SHA256: 9EBF736CEA64D73EEBF0CB7AA03927D5AB56E52AEE342D6E454F6CFE09A8F219

PID 4036, msiexec.exe: C:\Program Files\Radeon RAMDisk\AMD_Radeon_RAMDisk_Release_Notes.pdf (type: pdf)
  MD5: 0FFD435FC0F05F1F8548ADDD85547456
  SHA256: 715D2C09DE518A258B53D6E3234FF448ED2224770C2344D38AE341DC98EB5BA7

PID 4036, msiexec.exe: C:\Program Files\Radeon RAMDisk\AMD_Radeon_RAMDisk_User_Manual.pdf (type: pdf)
  MD5: 576FDC3A70C59AF0971018721A52DB12
  SHA256: 8A4B49F5BF7D4B2315786C40D3C56665098369D6EFAAC8FFAAFE8C67E2344461

PID 4036, msiexec.exe: C:\Program Files\Radeon RAMDisk\Dataram.CpuIdClrBridge.dll (type: executable)
  MD5: 32CE4C0A4DE11FABD8982C5F1764BE19
  SHA256: BBFD12B1E17D22E6B1E8C6187D0EA0071D4ACFDFA3E3D194717930162CB062A9

PID 4036, msiexec.exe: C:\Program Files\Radeon RAMDisk\Dataram.RAMDisk.Base.dll (type: executable)
  MD5: BEC859434FE1E6AA92E037D415ECFBD2
  SHA256: 4615804C409A4A12A7AF0DAC69D8931419D2DB951513BF93E36E059B57032DE2

PID 4036, msiexec.exe: C:\Windows\Installer\MSIDDF4.tmp (type: binary)
  MD5: D6BA38A95FE47340DCDD9116E0A85209
  SHA256: AF14FC0FCA95C7ADC7E6FAE21B80CD4C8FCE4C2F58B831D60F540CBF6FFD1885

PID 4036, msiexec.exe: C:\Program Files\Radeon RAMDisk\Dataram.RAMDisk.App.dll (type: executable)
  MD5: 89217171D660A3E4B4125A6927E1DE63
  SHA256: 184D7FA86B5DB61C53E0E5AAD2C73A3E43363E5F1356BA31A9D763691968789A
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 904, AMD_RAMDisk.exe
  Method: GET | HTTP code: 200
  IP: 207.58.189.189:80
  URL: http://www.radeonramdisk.com/images/radeon_advert_download.bmp
  CN: US | Type: image | Size: 746 Kb | Reputation: unknown

Connections

PID 904, AMD_RAMDisk.exe
  IP: 54.190.249.27:443 | Domain: license.dataram.com
  ASN: Amazon.com, Inc. | CN: US | Reputation: unknown

PID 904, AMD_RAMDisk.exe
  IP: 207.58.189.189:80 | Domain: www.radeonramdisk.com
  ASN: ServInt | CN: US | Reputation: unknown

DNS requests

www.radeonramdisk.com -> 207.58.189.189 (reputation: unknown)
license.dataram.com -> 54.190.249.27 (reputation: unknown)

Threats

No threats detected
No debug info