ShopStream_Connect_US.exe
This report was generated from a file or URL submitted to this web service on March 13th 2017 21:33:56 (UTC) with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v6.20 © Hybrid Analysis
Incident Response
Risk Assessment
Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
Malicious Indicators 2

External Systems

Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- External System
- relevance
- 5/10

Sample was identified as malicious by at least one Antivirus engine
- details
- 3/60 Antivirus vendors marked sample as malicious (5% detection rate)
- source
- External System
- relevance
- 8/10

Suspicious Indicators 24

Anti-Detection/Stealthiness

Contains ability to open/control a service
- details
- OpenServiceW@ADVAPI32.dll at 7118-1080-10013C3A
- source
- Hybrid Analysis Technology
- relevance
- 8/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details
- "VMware, Inc." (Indicator: "vmware")
- "VMware Virtual Platform" (Indicator: "vmware")
- source
- String
- relevance
- 4/10

Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10

General

Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.dll
- FindResourceW@KERNEL32.dll
- FindResourceW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- FindResourceExW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- LockResource@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- FindResourceW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- FindResourceW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- FindResourceW@KERNEL32.dll at 41995-1954-10012C6F
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Reads configuration files
- details
- "<Input Sample>" read file "%USERPROFILE%\Users\PSPUBWS\Desktop\desktop.ini"
- source
- API Call
- relevance
- 4/10

Installation/Persistence

Drops executable files
- details
- "MSI9E42.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "MSI9E23.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "MSI9DC8.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "MSI9D12.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10

Network Related

Found potential IP address in binary/memory
- details
- "16.4.0.10"
- Heuristic match: "System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
- "4.08.02.0134"
- "4.08.00.0000"
- "16.4.0.2"
- "12.4.0.0"
- source
- String
- relevance
- 3/10

Remote Access Related

Contains references to WMI/WMIC
- details
- "ROOT\CIMV2" (Indicator: "root\cimv2")
- source
- String
- relevance
- 10/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details
- CreateToolhelp32Snapshot@KERNEL32.dll
- CreateToolhelp32Snapshot@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- CreateToolhelp32Snapshot@KERNEL32.dll at 12700-71-1000B5AB
- source
- Hybrid Analysis Technology
- relevance
- 5/10

System Security

Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.dll at 7118-1056-1000AFEE
- SetSecurityDescriptorDacl@ADVAPI32.dll at 41995-1637-1001B099
- source
- Hybrid Analysis Technology
- relevance
- 10/10

Contains ability to look up privileges
- details
- GetSecurityDescriptorDacl@ADVAPI32.dll at 7118-1056-1000AFEE
- GetSecurityDescriptorDacl@ADVAPI32.dll at 41995-1637-1001B099
- source
- Hybrid Analysis Technology
- relevance
- 3/10

Unusual Characteristics

Contains embedded string with suspicious keywords
- details
- Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
- Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
- Found suspicious keyword "Open" which indicates: "May open a file"
- Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Environ" which indicates: "May read system environment variables"
- source
- String
- relevance
- 10/10

Installs hooks/patches the running process
- details
- "msiexec.exe" wrote bytes "40535b7758585c77186a5c77653c5d770000000000bf67760000000056cc6776000000007cca677600000000376898756a2c5d77d62d5d7700000000206998750000000029a6677600000000a48d987500000000f70e677600000000" to virtual address "0x776D1000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10

Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10

Hiding 10 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 22

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll
- SetUnhandledExceptionFilter@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- SetUnhandledExceptionFilter@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- SetUnhandledExceptionFilter@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- SetUnhandledExceptionFilter@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
- Found reference to API DllGetVersion@COMCTL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- Found reference to API LoadIconMetric@COMCTL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- source
- Hybrid Analysis Technology
- relevance
- 10/10

Environment Awareness

Contains ability to query machine time
- details
- GetLocalTime@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetSystemTime@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetSystemTime@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetSystemTimeAsFileTime@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetSystemTime@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetLocalTime@KERNEL32.dll at 41995-2556-1001B5C4
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query the machine version
- details
- GetVersionExW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- DllGetVersion@COMCTL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetVersionExW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query the system locale
- details
- GetUserDefaultLCID@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- EnumSystemLocalesW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- EnumSystemLocalesW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- EnumSystemLocalesW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- EnumSystemLocalesW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetUserDefaultLCID@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query volume size
- details
- GetDiskFreeSpaceExW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetDiskFreeSpaceW@KERNEL32.dll at 12700-146-10007904
- source
- Hybrid Analysis Technology
- relevance
- 3/10

Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.dll
- GetProcessHeap@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetProcessHeap@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetProcessHeap@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetProcessHeap@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetProcessHeap@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetProcessHeap@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetProcessHeap@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- GetProcessHeap@KERNEL32.dll at 7118-2776-10020507
- GetProcessHeap@KERNEL32.dll at 41995-2600-1002ACC5
- source
- Hybrid Analysis Technology
- relevance
- 1/10

General

Accesses Software Policy Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10

Accesses System Certificates Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source
- Registry Access
- relevance
- 10/10

Contains PDB pathways
- details
- "C:\Branch\win\Release\stubs\x86\setup.pdb"
- "C:\Branch\win\Release\custact\x86\AICustAct.pdb"
- "C:\Branch\win\Release\custact\x86\SoftwareDetector.pdb"
- "C:\SSCSource\Utilities\SSCAutoStartHelper\obj\x86\Release\SSCAutoStartHelper.pdb"
- "C:\Branch\win\Release\custact\x86\ResourceCleaner.pdb"
"!"#$%&'()*+,-./0123456789:;<=>?@aicustact.dllAI_AuthorSinglePackageAI_ResolveKnownFoldersAI_SearchOfficeAddinsAddCaspolSecurityPolicyBrowseForFileCheckFreeTCPPortCheckIfUserExistsChooseTextStylesCloseApplicationCollectFeaturesWithoutCabComputeReplaceProductsListConfigureServFailActionsCreateExeProcessDeleteEmptyDirectoryDeleteFromComboBoxDeleteFromListBoxDeleteShortcutsDetectModernWindowsDetectProcessDetectServiceDisableFeaturesDoEventsDpiContentScaleEnumStartedServicesExtractComboBoxDataExtractListBoxDataGetArpIconPathGetFreeTCPPortGetLocalizedCredentialsGetPathFreeSpaceInstanceMajorUpgradeJoinFilesLaunchAppLaunchLogFileLoadShortcutDirsLogOnAsAServiceMixedAllUsersInstallLocationMsgBoxMsmTrialMessagePlayAudioFilePopulateComboBoxPopulateListBoxPrepareUpgradePreserveInstallTypePreventInstancesUpgradePrintRTFProcessFailActionsRemoveCaspolSecurityPolicyResolveKnownFolderResolveServicePropertiesRestoreLocationRunAllExitActionsRunAsAdminRunFinishActionsSetLatestVersionPathStopProcessStopWinServiceTrialMessageUninstallPreviousVersionsUpdateFeatureStatesUpdateInstallModeUpdateMsiEditControlsValidateInstallFolderViewReadMeWarningMessageBoxRSDSFSF@MC:\Branch\win\Release\custact\x86\AICustAct.pdb=GCTL.text$mn.idata$5R.rdata$P.edata ,X.rdata$zzzdbgx-.idata$2T..idata$3h..idata$4 1.idata$6@$.data(@0.bssP.rsrc$01P.rsrc$020 1/1\01/82l0X2/|506.", "` e {!!!~o!)19AIQ Yaiq%+06:IN(R0PX`^fhy.s...#.+s.3.;.K.S.c.k.s.{ 
?b)<E<Module>SSCAutoStartHelper.exeProgramSSCAutoStartHelpermscorlibSystemObjectMainSSCAUTOSTARTisSSCAutoStartRunningstartSSCAutoStartstopSSCAutoStart.ctorargsSystem.ReflectionAssemblyTitleAttributeAssemblyDescriptionAttributeAssemblyConfigurationAttributeAssemblyCompanyAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyCultureAttributeSystem.Runtime.InteropServicesComVisibleAttributeGuidAttributeAssemblyVersionAttributeAssemblyFileVersionAttributeSystem.DiagnosticsDebuggableAttributeDebuggingModesSystem.Runtime.CompilerServicesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeProcessGetProcessesget_ProcessNameStringContainsExceptionProcessStartInfoget_StartInfoEnvironmentget_CurrentDirectorySystem.IOPathCombineset_FileNameProcessWindowStyleset_WindowStyleStartGetProcessesByNameKill.cctor5ShopStreamConnectAutoStartG|%9D<z\V4 = I II U a IISSCAutoStartHelperSnap-on Incorporated+&Copyright Snap-on Incorporated 2011)$e145b3de-4961-46af-b546-5ee123dce2371.0.0.0TWrapNonExceptionThrowskENi)RSDS^Dp8jOM4C:\SSCSource\Utilities\SSCAutoStartHelper\obj\x86\Release\SSCAutoStartHelper.pdbT*n* `*_CorExeMainmscoree.dll% @ 8Ph@tDt4VS_VERSION_INFO?DVarFileInfo$TranslationStringFileInfo000004b0LCompanyNameSnap-on IncorporatedPFileDescriptionSSCAutoStartHelper0FileVersion1.0.0.0PInternalNameSSCAutoStartHelper.exep&LegalCopyrightCopyright Snap-on Incorporated 2011XOriginalFilenameSSCAutoStartHelper.exeHProductNameSSCAutoStartHelper4ProductVersion1.0.0.08Assembly Version1.0.0.0<?xml version="1.0" encoding="UTF-8" standalone="yes"?>", "U>'~dDdQX3kO|@P!GKnETW0+ /InvokeMainViaCRT"Main Invoked."FileName .ExitMainViaCRT"Main Returned."FileName+Microsoft.CRTProvidersPOGvRSDSEn8QA$^C:\Branch\win\Release\custact\x86\ResourceCleaner.pdbVV/GCTL_.text_.text$di[.text$mnKY?.text$x 
.text$ydd.idata$5d.00cfgh.CRT$XCAl.CRT$XCCx.CRT$XCL.CRT$XCU.CRT$XCZ.CRT$XIA.CRT$XIC.CRT$XIZ.CRT$XPA.CRT$XPX.CRT$XPXA.CRT$XPZ.CRT$XTA.CRT$XTZ.rdata`.rdata$r@.rdata$sxdata.rdata$zETW0w.rdata$zETW1
.rdata$zETW2.rdata$zETW9p.rdata$zzzdbg.rtc$IAA .rtc$IZZ$.rtc$TAA(.rtc$TZZ0PQ.xdata$x3`.didat$23 .didat$348.didat$484.didat$658.didat$7@5k.edata7d.idata$28.idata$3$8d.idata$4:.idata$6P.data_.data$rf8.didat$5gh.bss.gfids$x.gfids$y.rsrc$01.rsrc$02"TK"nv""$
"DYg"""""0-3"dT"u""@+"@"l"5"X`kv" "L"5"b" 0@~@@?"d"@K@K""p"@HPX`""8W_7?G"
- source
- String
- relevance
- 1/10

Contains ability to create named pipes for inter-process communication (IPC)
- details
- CreateNamedPipeW@KERNEL32.DLL from ShopStream_Connect_US.exe (PID: 2704)
- source
- Hybrid Analysis Technology
- relevance
- 10/10

Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\MSILOG_a0dbd2801d29c82GOL.b5e95ISM_pmeT_lacoL_ataDppA_yrJUPKR_sresU_:C"
- source
- Created Mutant
- relevance
- 3/10

Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MSI9E42.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "MSI9E23.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "MSI9DC8.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "MSI9D12.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10

Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6A840000
- source
- Loaded Module

Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10

Scanning for window names
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10

Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%APPDATA%\Snap-on Incorporated\ShopStream Connect\install\ShopStream_Connect_16.4.0.2_EN.msi" AI_SETUPEXEPATH="C:\ShopStream_Connect_US.exe" SETUPEXEDIR="C:\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " AI_FOUND_PREREQS=".NET Framework 3.5 SP1 (web installer)|.NET Framework 4.0 (web installer)""
- source
- Monitored Target
- relevance
- 3/10

Installation/Persistence

Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10

Dropped files
- details
- "Tar8521.tmp" has type "data"
- "MSI9E42.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "MSI9E23.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "ECF3006D44DA211141391220EE5049F4" has type "data"
- "EA618097E393409AFA316F0F87E2C202_57B56417B31990B0C7F6BB709E100F89" has type "data"
- "MSI9DC8.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" has type "data"
- "ShopStream_Connect_16.4.0.2_EN.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.2 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {04AF0F75-8689-4E7C-85B2-0558B1A3F1C5} Number of Words: 2 Subject: ShopStream Connect Author: Snap-on Incorporated Name of Creating Application: Advanced Installer 12.8 build 69285 Template: ;1033 Comments: This installer database contains the logic and data required to install ShopStream Connect."
- "MSI9D12.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "Cab8516.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
- source
- Binary File
- relevance
- 3/10

Touches files in the Windows directory
- details
- "<Input Sample>" touched file "%WINDIR%\system32\en-US\setupapi.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
- "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
- "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\system32\msiexec.exe"
- source
- API Call
- relevance
- 7/10

Network Related

Found potential URL in binary/memory
- details
- Pattern match: "http://ocsp.thawte.com0"
- Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
- Pattern match: "http://ts-ocsp.ws.symantec.com07"
- Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
- Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
- Pattern match: "http://sv.symcb.com/sv.crl0f"
- Pattern match: "https://d.symcb.com/cps0%"
- Pattern match: "https://d.symcb.com/rpa0"
- Pattern match: "http://sv.symcd.com0&"
- Pattern match: "http://sv.symcb.com/sv.crt0"
- Pattern match: "http://s2.symcb.com0"
- Pattern match: "http://www.symauth.com/cps0"
- Pattern match: "http://www.symauth.com/rpa00"
- Pattern match: "http://s1.symcb.com/pca3-g5.crl0"
- Pattern match: "http://t2.symcb.com0"
- Pattern match: "http://t1.symcb.com/ThawtePCA.crl0"
- Pattern match: "http://tl.symcb.com/tl.crl0"
- Pattern match: "https://www.thawte.com/cps0/"
- Pattern match: "https://www.thawte.com/repository0"
- Pattern match: "http://tl.symcd.com0&"
- Pattern match: "http://tl.symcb.com/tl.crt0"
- Pattern match: "http://www.advancedinstaller.com0"
- Heuristic match: "x9-=5aL.Bj"
- Pattern match: "www.google.com"
- Pattern match: "http://www.yahoo.com"
- Pattern match: "http://www.example.com"
- Pattern match: "http://www.google.com"
- Pattern match: "KS.KKK/KCK"
- Heuristic match: "Y.YqZqmsx~q7qa/S.S<!Gh!SS.Tz"
- Pattern match: "I.eIW/[7rv3j%k"
- Pattern match: "ONIwa.gY/$q4x_L;h23%H@O65V"
- Heuristic match: "$]c+Np*s{d,xiw\9D=Ny&N4uMo8[|Pwgfu\ x,NW:q]pndKppQ8lz6>a0+K*n.vI"
- Heuristic match: ".:e[gm]L%^9D')}@Ico%2iX(zPyZ)5ypgX>VqBT{1'1{SET*a>;sAKj{v:;M52=gFAFk{}>C~Cr]M^^_<gIS'NJ!<]-.AE7,IKs2>\>6@/s.MP"
- Pattern match: "D.Wj/byk3'SW%DQ5HfDu`aO%Dc/"
- Pattern match: "c.vxF/U#"
- Pattern match: "SV7Mbi.tU/E~p'5Zy}W*fn~}R5T"
- Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
- Pattern match: "http://sv.symcb.com/sv.crl0fU"
- Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0U8k`s0"
- Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
- Heuristic match: ")-IyY\]#5sjI#whAAAAAC.]< A++.SY"
- Pattern match: "http://t1.symcb.com/ThawtePCA.crl0U%0++0U0"
- Pattern match: "http://tl.symcb.com/tl.crl0U0U%0"
- Pattern match: "https://www.thawte.com/cps0/+0#!https://www.thawte.com/repository0U000"
- Pattern match: "tl.symcb.com/tl.crt0`HB0"
- Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0U%0"
- Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0U#0_n\t}?L.0"
- Pattern match: "PuuMUY.tVth/MEPMMEPEEPEPSEPuSMHEMI9uHEEx~pMQEEEEx~pM4EE3ENMMU`jVl`PM*ePMEOthju"
- Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0U00"
- Pattern match: "long334FeatureL4TScheduleSYSTEM.job/cmdloc"
- source
- String
- relevance
- 10/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10

File Details
ShopStream_Connect_US.exe
- Filename
- ShopStream_Connect_US.exe
- Size
- 14MiB (15061408 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 14678b83b8f46884b40036aa99d5f1dc13a931d59a6703ca844d8c2afe09d92b
- MD5
- 115e4be65009e7c0f3581548eaef6714
- SHA1
- be8198352396de58d113f5ae392d891dd8a4bae1
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- ShopStream_Connect_US.exe (PID: 2704)
- msiexec.exe /i "%APPDATA%\Snap-on Incorporated\ShopStream Connect\install\ShopStream_Connect_16.4.0.2_EN.msi" AI_SETUPEXEPATH="C:\ShopStream_Connect_US.exe" SETUPEXEDIR="C:\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " AI_FOUND_PREREQS=".NET Framework 3.5 SP1 (web installer)|.NET Framework 4.0 (web installer)" (PID: 2796)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
| String | Context | Stream UID |
|---|---|---|
| http://www.yahoo.com | Domain/IP reference | 00034191-00002704-47845-847-00B1A01A |
| http://www.example.com | Domain/IP reference | 00034191-00002704-47845-847-00B1A01A |
| http://www.google.com | Domain/IP reference | 00034191-00002704-47845-847-00B1A01A |
Extracted Files
Displaying 10 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.

Clean 4

MSI9D12.tmp
- Size
- 96KiB (97864 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- ca367c9fd5fb936729b4b6dcd78b003a
- SHA1
- a1a7079208047d8d77949223bee1564c2f46a7ce
- SHA256
- 287610819c64c5c5d0da75c8691046cffaa4538dd5f4ccdd14997b804d34f705

MSI9DC8.tmp
- Size
- 96KiB (97864 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- ca367c9fd5fb936729b4b6dcd78b003a
- SHA1
- a1a7079208047d8d77949223bee1564c2f46a7ce
- SHA256
- 287610819c64c5c5d0da75c8691046cffaa4538dd5f4ccdd14997b804d34f705

MSI9E23.tmp
- Size
- 323KiB (330824 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- 98542f7a19b24166cd784a1682846385
- SHA1
- f2ac4290b51660dca0c2fdc09919aff11c9299f8
- SHA256
- 16d6e9011d3c6b107d64466e8f09b41f7788b88e6a6f6d73071dd3468de0224d

MSI9E42.tmp
- Size
- 293KiB (299520 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/59
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- d3563a1d1c9b5b805ae7e1c28ab91d11
- SHA1
- 28eadd71e3c994708b251f2fee7007ec7d5b88b8
- SHA256
- 6aad8ab908b1cca96e1bee839f88580ac3eef0b2b423b609341d38922b375865

Informative Selection 1

ShopStream_Connect_16.4.0.2_EN.msi
- Size
- 2MiB (2133504 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {04AF0F75-8689-4E7C-85B2-0558B1A3F1C5}, Number of Words: 2, Subject: ShopStream Connect, Author: Snap-on Incorporated, Name of Creating Application: Advanced Installer 12.8 build 69285, Template: ;1033, Comments: This installer database contains the logic and data required to install ShopStream Connect.
- Runtime Process
- ShopStream_Connect_US.exe (PID: 2704)
- MD5
- 6dcaa699bc7007f4beb98e8d686ab457
- SHA1
- be91d683e7e5c07dd66e642a4f312ca3a3df8149
- SHA256
- c0954fc4a59956f29ad3a2676bb30687a2c93b43fca22eb58b2754ba945f459c

Informative 5

C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
- Size
- 398B (398 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- 751eca161f7a0012ddd3819f35482111
- SHA1
- 7cc1fdb2c27ef2a087ff23f1a0cbef7039aca107
- SHA256
- 19373d313c2af311d439e2a342f61c8043777360749a7ed5eb3d18a9b47e1da2

EA618097E393409AFA316F0F87E2C202_57B56417B31990B0C7F6BB709E100F89
- Size
- 398B (398 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- e227a730354642495b5b1f27653c0ad3
- SHA1
- ceafe68d7a32d39de80905dad67fbc76cf9f65c0
- SHA256
- 1d15a8320690fe839aa734fb69197ce11ada3ccf0dd585f40cd6e75294129582

ECF3006D44DA211141391220EE5049F4
- Size
- 262B (262 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- ddb4375ffa75f5a8760deed18aca5101
- SHA1
- 172fdffd5c8074db5a9f67e6db20c0f3c6c2d09d
- SHA256
- f7befdd8f3618d756b2381ef40b9bb326b35b5b1b1c9852fa4db0ae6cddb2361

Cab8516.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8

Tar8521.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 2796)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2

Notifications

Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report to reduce its overall size
- Extracted file "ShopStream_Connect_16.4.0.2_EN.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c0954fc4a59956f29ad3a2676bb30687a2c93b43fca22eb58b2754ba945f459c/analysis/1489437849/")
- No static analysis parsing on sample was performed
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)