PLClientInstaller.exe
This report is generated from a file or URL submitted to this webservice on December 11th 2018 20:56:46 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Contains ability to listen for incoming connections
- Spyware: Contains ability to open the clipboard; Contains ability to retrieve keyboard strokes; Found a string that may be used as part of an injection method
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators (5)

General

Contains ability to start/interact with device drivers
- details: DeviceIoControl@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (4 occurrences)
- source: Hybrid Analysis Technology
- relevance: 8/10
Installation/Persistence

Allocates virtual memory in a remote process
- details: "PLClientInstaller.exe" allocated memory in "%TEMP%\PrinterInstallerClient.msi"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
  - "PLClientInstaller.exe" wrote 1500 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 308)
  - "PLClientInstaller.exe" wrote 4 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 308)
  - "PLClientInstaller.exe" wrote 8 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 308)
  - "PLClientInstaller.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 308)
  - "PLClientInstaller.exe" wrote 52 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 308)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details: ExitWindowsEx@USER32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 5/10

Contains native function calls
- details:
  - NtdllDialogWndProc_W@NTDLL.DLL from PLClientInstaller.exe (PID: 3352) (23 occurrences)
  - NtdllDefWindowProc_W@NTDLL.DLL from PLClientInstaller.exe (PID: 3352) (1 occurrence)
- source: Hybrid Analysis Technology
- relevance: 5/10
Suspicious Indicators (30)

Anti-Detection/Stealthiness

Possibly tries to hide a process launching it with different user credentials
- details:
  - CreateProcessWithLogonW@ADVAPI32.DLL from PLClientInstaller.exe (PID: 3352)
  - CreateProcessAsUserW@ADVAPI32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 3/10

Queries kernel debugger information
- details:
  - "msiexec.exe" at 00013038-00003728-00000033-54965689376
  - "msiexec.exe" at 00014351-00001872-00000033-97688182598
- source: API Call
- relevance: 6/10
Anti-Reverse Engineering

Contains ability to block user input
- details: BlockInput@USER32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 7/10
Environment Awareness

Contains ability to query CPU information
- details: cpuid from PLClientInstaller.exe (PID: 3352) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082

Contains ability to read monitor info
- details: GetMonitorInfoW@USER32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1082

Reads the active computer name
- details: "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Contains ability to find and load resources of a specific module
- details:
  - LockResource@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
  - FindResourceW@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 1/10
Network Related

Contains ability to listen for incoming connections
- details: listen@WS2_32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 5/10

Found potential IP address in binary/memory
- details:
  - "255.255.255.255"
  - "5.255.255.255"
  - Heuristic match: "InstallShieldInstallation Database/Version 18.2.1.89 Released 2018/07/17 15:40:31Installer,MSI,DatabasePrinter Installer"
- source: File/Memory
- relevance: 3/10
Pattern Matching

Contains ability to download files from the internet
- details:
  - recv@WSOCK32.DLL from PLClientInstaller.exe (PID: 3352)
  - InternetReadFile@WININET.DLL from PLClientInstaller.exe (PID: 3352)
  - recvfrom@WSOCK32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 10/10
Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details: CreateToolhelp32Snapshot@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1215

Contains ability to open the clipboard
- details: OpenClipboard@USER32.DLL from PLClientInstaller.exe (PID: 3352) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1115

Contains ability to retrieve keyboard strokes
- details:
  - GetKeyboardState@USER32.DLL from PLClientInstaller.exe (PID: 3352) (5 occurrences)
  - GetAsyncKeyState@USER32.DLL from PLClientInstaller.exe (PID: 3352) (1 occurrence)
- source: Hybrid Analysis Technology
- relevance: 8/10
- ATT&CK ID: T1056
System Destruction

Marks file for deletion
- details: "C:\PLClientInstaller.exe" marked "%TEMP%\aut3F9.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details: "PLClientInstaller.exe" opened "%TEMP%\aut3F9.tmp" with delete access
- source: API Call
- relevance: 7/10
System Security

Contains ability to elevate privileges
- details: SetSecurityDescriptorDacl@ADVAPI32.DLL from PLClientInstaller.exe (PID: 3352) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to impersonate another user on the local machine
- details: LogonUserW@ADVAPI32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1134

Contains ability to lookup privileges
- details: GetSecurityDescriptorDacl@ADVAPI32.DLL from PLClientInstaller.exe (PID: 3352) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 3/10
Unusual Characteristics

Installs hooks/patches the running process
- details:
  - "PLClientInstaller.exe" wrote bytes "b8b0151d74ffe0" to virtual address "0x74A536B4" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "d83a0200" to virtual address "0x74A54D78" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "68130000" to virtual address "0x75CB1680" (part of module "WS2_32.DLL")
  - "PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A601FC" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A60200" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "b4360200" to virtual address "0x74A54EA4" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "60121d74" to virtual address "0x7683E324" (part of module "WININET.DLL")
  - "PLClientInstaller.exe" wrote bytes "711165027a3b6402ab8b02007f950200fc8c0200729602006cc805001ecd61027d266102" to virtual address "0x74BC07E4" (part of module "USER32.DLL")
  - "PLClientInstaller.exe" wrote bytes "b4360200" to virtual address "0x74A54D68" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "b840131d74ffe0" to virtual address "0x74A53AD8" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "d83a0200" to virtual address "0x74A54E38" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A60274" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A60278" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A601E4" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A60258" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "b830121d74ffe0" to virtual address "0x75CB1368" (part of module "WS2_32.DLL")
  - "PLClientInstaller.exe" wrote bytes "c0df1b771cf91a77ccf81a770d641c7700000000c0119c7500000000fc3e9c7500000000e0139c75000000009457d07425e01b77c6e01b7700000000bc6acf7400000000cf319c75000000009319d074000000002c329c7500000000" to virtual address "0x76041000" (part of module "NSI.DLL")
  - "PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A601E0" (part of module "SSPICLI.DLL")
  - "PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A6025C" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "711165027a3b6402ab8b02007f950200fc8c0200729602006cc805001ecd61027d266102" to virtual address "0x74BC07E4" (part of module "USER32.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  - "PLClientInstaller.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
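The hook records above are raw byte writes; the report does not decode them. The following is an added example, not output or code from the Hybrid Analysis report or from the sample's vendor, that parses those twenty records and sorts them into the patterns they show. The records are copied verbatim from the report; the interpretation rules are this example's own assumptions: a 7-byte write of the form b8 imm32 ff e0 is read as an x86 "mov eax, imm32; jmp eax" stub, a 4-byte write whose little-endian value equals one of those stub addresses as a function-pointer slot repointed at the stub, and a 4-byte value that sits a 64 KiB-aligned base below a stub address as that stub's RVA.

```python
"""Decode the "Installs hooks/patches the running process" records above.

Added example, not part of the Hybrid Analysis report. HOOK_RECORDS is copied
from the report; every rule in classify() is this example's own assumption:
  * b8 <imm32> ff e0            -> "mov eax, imm32 ; jmp eax" stub
  * dword == a stub address     -> a pointer slot repointed at the stub
  * dword == stub - base, with a 64 KiB-aligned base -> the stub's RVA
  * other 4-byte write          -> unclassified dword
  * longer multiple of 4 bytes  -> a table of dwords (decoded for inspection)
"""
import re
import struct

HOOK_RECORDS = r'''
"PLClientInstaller.exe" wrote bytes "b8b0151d74ffe0" to virtual address "0x74A536B4" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "d83a0200" to virtual address "0x74A54D78" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "68130000" to virtual address "0x75CB1680" (part of module "WS2_32.DLL")
"PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A601FC" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A60200" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "b4360200" to virtual address "0x74A54EA4" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "60121d74" to virtual address "0x7683E324" (part of module "WININET.DLL")
"PLClientInstaller.exe" wrote bytes "711165027a3b6402ab8b02007f950200fc8c0200729602006cc805001ecd61027d266102" to virtual address "0x74BC07E4" (part of module "USER32.DLL")
"PLClientInstaller.exe" wrote bytes "b4360200" to virtual address "0x74A54D68" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "b840131d74ffe0" to virtual address "0x74A53AD8" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "d83a0200" to virtual address "0x74A54E38" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A60274" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A60278" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A601E4" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A60258" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "b830121d74ffe0" to virtual address "0x75CB1368" (part of module "WS2_32.DLL")
"PLClientInstaller.exe" wrote bytes "c0df1b771cf91a77ccf81a770d641c7700000000c0119c7500000000fc3e9c7500000000e0139c75000000009457d07425e01b77c6e01b7700000000bc6acf7400000000cf319c75000000009319d074000000002c329c7500000000" to virtual address "0x76041000" (part of module "NSI.DLL")
"PLClientInstaller.exe" wrote bytes "d83aa574" to virtual address "0x74A601E0" (part of module "SSPICLI.DLL")
"PLClientInstaller.exe" wrote bytes "b436a574" to virtual address "0x74A6025C" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "711165027a3b6402ab8b02007f950200fc8c0200729602006cc805001ecd61027d266102" to virtual address "0x74BC07E4" (part of module "USER32.DLL")
'''

RECORD_RE = re.compile(
    r'"(?P<proc>[^"]+)" wrote bytes "(?P<hex>[0-9a-fA-F]+)" to virtual address '
    r'"0x(?P<addr>[0-9A-Fa-f]+)" \(part of module "(?P<mod>[^"]+)"\)'
)


def parse_records(text):
    """Turn the report's prose records into dicts with integers and bytes."""
    return [{"proc": m["proc"], "addr": int(m["addr"], 16),
             "data": bytes.fromhex(m["hex"]), "module": m["mod"]}
            for m in RECORD_RE.finditer(text)]


def is_jmp_stub(data):
    """7 bytes: B8 imm32 (mov eax, imm32) followed by FF E0 (jmp eax)."""
    return len(data) == 7 and data[0] == 0xB8 and data[5:7] == b"\xff\xe0"


def classify(rec, stub_sites):
    """Return (kind, value) for one write; stub_sites = addresses of jmp stubs."""
    data = rec["data"]
    if is_jmp_stub(data):
        return "jmp-stub", struct.unpack_from("<I", data, 1)[0]  # jump target
    if len(data) == 4:
        value = struct.unpack("<I", data)[0]
        if value in stub_sites:
            return "pointer-to-stub", value
        for site in stub_sites:
            # assumption: a small value that is exactly "site minus an
            # aligned module base" is that stub's RVA (export-table style)
            if 0 < value < site and (site - value) & 0xFFFF == 0:
                return "rva-of-stub", value
        return "dword", value
    if len(data) % 4 == 0:
        return "dword-table", list(struct.unpack("<%dI" % (len(data) // 4), data))
    return "other", None


def analyse(text=HOOK_RECORDS):
    """Classify every record; stub sites are learned from the records themselves."""
    recs = parse_records(text)
    stub_sites = {r["addr"] for r in recs if is_jmp_stub(r["data"])}
    out = []
    for r in recs:
        kind, value = classify(r, stub_sites)
        out.append(dict(r, kind=kind, value=value))
    return out


def summary(results):
    """Count of records per kind."""
    counts = {}
    for r in results:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in analyse():
        shown = ("%d dwords" % len(r["value"]) if r["kind"] == "dword-table"
                 else "0x%08X" % r["value"])
        print("%-21s %-11s 0x%08X %-15s %s"
              % (r["proc"], r["module"], r["addr"], r["kind"], shown))
```

On the report's data this yields three jmp stubs (targets 0x741D15B0, 0x741D1340 and 0x741D1230), eight pointer slots repointed at the two SSPICLI stub sites, five RVA writes that are consistent with SSPICLI.DLL being mapped at 0x74A30000 and WS2_32.DLL at 0x75CB0000, one unclassified dword (0x741D1260, in the same 64 KiB range as the three jump targets) and three dword tables. Whether those patterns are an installer runtime's own hooking or something hostile is not decided by this script; it only makes the writes readable enough to ask that question.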
Hiding 9 Suspicious Indicators (available only in the private webservice or standalone version)
Informative (24)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details:
  - Found reference to API MessageBoxW@USER32.DLL from PLClientInstaller.exe (PID: 3352)
  - Found reference to API GetSystemWow64DirectoryW@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
  - Found reference to API Wow64RevertWow64FsRedirection@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
  - Found reference to API Wow64DisableWow64FsRedirection@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
  - Found reference to API GetNativeSystemInfo@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
  - Found reference to API RegDeleteKeyExW@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
  - Found reference to API GetModuleHandleExW@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 10/10
Environment Awareness

Contains ability to query machine time
- details:
  - GetLocalTime@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (3 occurrences)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details: GetVersionExW@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details:
  - GetDiskFreeSpaceExW@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (2 occurrences)
  - GetDiskFreeSpaceW@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (1 occurrence)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Makes a code branch decision directly after an API that is environment aware
- details:
  - Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 0130438Eh" from PLClientInstaller.exe (PID: 3352)
  - Found API call GetLocalTime@KERNEL32.DLL directly followed by "cmp word ptr [esi], 0000h" and "je 01335A17h" from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from PLClientInstaller.exe (PID: 3352) (15 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads the registry for installed applications
- details:
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE AIR"; Key: "DISPLAYNAME"; Value: "000000000100000014000000410064006F006200650020004100490052000000")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER ACTIVEX"; Key: "DISPLAYNAME"; Value: "00000000010000003C000000410064006F0062006500200046006C00610073006800200050006C006100790065007200200032003700200041006300740069007600650058000000")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE SHOCKWAVE PLAYER")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE SHOCKWAVE PLAYER"; Key: "DISPLAYNAME"; Value: "000000000100000038000000410064006F00620065002000530068006F0063006B007700610076006500200050006C0061007900650072002000310032002E0033000000")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3"; Key: "DISPLAYNAME"; Value: "0000000001000000220000004100750074006F00490074002000760033002E0033002E00310034002E0032000000")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
  - "PLClientInstaller.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems

Detected Suricata Alert
- details: Detected alert "ET INFO Windows OS Submitting USB Metadata to Microsoft" (SID: 2025275, Rev: 1, Severity: 3) categorized as "Misc activity"
- source: Suricata Alerts
- relevance: 10/10
General

Contains ability to register hotkeys
- details:
  - UnregisterHotKey@USER32.DLL from PLClientInstaller.exe (PID: 3352)
  - RegisterHotKey@USER32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 5/10

Creates a writable file in a temporary directory
- details:
  - "PLClientInstaller.exe" created file "%TEMP%\aut3F9.tmp"
  - "PLClientInstaller.exe" created file "%TEMP%\PrinterInstallerClient.msi"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
  - "Global\_MSIExecute"
- source: Created Mutant
- relevance: 3/10

Overview of unique CLSIDs touched in registry
- details:
  - "msiexec.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}")
  - "msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}")
  - "msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details:
  - Process "msiexec.exe" was launched with modified environment variables: "PROCESSOR_ARCHITECTURE, CommonProgramFiles, ProgramFiles, Path"
  - Process "msiexec.exe" was launched with missing environment variables: "PROMPT, PROCESSOR_ARCHITEW6432"
- source: Monitored Target
- relevance: 10/10

Scanning for window names
- details: "PLClientInstaller.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details:
  - Spawned process "msiexec.exe" with commandline "/i %TEMP%\PrinterInstallerClient.msi /passive"
  - Spawned process "msiexec.exe" with commandline "-Embedding AA29C1C41B24C77124A4C2B5C01CB67D"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details:
  - Spawned process "msiexec.exe" with commandline "/i %TEMP%\PrinterInstallerClient.msi /passive"
  - Spawned process "msiexec.exe" with commandline "-Embedding AA29C1C41B24C77124A4C2B5C01CB67D"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Connects to LPC ports
- details:
  - "PLClientInstaller.exe" connecting to "\ThemeApiPort"
  - "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Contains ability to lookup the windows account name
- details: GetUserNameW@ADVAPI32.DLL from PLClientInstaller.exe (PID: 3352)
- source: Hybrid Analysis Technology
- relevance: 5/10

Dropped files
- details: "aut3F9.tmp" has type "Composite Document File V2 Document corrupt: Can't read SAT"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "PLClientInstaller.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "PLClientInstaller.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  - "PLClientInstaller.exe" touched file "%WINDIR%\SysWOW64\msiexec.exe"
  - "msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\msiexec.exe"
  - "msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
  - "msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\en-US\msiexec.exe.mui"
  - "msiexec.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\msimsg.dll"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
  - "msiexec.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
  - Heuristic match: "?EA?hM.CY"
  - Pattern match: "www.printerlogic.comIS_PROGMSG_TEXTFILECHANGS_REPLACECE9BD06F2EEB507FCEAC902F6EBC978FA9CCD78F69FB80B8CE5CD7D8198C076FA9FB57A87EACDWUSLINKLaunchPROGRAMFILETOLAUNCHATENDPrinter"
  - Pattern match: "https://secure.comodo.net/CPS0CU"
  - Pattern match: "crl.usertrust.com/AddTrustExternalCARoot.crl05+"
  - Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q+e0c0;+0/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$+0http://ocsp.comodoca.com0"
  - Pattern match: "www.printerlogic.com"
  - Pattern match: "www.usertrust.com10UUTN-USERFirst-Object0"
  - Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05+"
  - Pattern match: "www.usertrust.com10UUTN-USERFirst-Object9%^ci930+0*H"
  - Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
  - Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
  - Pattern match: "https://www.verisign.com/rpa"
  - Pattern match: "https://www.verisign.com/rpa01U*0"
  - Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"
  - Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0"
  - Pattern match: "www.acresso.com0"
  - Pattern match: "E.tzj1EEP.EVEP/E3Uh?Bd0d"
  - Pattern match: "hfG-hfG.hfG/hfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfGhfG"
- source: File/Memory
- relevance: 10/10
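Most of the URL hits above and the IP hits in the suspicious "Found potential IP address in binary/memory" group are the kind of string noise a signed installer carries (CRL, OCSP and policy-document URLs from its certificate chain, a broadcast address, a version number that happens to have three dots). The following is an added example, not code or output from the Hybrid Analysis report, that triages both lists and leaves only the hosts worth a second look. The strings are copied from the report; every classification rule is this example's own heuristic: crl./ocsp./crt. hosts, .crl/.cer/.crt paths and /CPS or /rpa policy paths are treated as certificate-chain plumbing, any other host under the same two-label domain as such a host is treated as related to it, and an IPv4 hit is discounted when it is a substring of a longer hit, is not globally routable, or is preceded by the word "Version".

```python
"""Triage of the IP and URL string hits listed in the report above.

Added example, not part of the Hybrid Analysis report. REPORT_STRINGS is copied
from the report's two string indicators. All classification rules here are this
example's heuristics (see looks_like_pki, registrable and classify_ips).
"""
import ipaddress
import re

REPORT_STRINGS = [
    "255.255.255.255",
    "5.255.255.255",
    "InstallShieldInstallation Database/Version 18.2.1.89 Released 2018/07/17 15:40:31Installer,MSI,DatabasePrinter Installer",
    "?EA?hM.CY",
    "www.printerlogic.comIS_PROGMSG_TEXTFILECHANGS_REPLACECE9BD06F2EEB507FCEAC902F6EBC978FA9CCD78F69FB80B8CE5CD7D8198C076FA9FB57A87EACDWUSLINKLaunchPROGRAMFILETOLAUNCHATENDPrinter",
    "https://secure.comodo.net/CPS0CU",
    "crl.usertrust.com/AddTrustExternalCARoot.crl05+",
    "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q+e0c0;+0/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$+0http://ocsp.comodoca.com0",
    "www.printerlogic.com",
    "www.usertrust.com10UUTN-USERFirst-Object0",
    "crl.usertrust.com/UTN-USERFirst-Object.crl05+",
    "www.usertrust.com10UUTN-USERFirst-Object9%^ci930+0*H",
    "http://crl.verisign.com/tss-ca.crl0U%0",
    "crl.verisign.com/ThawteTimestampingCA.crl0U%0",
    "https://www.verisign.com/rpa",
    "https://www.verisign.com/rpa01U*0",
    "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU",
    "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0",
    "www.acresso.com0",
    "E.tzj1EEP.EVEP/E3Uh?Bd0d",
    "hfG-hfG.hfG/hfGhfGhfGhfGhfGhfGhfGhfGhfGhfG",
]

# Host needs at least two dotted labels and a lowercase TLD: that is what
# stops "E.tzj", "hM.CY" and "hfG-hfG.hfG" from passing as hosts. Heuristic.
URL_RE = re.compile(r"(?:https?://)?((?:[A-Za-z0-9-]+\.){2,}[a-z]{2,})(/[A-Za-z0-9._~%+-]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PKI_FILE_RE = re.compile(r"\.(crl|cer|crt)(?![A-Za-z])")   # ".crl05+" still counts
PKI_HOST_PREFIXES = ("crl.", "ocsp.", "crt.")


def extract_hosts(strings):
    """Return {host: set(paths)} for every URL-shaped token in the strings."""
    hosts = {}
    for s in strings:
        for m in URL_RE.finditer(s):
            hosts.setdefault(m.group(1), set()).add(m.group(2) or "")
    return hosts


def looks_like_pki(host, paths):
    """Certificate-chain plumbing: CRL/OCSP/AIA hosts, cert files, CPS/RPA docs."""
    h = host.lower()
    if h.startswith(PKI_HOST_PREFIXES) or "-crl." in h or "-aia." in h:
        return True
    return any(PKI_FILE_RE.search(p) or p.startswith(("/CPS", "/rpa")) for p in paths)


def registrable(host):
    """Approximate registrable domain as the last two labels (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def classify_hosts(strings):
    """host -> 'pki-infrastructure' | 'pki-related-domain' | 'noteworthy'."""
    hosts = extract_hosts(strings)
    verdict, pki_domains = {}, set()
    for host, paths in hosts.items():
        if looks_like_pki(host, paths):
            verdict[host] = "pki-infrastructure"
            pki_domains.add(registrable(host))
    for host in hosts:
        if host not in verdict:
            verdict[host] = ("pki-related-domain" if registrable(host) in pki_domains
                             else "noteworthy")
    return verdict


def classify_ips(strings):
    """ip -> reason it can be discounted, or 'routable' if it cannot."""
    hits = {}
    for s in strings:
        for m in IPV4_RE.finditer(s):
            hits.setdefault(m.group(0), []).append(s[max(0, m.start() - 10):m.start()])
    verdict = {}
    for ip, contexts in hits.items():
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            verdict[ip] = "not-an-address"            # e.g. an octet above 255
            continue
        if any(ip != other and ip in other for other in hits):
            verdict[ip] = "substring-of-longer-hit"   # "5.255.255.255" inside "255.255.255.255"
        elif any("version" in c.lower() for c in contexts):
            verdict[ip] = "version-string"            # "Version 18.2.1.89"
        elif not addr.is_global:
            verdict[ip] = "non-routable"              # broadcast, private, loopback, ...
        else:
            verdict[ip] = "routable"
    return verdict


def noteworthy_hosts(strings=REPORT_STRINGS):
    return sorted(h for h, v in classify_hosts(strings).items() if v == "noteworthy")


if __name__ == "__main__":
    print("hosts worth a look:", noteworthy_hosts())
    print("ip verdicts:", classify_ips(REPORT_STRINGS))
```

On the report's strings, the two hosts left after filtering are www.printerlogic.com and www.acresso.com; everything else resolves to certificate-chain infrastructure (Comodo, UserTrust, VeriSign) or to garbage that merely contains a dot, and none of the three IP-looking hits survives. This matches the network section of the report, which records no DNS requests or contacted hosts from the sample itself.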
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details:
  - "PLClientInstaller.exe" opened "\Device\KsecDD"
  - "msiexec.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215
File Details
PLClientInstaller.exe
- Filename: PLClientInstaller.exe
- Size: 22MiB (23246336 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 16e2737f536e0c0de878c22d374729044eac021eaa774c00a2f752a4b28feefc
- MD5: 2ef6352f4a08ddc76f35e8ccd8f9a544
- SHA1: 653899e0175e97c2815bb5287c0921ebfbfdd8e7
Classification (TrID)
- 76.4% (.EXE) Win64 Executable (generic)
- 12.4% (.EXE) Win32 Executable (generic)
- 5.5% (.EXE) Generic Win/DOS Executable
- 5.5% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 3 processes in total.
- PLClientInstaller.exe (PID: 3352)
  - msiexec.exe /i %TEMP%\PrinterInstallerClient.msi /passive (PID: 3728)
  - msiexec.exe -Embedding AA29C1C41B24C77124A4C2B5C01CB67D (PID: 1872)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics

| String | Context | Stream UID |
|---|---|---|
| 255.255.255.255 | Domain/IP reference | 00011526-00003352-41182-1971-013480A0 |
Suricata Alerts

| Event | Category | Description | SID |
|---|---|---|---|
| local -> 40.80.145.27:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
| local -> 40.80.145.27:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
| local -> 40.80.145.27:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
| local -> 40.80.145.27:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
Extracted Files
Informative (1)

aut3F9.tmp
- Size: 4.9MiB (5177344 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, corrupt: Can't read SAT
- Runtime Process: PLClientInstaller.exe (PID: 3352)
- MD5: efa2fb8b79b0be087ea96cdce9a373e1
- SHA1: c9f7a8072e4a3f0387fb9174fef0e48c5e5f4243
- SHA256: bd8034fc49ef8f79f55f2a866585373cbafd43dbadc05d1996ac083eb26cc388
Notifications

Runtime
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report