GlobalProtect64-5.2.9.msi
This report is generated from a file or URL submitted to this webservice on December 16th 2021 14:04:52 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.50.2 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Writes data to a remote process
- Fingerprint: Reads the windows installation language
- Evasive: Possibly tries to implement anti-virtualization techniques
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 2
Installation/Persistence
Writes data to a remote process
- details:
"msiexec.exe" wrote 1500 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 440)
"msiexec.exe" wrote 8 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 440)
"msiexec.exe" wrote 4 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 440)
"msiexec.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 440)
"msiexec.exe" wrote 52 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 440) - source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055 (Show technique in the MITRE ATT&CK™ matrix)
Hiding 1 Malicious Indicators
Suspicious Indicators 10
Anti-Detection/Stealthyness
Queries kernel debugger information
- details:
"msiexec.exe" at 00000000-00002340-00000033-1625995
"msiexec.exe" at 00000000-00004080-00000033-1838855
"MsiExec.exe" at 00000000-00003708-00000033-13223472441606018
"dismhost.exe" at 00000000-00000924-00000033-1904903 - source
- API Call
- relevance
- 6/10
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details:
"vboxvideo.inf" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: %WINDIR%\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_282ccc1684d6e163\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\VBoxGuest.cat]" (Indicator: "vbox")
"2017-12-11 20:24:00, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\VBoxGuest.cat]" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_bc42bb1917d1bc65\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\VBoxGuest.cat]" (Indicator: "vbox")
"2018-02-20 09:38:55, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\VBoxGuest.cat]" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_e9f3789e40cc2499\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vbox")
"2019-01-03 17:11:42, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vbox")
"2019-01-03 17:11:43, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2019-03-21 15:34:49, Info DISM API: PID=2344 TID=1716 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_9bc3c1389d21f9ef\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox") - source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1497 (Show technique in the MITRE ATT&CK™ matrix)
Reads the cryptographic machine GUID
- details:
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"MsiExec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"dismhost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1082 (Show technique in the MITRE ATT&CK™ matrix)
General
Found a potential E-Mail address in binary/memory
- details: Pattern match: "rql@pkt.6e"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114
Installation/Persistence
Drops executable files
- details:
"dismhost.exe.61BB4A6D.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"MSIFA35.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 10/10
Unusual Characteristics
Drops cabinet archive files
- details: "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"
- source: Binary File
- relevance: 10/10
Installs hooks/patches the running process
- details:
"MsiExec.exe" wrote bytes "711102027a3b0102ab8b02007f950200fc8c0200729602006cc805001ecdfe017d26fe01" to virtual address "0x755407E4" (part of module "USER32.DLL")
"MsiExec.exe" wrote bytes "c0df50771cf94f77ccf84f770d64517700000000c0113f7500000000fc3e3f7500000000e0133f75000000009457d17625e05077c6e0507700000000bc6ad07600000000cf313f75000000009319d176000000002c323f7500000000" to virtual address "0x75501000" (part of module "NSI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1056.004 (Show technique in the MITRE ATT&CK™ matrix)
Reads the windows installation language
- details: "MsiExec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LANGUAGE"; Key: "INSTALLLANGUAGEFALLBACK")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012
Tries to access unusual system drive letters
- details:
"msiexec.exe" touched "K:"
"msiexec.exe" touched "L:"
"msiexec.exe" touched "M:"
"msiexec.exe" touched "N:"
"msiexec.exe" touched "O:"
"msiexec.exe" touched "P:"
"msiexec.exe" touched "Q:"
"msiexec.exe" touched "R:"
"msiexec.exe" touched "S:"
"msiexec.exe" touched "T:"
"msiexec.exe" touched "U:"
"msiexec.exe" touched "V:"
"msiexec.exe" touched "W:" - source
- API Call
- relevance
- 9/10
- ATT&CK ID
- T1083 (Show technique in the MITRE ATT&CK™ matrix)
Hiding 1 Suspicious Indicators
Informative 32
Anti-Detection/Stealthyness
Detected MSIEXEC process execution
- details:
Process "msiexec.exe" with commandline "/V" (Show Process)
Process "MsiExec.exe" with commandline "-Embedding DFADBA865624A7D929C2174DB6050E24 C" (Show Process) - source
- Monitored Target
- relevance
- 2/10
- ATT&CK ID
- T1218.007 (Show technique in the MITRE ATT&CK™ matrix)
Environment Awareness
Contains ability to read software policies
- details:
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "LEVELS")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "SAFERFLAGS")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "DEFAULTLEVEL")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "POLICYSCOPE")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "LOGFILENAME")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "AUTHENTICODEENABLED")
"MsiExec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SAFER\CODEIDENTIFIERS"; Key: "TRANSPARENTENABLED") - source
- Registry Access
- relevance
- 1/10
- ATT&CK ID
- T1082 (Show technique in the MITRE ATT&CK™ matrix)
Queries the installation properties of user installed products
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\F25DEEC27BC236A4EA0939F46860E480\INSTALLPROPERTIES")
- source: Registry Access
- relevance: 10/10
Queries volume information
- details:
"msiexec.exe" queries volume information of "C:\" at 00000000-00002340-00000046-13223472439343213
"msiexec.exe" queries volume information of "C:\" at 00000000-00004080-00000046-3387630 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
Queries volume information of an entire harddrive
- details:
"msiexec.exe" queries volume information of "C:\" at 00000000-00002340-00000046-13223472439343213
"msiexec.exe" queries volume information of "C:\" at 00000000-00004080-00000046-3387630 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
External Systems
Sample was identified as clean by Antivirus engines
- details: 0/57 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General
Accesses Software Policy Settings
- details:
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
Accesses System Certificates Settings
- details:
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\AUTOUPDATE"; Key: "DISALLOWEDCERTSYNCDELTATIME")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\Global\MSILOG_252e20601d7f27eGOL.32aISM_pmeT_lacoL_ataDppA_Yr9HEtY_sresU_:C"
"Global\MSILOG_252e20601d7f27eGOL.32aISM_pmeT_lacoL_ataDppA_Yr9HEtY_sresU_:C" - source
- Created Mutant
- relevance
- 3/10
Drops files marked as clean
- details: Antivirus vendors marked dropped file "dismhost.exe.61BB4A6D.bin" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows"), Antivirus vendors marked dropped file "MSIFA35.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10
Overview of unique CLSIDs touched in registry
- details:
"msiexec.exe" touched "Msi install server" (Path: "HKCU\CLSID\{000C101C-0000-0000-C000-000000000046}\LOCALSERVER32")
"msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
"msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{000C103E-0000-0000-C000-000000000046}\TREATAS")
"dismhost.exe" touched "PSSupportErrorInfo" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{DF0B3D60-548F-101B-8E65-08002B2BD119}\TREATAS")
"dismhost.exe" touched "PSDispatch" (Path: "HKLM\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS") - source
- Registry Access
- relevance
- 3/10
Process launched with changed environment
- details:
Process "msiexec.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, Path, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "msiexec.exe" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, PROMPT, HOMEPATH, HOMEDRIVE"
Process "MsiExec.exe" (Show Process) was launched with new environment variables: "LOGONSERVER="\\HAPUBWS-PC", PROMPT="$P$G", HOMEPATH="\Users\YtEH9rY", HOMEDRIVE="C:""
Process "MsiExec.exe" (Show Process) was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
Process "dismhost.exe" (Show Process) was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
Process "dismhost.exe" (Show Process) was launched with missing environment variables: "LOGONSERVER, PROMPT, HOMEPATH, HOMEDRIVE" - source
- Monitored Target
- relevance
- 10/10
Reads Windows Trust Settings
- details: "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012
Sample shows a variety of benign indicators
- details: The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source: Indicator Combinations
- relevance: 10/10
Scanning for window names
- details: "msiexec.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010
Spawns new processes
- details:
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "MsiExec.exe" with commandline "-Embedding DFADBA865624A7D929C2174DB6050E24 C"
Spawned process "dismhost.exe" with commandline "{4CFF0FFB-22ED-4941-8C76-1FF01C6A2D01}"
- source: Monitored Target
- relevance: 3/10
Spawns new processes that are not known child processes
- details:
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "MsiExec.exe" with commandline "-Embedding DFADBA865624A7D929C2174DB6050E24 C"
Spawned process "dismhost.exe" with commandline "{4CFF0FFB-22ED-4941-8C76-1FF01C6A2D01}"
- source: Monitored Target
- relevance: 3/10
The input sample is signed with a certificate
- details:
The input sample is signed with a certificate issued by "C=US, S=California, L=Santa Clara, O=Palo Alto Networks, CN=Palo Alto Networks" (SHA1: 8D:D3:B0:09:E2:ED:35:64:79:E3:14:54:08:6F:B6:99:EE:97:BA:AD: (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA" (SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6: (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA" (SHA1: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43: (sha1RSA(RSA)); see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1553.002
The input sample is signed with a valid certificate
- details: The entire certificate chain of the input sample was validated successfully.
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1553.002
Installation/Persistence
Connects to LPC ports
- details: "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10
Dropped files
- details:
"dismhost.exe.61BB4A6D.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"MSIFA35.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"66AE3BFDF94A732B262342AD2154B86E_46724C943F6B7C6A5058FD2AB6AD0E82" has type "data"
"42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5" has type "data"
"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"
"dism.log" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
"57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "data" - source
- Binary File
- relevance
- 3/10
Found a string that may be used as part of an injection method
- details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1055.011
Monitors specific registry key for changes
- details:
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 2000749313)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 1) - source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
Scans for the windows taskbar (may be used for explorer injection)
- details: "msiexec.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1055.011
Touches files in the Windows directory
- details:
"msiexec.exe" touched file "%WINDIR%\AppPatch\AppPatch64\sysmain.sdb"
"msiexec.exe" touched file "C:\Windows\AppPatch\msimain.sdb"
"msiexec.exe" touched file "C:\Windows\system32\ar-SA\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\bg-BG\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\cs-CZ\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\da-DK\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\de-DE\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\el-GR\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\en\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\es-ES\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\et-EE\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\fi-FI\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\fr-FR\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\he-IL\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\hr-HR\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\hu-HU\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\it-IT\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\ja-JP\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\ko-KR\sxs.DLL.mui"
"msiexec.exe" touched file "C:\Windows\system32\lt-LT\sxs.DLL.mui" - source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details:
Heuristic match: "peType of the serviceStartNameUser or object name to run service asStartTypeCatalogSFP CatalogDependencyParent catalog - only used by SFPFile name for the catalog.ShortcutThe command-line arguments for the shortcut.Foreign key into the Component table deno"
Pattern match: "crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X"
Pattern match: "http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0"
Pattern match: "crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z"
Pattern match: "http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0"
Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T"
Pattern match: "www.microsoft.com/pki/certs/MicrosoftRootCert.crt0"
Pattern match: "http://microsoft.com0"
Pattern match: "www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a"
Pattern match: "www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0"
Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^"
Pattern match: "www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0"
Pattern match: "www.microsoft.com/pkiops/docs/primarycps.htm0@"
Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z"
Pattern match: "http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0"
Pattern match: "www.microsoft.com/PKI/docs/CPS/default.htm0@"
Pattern match: "crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z"
Pattern match: "http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0"
Heuristic match: "0-lZ7k,Z.In"
Heuristic match: "iA[|/,,,..jo"
Heuristic match: "IcbQ_.mZ"
Heuristic match: "B,,cDQ.Sn"
Heuristic match: "ftHVhs.aE"
Heuristic match: "?F\4[QnE.GN"
Heuristic match: "kdCe\a.fO" - source
- File/Memory
- relevance
- 10/10
System Destruction
Marks file for deletion
- details: "%WINDIR%\System32\msiexec.exe" marked "%TEMP%\MSIFA35.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1070.004
Opens file with deletion access rights
- details: "msiexec.exe" opened "%TEMP%\MSIFA35.tmp" with delete access
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1070.004
System Security
Creates or modifies windows services
- details: "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Modifies Software Policy Settings
- details:
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
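Added check (editor's example, not part of the report): every entry in this indicator is a key creation under SOFTWARE\Policies\Microsoft\SystemCertificates with no value written. Creating these Group Policy store containers is a known side effect of a process opening the corresponding system certificate store (CA, Root, Disallowed, TrustedPeople) through CryptoAPI, so on their own the entries do not show that trust settings changed. A certificate that had actually been deployed by policy would appear as a subkey named by its SHA1 thumbprint with a Blob value under one of the *\Certificates keys; a new entry under Root is the case that matters, since it would add a trusted root CA for every user. The PowerShell below enumerates exactly the stores named in the indicator, in HKLM and HKCU, on the host where the MSI was installed, and prints whatever is really in them. The registry paths are those listed above; nothing outside them is assumed.

```powershell
# Editor's example, not the report's or Palo Alto Networks' code.
function Get-PolicyStoreCertificates {
    # Yields one object per certificate, CRL or CTL found in the policy-driven stores
    # that the sandbox saw msiexec.exe create. An empty result means the keys are empty containers.
    $hives  = 'HKLM:', 'HKCU:'
    $stores = 'CA', 'Root', 'Disallowed', 'TrustedPeople'
    $kinds  = 'Certificates', 'CRLs', 'CTLs'
    foreach ($hive in $hives) {
        foreach ($store in $stores) {
            foreach ($kind in $kinds) {
                $key = "$hive\SOFTWARE\Policies\Microsoft\SystemCertificates\$store\$kind"
                if (-not (Test-Path -Path $key)) { continue }
                foreach ($entry in Get-ChildItem -Path $key) {
                    # Each element is a subkey named by thumbprint; the Blob value holds the
                    # serialized element. Parse certificates so the subject is visible.
                    $blob = (Get-ItemProperty -Path $entry.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
                    $subject  = '(not parsed)'
                    $notAfter = $null
                    if ($kind -eq 'Certificates' -and $blob) {
                        try {
                            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                                -ArgumentList (,[byte[]]$blob)
                            $subject  = $cert.Subject
                            $notAfter = $cert.NotAfter
                        } catch {
                            # Keep going: the thumbprint (key name) still identifies the entry.
                        }
                    }
                    [pscustomobject]@{
                        Hive       = $hive.TrimEnd(':')
                        Store      = $store
                        Kind       = $kind
                        Thumbprint = $entry.PSChildName
                        Subject    = $subject
                        NotAfter   = $notAfter
                    }
                }
            }
        }
    }
}

$found = @(Get-PolicyStoreCertificates)
if ($found.Count -eq 0) {
    'Policy certificate stores are empty: the keys created during install are bare containers.'
} else {
    # Anything under Root or Disallowed changes what the machine trusts; review it before deploying.
    $found | Sort-Object Store, Hive | Format-Table -AutoSize
}
```

Run it before and after the installation on a test host and diff the two outputs; a difference limited to key existence, with no rows reported, confirms the indicator is store-open noise rather than a trust change.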
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"msiexec.exe" opened "\Device\KsecDD"
"MsiExec.exe" opened "\Device\KsecDD"
"dismhost.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Reads information about supported languages
- details
-
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "DRVSTORE")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "GROUPPOLICY")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "IAS")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "INETSRV")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "IME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "ICSXML")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "MANIFESTSTORE")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "MSDTC")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "NDF")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "NETWORKLIST")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "RESTORE")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "SETUP")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "SPPUI")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "SYSPREP")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "TASKS")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "WAT")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "WFP")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "WINRM")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "WINEVT") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
File Details
GlobalProtect64-5.2.9.msi
- Filename
- GlobalProtect64-5.2.9.msi
- Size
- 41MiB (42734592 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: x64;1033, Number of Pages: 200, Revision Number: {74FE5FAF-69CF-4EFD-A8EA-304713F8C90F}, Title: GlobalProtect64, Author: Palo Alto Networks, Comments: GlobalProtect 64bit, Number of Words: 2, Last Saved Time/Date: Mon Nov 29 18:52:28 2021, Last Printed: Mon Nov 29 18:52:28 2021
- Architecture
- WINDOWS
- SHA256
- b7ed1de2cdb53a975dc7cd84e87e2bab40db1899a611359d2a3128080c055034
- MD5
- 20afaf73b1b7b18411beb9017e0753ba
- SHA1
- c0a5c151ef505f3ca60ecfa1fb4e1285da73f1a6
- ssdeep
- 786432:T+P+v+AwGcRBkwmInwgwPrwjlpo8z1W8eM8KoamfPDBA7kb4Hx5O5XBa:6GmAHezTyDopo8z1iMPmXV14R5O5R
Classification (TrID)
- 89.6% (.MSI) Microsoft Windows Installer
- 8.7% (.MSP) Windows Installer Patch
- 1.5% (.) Generic OLE2 / Multistream Compound File
File Certificates
Certificate chain was successfully validated.
| Owner | Issuer | Serial | Validity | SHA1 fingerprint | Signature algorithm |
|---|---|---|---|---|---|
| C=US, S=California, L=Santa Clara, O=Palo Alto Networks, CN=Palo Alto Networks | C=US, S=California, L=Santa Clara, O=Palo Alto Networks, CN=Palo Alto Networks | 0e7d062ff20462e6a208ed2d1945a0d9 | 05/14/2021 01:00:00 to 05/23/2024 00:59:59 | 8D:D3:B0:09:E2:ED:35:64:79:E3:14:54:08:6F:B6:99:EE:97:BA:AD | 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) |
| C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA | 0409181b5fd5bb66755343b56f955008 | 10/22/2013 13:00:00 to 10/22/2028 13:00:00 | 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6 | 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) |
| C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA | 0ce7e0e517d846fe8fe560fc1bf03039 | 11/10/2006 01:00:00 to 11/10/2031 01:00:00 | 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43 | sha1RSA (RSA) |
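Added check (editor's example, not part of the report): the chain validation above was performed inside the Windows 7 guest on the analysis date. Before deploying the package, repeat it locally and pin it to the values the report recorded, because a valid signature from some other publisher would still pass a plain Get-AuthenticodeSignature. The PowerShell below compares the three hashes from File Details, requires a Valid Authenticode status (signature verifies and the chain builds to a root trusted on the checking host), confirms that the signer's thumbprint and subject match the leaf certificate in the table, and reports whether the signature carries a timestamp, which matters because the leaf certificate's validity ends 05/23/2024. The MSI path is an assumption; the expected values are copied from the sections above.

```powershell
# Editor's example, not the report's or Palo Alto Networks' code.
$MsiPath = 'C:\GlobalProtect64-5.2.9.msi'   # assumption: where the submitted file was saved

# Values recorded by the sandbox (File Details and File Certificates above).
$ExpectedHashes = @{
    SHA256 = 'b7ed1de2cdb53a975dc7cd84e87e2bab40db1899a611359d2a3128080c055034'
    SHA1   = 'c0a5c151ef505f3ca60ecfa1fb4e1285da73f1a6'
    MD5    = '20afaf73b1b7b18411beb9017e0753ba'
}
$ExpectedSignerThumbprint = '8DD3B009E2ED356479E31454086FB699EE97BAAD'   # leaf SHA1 fingerprint, colons removed
$ExpectedSubjectCN        = 'CN=Palo Alto Networks'

function Test-MsiIdentity {
    param([string]$Path, [hashtable]$Hashes, [string]$Thumbprint, [string]$SubjectCN)
    $result = [ordered]@{}

    # 1. Every hash must match; one algorithm agreeing is not enough to pin the artefact.
    foreach ($alg in $Hashes.Keys) {
        $actual = (Get-FileHash -Path $Path -Algorithm $alg).Hash
        $result["Hash_$alg"] = ($actual -ieq $Hashes[$alg])
    }

    # 2. Authenticode: Valid only when the signature verifies and the chain ends at a trusted root here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result['SignatureValid'] = ($sig.Status -eq 'Valid')

    # 3. Pin the signer: a valid signature from a different publisher is still a failure.
    $signer = $sig.SignerCertificate
    $result['SignerThumbprint'] = ($null -ne $signer -and $signer.Thumbprint -ieq $Thumbprint)
    $result['SignerSubject']    = ($null -ne $signer -and $signer.Subject -like "*$SubjectCN*")

    # 4. Timestamp presence, relevant once the leaf certificate's validity period has ended.
    $result['Timestamped'] = ($null -ne $sig.TimeStamperCertificate)

    [pscustomobject]$result
}

$check = Test-MsiIdentity -Path $MsiPath -Hashes $ExpectedHashes `
    -Thumbprint $ExpectedSignerThumbprint -SubjectCN $ExpectedSubjectCN
$check | Format-List
$failed = @($check.PSObject.Properties | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Warning ("Identity checks failed: " + (($failed | ForEach-Object { $_.Name }) -join ', '))
}
```

Treat any false value as a stop: a hash mismatch means the file is not the one the sandbox analysed, and a signer mismatch means the report's verdict does not transfer to the file in hand, whatever its signature status.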
Screenshots
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- msiexec.exe /i "C:\GlobalProtect64-5.2.9.msi" (PID: 2340)
- msiexec.exe /V (PID: 4080)
- MsiExec.exe -Embedding DFADBA865624A7D929C2174DB6050E24 C (PID: 3708)
- dismhost.exe {4CFF0FFB-22ED-4941-8C76-1FF01C6A2D01} (PID: 924)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 6 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.
-
Clean 2
-
-
dismhost.exe.61BB4A6D.bin
- Size
- 95KiB (96768 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/66
- MD5
- 516a5fce06bb388499238a5f9286cb74
- SHA1
- 958be7d02fca674fb386482090b9a5024d0a1538
- SHA256
- 9a4b735603297448841758b29d3c387a4ce84e5fd0dae05622f43ce53b8c85e6
-
MSIFA35.tmp
- Size
- 247KiB (252568 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/62
- MD5
- dd2fed15306cbb7f32245077364a8fe1
- SHA1
- 57b96a29654e2ce235afcc209af63706341d2b7b
- SHA256
- 1274cca896f0fd797b330e5ea4605a080da505b7e14ffbbf4181b61ac998c649
-
-
Informative 4
-
-
66AE3BFDF94A732B262342AD2154B86E_46724C943F6B7C6A5058FD2AB6AD0E82
- Size
- 471B (471 bytes)
- Type
- data
- MD5
- bbcbb6cb26e45ff343ea7103ac36cc56
- SHA1
- 14e93850e46acfdc346111a0adc274b3e9a669b7
- SHA256
- 7161b61783a3b7ea34b43a65558647c820ad47a34c6f3030680562c120d19f41
-
42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
- Size
- 434B (434 bytes)
- Type
- data
- MD5
- 3c74b0063bc8ac44c264692d585bed15
- SHA1
- 53364116a474c5c17169819555c703646a9d6bf2
- SHA256
- 581b1edabcdc96787fa6eb092cbf761a1ca751b7ff666b133434b81ea9dc0f3c
-
57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size
- 340B (340 bytes)
- Type
- data
- MD5
- c03510d95c69bc9e214eaa292b6c489a
- SHA1
- 7e7d44e8931f889b0a01a73999212350bac6f111
- SHA256
- 51ebedc54740e2105b4f6546645efb3743ac6627db4baea102f528f123410746
-
dism.log
- Size
- 183KiB (187729 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- MD5
- f72149e209cb0b6ca871fa03821ca794
- SHA1
- 720d829ee6851c559daf3c7f72da1d20af8ec4b7
- SHA256
- ea679659aee70df9ca960020d500e2d4b4df09082ba3d9f79404ae0e9218ce28
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "string-1" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report