SimpleDNSCrypt64.msi
This report was generated from a file or URL submitted to this web service on April 8th 2018 18:57:46 (UTC), using the action script "Random desktop files".
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
- Network Behavior: Contacts 2 domains and 3 hosts
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxps://github.com/bitbeans/SimpleDnsCrypt/releases/download/0.5.4/SimpleDNSCrypt64.msi
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (2)

Installation/Persistence

Contains ability to modify user account rights
- details: LsaAddAccountRights@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 7/10

Unusual Characteristics

Contains native function calls
- details: NtQueryInformationProcess@NTDLL.DLL from msiexec.exe (PID: 4056)
- source: Hybrid Analysis Technology
- relevance: 5/10

Suspicious Indicators (18)

Anti-Detection/Stealthiness

Contains ability to open/control a service
- details:
  - ControlService@ADVAPI32.DLL from msiexec.exe (PID: 4056)
  - OpenServiceW@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 8/10

Anti-Reverse Engineering

Looks up many procedures within the same disassembly stream (often used to hide usage)
- details:
  - Found 14 calls to GetProcAddress@KERNEL32.dll
  - Found 26 calls to GetProcAddress@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly checks for known debuggers/analysis tools
- details: "download.sysinternals.com" (Indicator: "sysinternals")
- source: File/Memory
- relevance: 2/10

Environment Awareness

Contains ability to query CPU information
- details: cpuid (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10

Found a reference to a WMI query string known to be used for VM detection
- details:
  - "SELECT * FROM Win32_ComputerSystem" (Indicator: "win32_computersystem"; File: "MSIAED2.tmp.2925925798")
  - "SELECT * FROM Win32_BIOS" (Indicator: "win32_bios"; File: "MSIAED2.tmp.2925925798")
- source: File/Memory
- relevance: 10/10

Possibly tries to implement anti-virtualization techniques
- details:
  - "VMware Virtual Platform" (Indicator: "vmware")
  - "VMware7,1" (Indicator: "vmware")
  - "VirtualBox" (Indicator: "virtualbox")
  - "VMware, Inc." (Indicator: "vmware")
- source: File/Memory
- relevance: 4/10

General

Found a potential E-Mail address in binary/memory
- details: 20 pattern matches on e-mail-like strings in the binary
- source: File/Memory
- relevance: 3/10

Installation/Persistence

Contains ability to download files from the internet
- details: InternetReadFile@WININET.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
  - "4.08.02.0134"
  - "4.08.00.0000"
  - "14.7.0.0"
- source: File/Memory
- relevance: 3/10

Pattern Matching

Contains ability to download files from the internet
- details: InternetReadFile@WININET.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Remote Access Related

Contains a remote desktop related string
- details: "v[xFvncVmKHt" (Indicator for product: Generic VNC)
- source: File/Memory
- relevance: 10/10

Contains references to WMI/WMIC
- details: "ROOT\CIMV2" (Indicator: "root\cimv2")
- source: File/Memory
- relevance: 10/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details: CreateToolhelp32Snapshot@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

Found an instant messenger related domain
- details:
  - "*.cdn.skype.com" (Indicator: "skype.com"; File: "network.pcap")
  - "*.dev.skype.com" (Indicator: "skype.com"; File: "network.pcap")
  - "do.skype.com" (Indicator: "skype.com"; File: "network.pcap")
- source: File/Memory
- relevance: 10/10

System Security

Contains ability to elevate privileges
- details:
  - SetSecurityDescriptorDacl@ADVAPI32.DLL from msiexec.exe (PID: 4056)
  - MakeAbsoluteSD@ADVAPI32.DLL from msiexec.exe (PID: 4056) (2 occurrences)
  - SetSecurityDescriptorDacl@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to lookup privileges
- details: GetSecurityDescriptorDacl@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10

Modifies System Certificates Settings
- details:
  - "msiexec.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0")
  - "msiexec.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10

Unusual Characteristics

Tries to access unusual system drive letters
- details:
  - "msiexec.exe" touched "K:"
  - "msiexec.exe" touched "L:"
  - "msiexec.exe" touched "M:"
  - "msiexec.exe" touched "N:"
  - "msiexec.exe" touched "O:"
  - "msiexec.exe" touched "P:"
  - "msiexec.exe" touched "Q:"
  - "msiexec.exe" touched "R:"
  - "msiexec.exe" touched "S:"
  - "msiexec.exe" touched "T:"
  - "msiexec.exe" touched "U:"
  - "msiexec.exe" touched "V:"
  - "msiexec.exe" touched "W:"
- source: API Call
- relevance: 9/10

Informative (42)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details: "msiexec.exe" at 00014667-00004056-00000033-64559171
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from msiexec.exe (PID: 4056)
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness

Contains ability to query machine time
- details: GetSystemTimeAsFileTime@KERNEL32.DLL from msiexec.exe (PID: 4056)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
  - GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 4056) (9 occurrences)
  - GetVersion@KERNEL32.DLL from msiexec.exe (PID: 4056)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExW@KERNEL32.DLL (Target: "msiexec.exe"; Stream UID: "00014667-00004056-7034-180-00D14A2C")
which is directly followed by "cmp dword ptr [ebp-00000108h], 02h" and "jne 00D17BECh". See related instructions: "...+66 call dword ptr [00D110D8h] ;GetVersionExW+72 cmp dword ptr [ebp-00000108h], 02h+79 jne 00D17BECh" ... from msiexec.exe (PID: 4056) (Show Stream)
Found API call GetVersionExW@KERNEL32.DLL (Target: "msiexec.exe"; Stream UID: "00014667-00004056-7034-96-00D18881")
which is directly followed by "cmp dword ptr [ebp-00000108h], 02h" and "jne 00D18908h". See related instructions: "...+38 lea eax, dword ptr [ebp-00000118h]+44 push eax+45 mov dword ptr [ebp-00000118h], 00000114h+55 call dword ptr [00D110D8h] ;GetVersionExW+61 cmp dword ptr [ebp-00000108h], 02h+68 jne 00D18908h" ... from msiexec.exe (PID: 4056) (Show Stream)
Found API call GetVersionExW@KERNEL32.DLL (Target: "msiexec.exe"; Stream UID: "00014667-00004056-7034-97-00D18922")
which is directly followed by "cmp dword ptr [ebp-00000108h], 02h" and "jne 00D18970h". See related instructions: "...+0 mov edi, edi+2 push ebp+3 mov ebp, esp+5 sub esp, 00000118h+11 mov eax, dword ptr [00D1E00Ch]+16 xor eax, ebp+18 mov dword ptr [ebp-04h], eax+21 lea eax, dword ptr [ebp-00000118h]+27 push eax+28 mov dword ptr [ebp-00000118h], 00000114h+38 call dword ptr [00D110D8h] ;GetVersionExW+44 cmp dword ptr [ebp-00000108h], 02h+51 jne 00D18970h" ... from msiexec.exe (PID: 4056) (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.dll (Show Stream)
GetProcessHeap@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"msiexec.exe" queries volume information of "C:\" at 00014667-00004056-00000046-64682363
"msiexec.exe" queries volume information of "C:\share" at 00014667-00004056-00000046-67113575
"msiexec.exe" queries volume information of "C:\" at 00014667-00004056-00000046-82189585 - source
- API Call
- relevance
- 2/10
-
Queries volume information of an entire harddrive
- details
-
"msiexec.exe" queries volume information of "C:\" at 00014667-00004056-00000046-64682363
"msiexec.exe" queries volume information of "C:\" at 00014667-00004056-00000046-82189585 - source
- API Call
- relevance
- 8/10
-
Reads the active computer name
- details
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
Reads the registry for installed applications
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
"msiexec.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE") - source
- Registry Access
- relevance
- 10/10
-
Contains ability to query machine time

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/58 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Accesses Software Policy Settings
- details:
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "")
- source: Registry Access
- relevance: 10/10

Accesses System Certificates Settings
- details:
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- source: Registry Access
- relevance: 10/10
Contacts domains
- details
-
"raw.githubusercontent.com"
"aka.ms" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"92.122.53.40:80"
"68.232.34.200:443"
"151.101.0.133:443" - source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"Z PE3((@))@($0(@.f/>`SaT"""##6#X#{######$9$K$c$$$$$$$%#%5%G%%%%%&F&X&x&&&&&'5'W'q'''?((())*S***+;+U+g++-1-K-m-w-RSDS-ZB#C:\JobRelease\win\Release\custact\x86\AICustAct.pdbGCTL0.text$di0l.text$mn""
"msiexec.pdb"
"C:\JobRelease\win\Release\custact\x86\AICustAct.pdb"
"C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"msiexec.exe" created file "%TEMP%\MSIADF4.tmp"
"msiexec.exe" created file "%TEMP%\MSIAE72.tmp"
"msiexec.exe" created file "%TEMP%\MSIAE83.tmp"
"msiexec.exe" created file "%TEMP%\MSIAED2.tmp"
"msiexec.exe" created file "%TEMP%\MSIAEE3.tmp"
"msiexec.exe" created file "%TEMP%\MSIDC77.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Global\_MSIExecute" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MSIAE83.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIDC77.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIAEE3.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIADF4.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIAED2.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIAE72.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 72010000
- source
- Loaded Module
-
Opened the service control manager
- details
-
"msiexec.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"msiexec.exe" called "OpenSCManager" requesting access rights "0XE0000000L" - source
- API Call
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Reads configuration files
- details
- "msiexec.exe" read file "%WINDIR%\win.ini"
- source
- API Call
- relevance
- 4/10
-
Scanning for window names
- details
- "msiexec.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Accesses Software Policy Settings

Installation/Persistence

Contains ability to lookup the windows account name
- details: LookupAccountNameW@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

Dropped files
- details:
  - "5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7" has type "data"
  - "MSIAE83.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_A10DE0D0D53FE1A1DA4A3BEC65F7BA2A" has type "data"
  - "MSIDC77.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" has type "data"
  - "MSIAEE3.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIADF4.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIAED2.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIAE72.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "data"
- source: Binary File
- relevance: 3/10

Drops executable files
- details:
  - "MSIAE83.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIDC77.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIAEE3.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIADF4.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIAED2.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIAE72.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Found a string that may be used as part of an injection method
- details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
Monitors specific registry key for changes
- details
-
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 1039872)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 35585280)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 35578113)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 35578113)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 35585281)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 35585281) - source
- API Call
- relevance
- 4/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "msiexec.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Scans for the windows taskbar (may be used for explorer injection)
- details
- "msiexec.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Touches files in the Windows directory
- details
-
"msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\msiexec.exe"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\en-US\msiexec.exe.mui"
"msiexec.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\msimsg.dll"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
"msiexec.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\en-US\KernelBase.dll.mui"
"msiexec.exe" touched file "%WINDIR%\AppPatch\msimain.sdb"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\sxs.dll"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\ar-SA\sxs.DLL.mui" - source
- API Call
- relevance
- 7/10
-
Contains ability to lookup the windows account name

Network Related

Found potential URL in binary/memory
- details: pattern and heuristic matches on URL-like strings in binary/memory
Heuristic match: "Rif_9vqQ/K45 %y6 >'a~s1_<tfp`5K9ft\Z.sI"
Heuristic match: "i=)?^gK(.@.cU"
Pattern match: "xu.gwcx/iD"
Pattern match: "lofGufiB.RE.LHJ/7$"
Heuristic match: "9Hk19c)c{'A!8old\@`v.VA"
Pattern match: "bt.sT/Za;Us=L2Z(L'nbZtP/&PplFl4u_hl1bi97-ACX^cH)C:8Pob\0*d"
Heuristic match: "n<s+o/rex^n>~_|*sr+uv$d`q~4caCOK'u/t}4M.sR"
Pattern match: "ep.dk/s19|s@y73v4^"
Pattern match: "a.Wm/,6YUd`VGwmL/g/v9ze"
Pattern match: "CHCfCpN.yhG/#B5C*APBhC"
Pattern match: "D.cE/{/h,vY+HRh"
Pattern match: "LsN.dd/a$w*lS$EajMWU3P2GS*kUv"
Heuristic match: "AM&ssi.bT"
Pattern match: "5eL.HO/tzx];_J]lT:k"
Pattern match: "S.JZyY/u^Wj123Na\$a&pao"
Pattern match: "1.qz/UCz@@kd9Uz\dA"
Pattern match: "8.Mc/r_"
Pattern match: "5k.fbtt/k1OrYN:g4hwC"
Heuristic match: "`[%~Q.W 2c?O`7Q4o.pe"
Heuristic match: "/l>._:%Y8Set(^%1{h?d#yC!L1b!W,?ry!G]3v+jhw3 qqKa~-=}7gOX<}nXYbP;6V#UxwSjn7|cQaE<ef(6JyeZnGf@6WN8-9fXY>/83{<fXq{mxQmn54GG+R[QbB~S=+fH/6F~v#-w`q4v#aMfC{k.Sd"
Heuristic match: "h9peRH!1.t^6Tp_3%{9Fb\!bNgFtvv;rBW,2:dd-vMUp3~I{{S~.={(~;vb{c^l;L[AEDPn;JXfKoYPy8@'U(soXj.HM"
Pattern match: "tBG.ldu/qbShRg"
Pattern match: "7.Ey/hgh"
Pattern match: "fU-P4uaX.dO/B~U"
Heuristic match: "&{2ZK9l]vA66W]q5{F1L(.Sl"
Pattern match: "P.TZ/J8K,t"
Heuristic match: "[+O+ m7nk48Noq?JI#G;w'oHV\<}R:<x^:%G|W Wneg;-NDYiX,[,=olwz':yY\!+.CA"
Heuristic match: "sUU 6`,)BPRy`Zb_YQv[MVeg~19S5R{/Q`ne't)[zIBkl<_2f9| (U*d6#Bp&Dz%>VhN<~gqyYwgV{W,$eJ:.LS"
Pattern match: "vVxL.Te/]Oy32.DzZV~Zwu4yuqq#kG?[YMe={~/On3c_*|h"
Pattern match: "imI3m.xx/+vv8qNVlCC"
Heuristic match: "GIatKd7q^y-)}k&`soJI,,hv/#;+R=P&JLN9(~ 1I-0.SY"
Heuristic match: "x`EqB[Yi!<nB!Et_w\`d~Z:D$a2)p|d+{bKi/'>^:,Yn,twtwcks.H_GRFGYAH&?fC*>cpt=?F2|wax3{qx,[/&U=Q2+Exd!8<Q!`F!=<P@R=C:3az4IdS]Sp.H7w2^TC+WAtjT#$+Cz'z9-G.4B?&zZ4M\5Lk>1tq7yn4tya[&kNm2kL<hM#a/4,`/ww=yV9o^zU d)]/gRMUaqBfB WW84:_/oxtD#9FD7PYx)bz=*z0c!.ET"
Pattern match: "7.mPis/Nw&"
Pattern match: "pXKB.xC/%9=L8~a~gGg#@JUc*?mUT5M*I5_+hd.+&d"
Pattern match: "y-.cQ/CK=tT3$4jim"
Heuristic match: ",S6T~!,yqWiYf7{zA`^lv6|:)A~)78l+0^wev%V32jL.MC"
Pattern match: "kMHny.QA/ik44\l:0:0:auau$0:bw\Xa1=}CI:R5:m7hD"
Pattern match: "KY.bQ/Tlqr'H_}Uv.Y*.Dnn@u,t"
Pattern match: "Digk.fW/RO9Q4feo"
Heuristic match: "~IR`VHH-gYfd)TlBu>.Scj~UZ*&ZKeSAIxu cfhg+[Z<L)V\>fl|&C.+B|S3jD#.lr"
Pattern match: "n.wTZ/m&"
Pattern match: "6rh9c.PH/0_"
Pattern match: "yj.qm/sEKA.5dmja"
Heuristic match: "}N!BqD%'Q81{eCkP@9 F g.E1!40F$E7$!P(,JxA?>gEA9r3ve!w1\]?.AX"
Pattern match: "jd.bIe/ER+wZ'olo7"
Pattern match: "5t.Zx/lB]/p}WS|"
Heuristic match: "zyME<^+@g7UMx=C97A[T%_*B#v2.mV"
Heuristic match: "x ryzfyuuwM=]:6j9,AX{G&IPD A~czD;Y4fr23Wt|2uZ|z?;/%V'=PQm/X}zY@IEVi@wVT`@YR5F09R`2d!OMMQ8G5orZQkaZ|^tJoa.&qEf$x-S8l]Z1'/w5sy7W^.CG"
Pattern match: "it.pv/0YW~NE4EozEEs_~h#ZBxmXiKQao"
Pattern match: "E.te/0zNAsy1s\c}rW!qX7Vp=/$h!j"
Pattern match: "V.Pv/j:?W"
Pattern match: "Fy0.lo/}y_[WGp'k?UKB%\AyIiHQzs,h%o,Ek"
Heuristic match: "hYi?zK{/hrF>eesR|AEk\gJ 39Ax@ytHzgzzsn$'6?ohGI?AWnIO<L@{C>u^ x4t$}DMTDasI1.BJ"
Pattern match: "WIa.On/O@IuSby,5;ne5s_EaViIAGh"
Pattern match: "x.AaE/s`SDae%=X]H!@"
Pattern match: "M89zW.jSE/%h8O7w3z5WYj,I"
Heuristic match: "\B(Un.ar"
Heuristic match: "h)..^H 2(tvz`xSlw{s=P-VNK.za"
Pattern match: "https://secure.comodo.net/CPS0CU"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q+e0c0;+0/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$+0http://ocsp.comodoca.com0"
Heuristic match: "+71L0J(&Simple DNSCrypt x64https://simplednscrypt.org/ 0"
Pattern match: "http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(U!0010UTimeStamp-2048-60Un_;1y6{0U#0cNrA)8ub0"
Pattern match: "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dw"
Pattern match: "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEC58h8wOk0pS%2F"
Pattern match: "http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSSdxXdG447ymkRNPVViULv3rkBzQQUKZFg%2F4pN%2Buv5pmq4z%2FnmS71JzhICEQD0FdOaCfZ"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://www.google.com"
Pattern match: "http://www.yahoo.com"
Pattern match: "http://www.example.com" - source
- File/Memory
- relevance
- 10/10
-
System Destruction
-
Marks file for deletion
- details
-
"%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSIADF4.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSIAE72.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSIAE83.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSIAED2.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSIAEE3.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "C:\MSI3aefe.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSIDC77.tmp" for deletion - source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"msiexec.exe" opened "%TEMP%\MSIADF4.tmp" with delete access
"msiexec.exe" opened "%TEMP%\MSIAE72.tmp" with delete access
"msiexec.exe" opened "%TEMP%\MSIAE83.tmp" with delete access
"msiexec.exe" opened "%TEMP%\MSIAED2.tmp" with delete access
"msiexec.exe" opened "%TEMP%\MSIAEE3.tmp" with delete access
"msiexec.exe" opened "C:\MSI3aefe.tmp" with delete access
"msiexec.exe" opened "%SAMPLEDIR%\MSI3aeff.tmp" with delete access
"msiexec.exe" opened "%TEMP%\MSIDC77.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
-
Modifies Software Policy Settings
- details
-
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS") - source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "msiexec.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"msiexec.exe" wrote bytes "c0dfbc771cf9bb77ccf8bb770d64bd7700000000c011d67600000000fc3ed67600000000e013d676000000009457cb7625e0bc77c6e0bc7700000000bc6aca7600000000cf31d676000000009319cb76000000002c32d67600000000" to virtual address "0x75601000" (part of module "NSI.DLL")
"msiexec.exe" wrote bytes "7111d9017a3bd801ab8b02007f950200fc8c0200729602006cc805001ecdd5017d26d501" to virtual address "0x75E907E4" (part of module "USER32.DLL") - source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME") - source
- Registry Access
- relevance
- 3/10
File Details
SimpleDNSCrypt64.msi
- Filename
- SimpleDNSCrypt64.msi
- Size
- 7.2MiB (7508992 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {7C85CA01-EB1D-45BF-8E1E-8C429AC56F74}, Number of Words: 2, Subject: Simple DNSCrypt x64, Author: bitbeans, Name of Creating Application: Advanced Installer 14.7 build 9cf640d4e3, Template: x64;1033, Comments: This installer database conta
- Architecture
- WINDOWS
- SHA256
- a1643a6467fc57a6f70d3b7d95a36de3bf64082025e046b5e9b3f31695b00859
- MD5
- 5dafe8e99335ec37b2634e3cfe442fa7
- SHA1
- 034b98262e164640a73b25095ccbef599fc1a07b
Classification (TrID)
- 89.3% (.MSI) Microsoft Windows Installer
- 9.4% (.MST) Windows SDK Setup Transform Script
- 1.2% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total.
- msiexec.exe /i "C:\SimpleDNSCrypt64.msi" (PID: 4056)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
raw.githubusercontent.com | 151.101.120.133 (TTL: 12) | MarkMonitor, Inc. (Organization: GitHub, Inc.; Name Server: NS-1411.AWSDNS-48.ORG; Creation Date: Thu, 06 Feb 2014 00:00:00 GMT) | United States |
aka.ms | - | CSC Corporate Domains (Organization: Microsoft Corporation; Name Server: asia1.akam.net; Creation Date: Thu, 20 Jan 2011 16:48:05 GMT) | - |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
92.122.53.40 | 80 TCP | - | European Union |
68.232.34.200 | 443 TCP | simplednscrypt.exe (PID: 4704) | United States |
151.101.0.133 | 443 TCP | simplednscrypt.exe (PID: 4704) | United States |
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 10 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.
-
Clean 6
-
-
MSIADF4.tmp
- Size
- 216KiB (221344 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- d261a064a6612a2b5f8774e55d49e8bb
- SHA1
- a4ac194b86202bc8ad412a642f42ce1aeca2c433
- SHA256
- 83a68300f22fa9f45fea46e16aada7887c3b8b09cef3faf098c30b428e6a4629
-
MSIAE72.tmp
- Size
- 216KiB (221344 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- d261a064a6612a2b5f8774e55d49e8bb
- SHA1
- a4ac194b86202bc8ad412a642f42ce1aeca2c433
- SHA256
- 83a68300f22fa9f45fea46e16aada7887c3b8b09cef3faf098c30b428e6a4629
-
MSIAE83.tmp
- Size
- 216KiB (221344 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- d261a064a6612a2b5f8774e55d49e8bb
- SHA1
- a4ac194b86202bc8ad412a642f42ce1aeca2c433
- SHA256
- 83a68300f22fa9f45fea46e16aada7887c3b8b09cef3faf098c30b428e6a4629
-
MSIAED2.tmp
- Size
- 375KiB (384160 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- 1d5bf0c2a610dd324f0e1990cdf3b65f
- SHA1
- c94c6f943b0fad5a05351a2fd62e93e75b17faad
- SHA256
- 3b16c4678f727d35db5e033883cd943e8bb0b84ee15afeb18cf796ae2372e1e9
-
MSIAEE3.tmp
- Size
- 216KiB (221344 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- d261a064a6612a2b5f8774e55d49e8bb
- SHA1
- a4ac194b86202bc8ad412a642f42ce1aeca2c433
- SHA256
- 83a68300f22fa9f45fea46e16aada7887c3b8b09cef3faf098c30b428e6a4629
-
MSIDC77.tmp
- Size
- 216KiB (221344 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- d261a064a6612a2b5f8774e55d49e8bb
- SHA1
- a4ac194b86202bc8ad412a642f42ce1aeca2c433
- SHA256
- 83a68300f22fa9f45fea46e16aada7887c3b8b09cef3faf098c30b428e6a4629
-
-
Informative 4
-
-
5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4
- Size
- 471B (471 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- 409f0eb620ed4d59cf8bf3753b313783
- SHA1
- 35a4f30d5e82069fb9395bb0e82439128a2d88a2
- SHA256
- 7afb0992edc69c3b02ef60464ca7d77ffe38fac6ac955c90988b0c51abb66566
-
57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size
- 340B (340 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- d1eb7dbb1154a118b942362451b442fa
- SHA1
- 3352edc8ac131879d2512707448e2200b182afd9
- SHA256
- 7ede0a90ea737f8a77106cf007b78ddfacfaa429182a7d887fd9372d0645265c
-
5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
- Size
- 727B (727 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- 9beda9d6c5dc4b54f58acf78980d4cb2
- SHA1
- 404dd8ba2c55a41c6dff33e0ad0301cf1f5c2aeb
- SHA256
- 38f897bbe4471e49ff8324284d4cd62734483070d4d078efdf96bdb2775e31f1
-
D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_A10DE0D0D53FE1A1DA4A3BEC65F7BA2A
- Size
- 408B (408 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 4056)
- MD5
- 94e97e3b17a11ab3408f03440905a45e
- SHA1
- be6559379c4d85025e09dcc2993166457b217dfd
- SHA256
- c692990c7f8b1a6ac1fc21e4de2d7e594d92b64c317477ef443881701bc31128
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report