SQL_RS_LOC.MSI
This report is generated from a file or URL submitted to this webservice on December 22nd 2017 11:30:27 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Spreading: Tries to access unusual system drive letters
- Network Behavior: Contacts 1 host
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (1)
Network Related
Malicious artifacts seen in the context of a contacted host
- details: Found malicious artifacts related to "2.16.4.178": ...
- source: Network Traffic
- relevance: 10/10
Suspicious Indicators (3)
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details: "}QMEPjM:QjM:lRjM9PMQMEUUEEPlEMCQURMEEEEMQlEMBlmjlQn1u}PQvhEREpPbhMpJnP>nP,uDu%nPh8DEMp;BE,BMRP]#u8RPC#uRlP)#Uuh|DBEnmPBOmPBl0mPB4QjM7jM<u4PPqPQjM74lPPPlPBQDqR2qlP qEMu;h@" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10
Installation/Persistence
Scans for the Windows taskbar (often used for explorer injection)
- details: "msiexec.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 5/10
Unusual Characteristics
Tries to access unusual system drive letters
- details:
"msiexec.exe" touched "K:\"
"msiexec.exe" touched "L:\"
"msiexec.exe" touched "M:\"
"msiexec.exe" touched "N:\"
"msiexec.exe" touched "O:\"
"msiexec.exe" touched "P:\"
"msiexec.exe" touched "Q:\"
"msiexec.exe" touched "R:\"
"msiexec.exe" touched "S:\"
"msiexec.exe" touched "T:\"
"msiexec.exe" touched "U:\"
"msiexec.exe" touched "V:\"
"msiexec.exe" touched "W:\"
- source: API Call
- relevance: 9/10
Informative (31)
Anti-Detection/Stealthiness
Queries kernel debugger information
- details: "msiexec.exe" at 00044982-00003436-00000105-101296548
- source: API Call
- relevance: 6/10
Environment Awareness
Queries volume information
- details: "msiexec.exe" queries volume information of "C:\" at 00044982-00003436-0000010C-101431379
- source: API Call
- relevance: 2/10

Queries volume information of an entire hard drive
- details: "msiexec.exe" queries volume information of "C:\" at 00044982-00003436-0000010C-101431379
- source: API Call
- relevance: 8/10

Reads the active computer name
- details: "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
External Systems
Sample was identified as clean by Antivirus engines
- details: 0/57 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General
Accesses Software Policy Settings
- details:
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source: Registry Access
- relevance: 10/10

Accesses System Certificates Settings
- details:
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source: Registry Access
- relevance: 10/10

Contacts server
- details: "2.16.4.178:80"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details:
"msiexec.pdb"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
"msiexec.exe" created file "%TEMP%\Cab2D68.tmp"
"msiexec.exe" created file "%TEMP%\Tar2D69.tmp"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Global\_MSIExecute"
- source: Created Mutant
- relevance: 3/10

Opened the service control manager
- details:
"msiexec.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"msiexec.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source: API Call
- relevance: 10/10

Reads Windows Trust Settings
- details: "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10

Requested access to a system service
- details:
"msiexec.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"msiexec.exe" called "OpenService" to access the "gpsvc" service
"msiexec.exe" called "OpenService" to access the "WinHttpAutoProxySvc" service
"msiexec.exe" called "OpenService" to access the "CryptSvc" service
"msiexec.exe" called "OpenService" to access the "cryptsvc" service
"msiexec.exe" called "OpenService" to access the "���" service
- source: API Call
- relevance: 10/10

Scanning for window names
- details: "msiexec.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10

Sent a control code to a service
- details:
"msiexec.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"msiexec.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
"msiexec.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
"msiexec.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
- source: API Call
- relevance: 10/10

Installation/Persistence
Connects to LPC ports
- details: "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
"Tar2D69.tmp" has type "data"
"C0018BB1B5834735BFA60CD063B31956" has type "data"
"37C951188967C8EB88D99893D9D191FE" has type "data"
"Cab2D68.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
- source: Binary File
- relevance: 3/10

Found a string that may be used as part of an injection method
- details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10

Monitors specific registry key for changes
- details:
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 0)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 0)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
- source: API Call
- relevance: 4/10

Opens the MountPointManager (often used to detect additional infection locations)
- details: "msiexec.exe" opened "\Device\MountPointManager"
- source: API Call
- relevance: 5/10

Touches files in the Windows directory
- details:
"msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "C:\Windows\System32\msiexec.exe"
"msiexec.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
"msiexec.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
"msiexec.exe" touched file "C:\Windows\System32\en-US\msiexec.exe.mui"
"msiexec.exe" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"msiexec.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"msiexec.exe" touched file "C:\Windows\System32\rsaenh.dll"
"msiexec.exe" touched file "C:\Windows\System32\msimsg.dll"
"msiexec.exe" touched file "C:\Windows\System32\en-US\msimsg.dll.mui"
"msiexec.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"msiexec.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"msiexec.exe" touched file "C:\Windows\System32\en-US\crypt32.dll.mui"
"msiexec.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"msiexec.exe" touched file "C:\Windows\System32\en-US\winhttp.dll.mui"
"msiexec.exe" touched file "C:\Windows\AppPatch\msimain.sdb"
- source: API Call
- relevance: 7/10

Network Related
Found potential URL in binary/memory
- details:
Pattern match: "www.microsoft.com"
Pattern match: "crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X+L0J0H+0"
Pattern match: "crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z+N0L0J+0"
Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T+H0F0D+08http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0"
Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T+H0F0D+08http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0U%0"
Pattern match: "www.microsoft.com/sql0"
Pattern match: "www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a+U0S0Q+0Ehttp://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0U00"
Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^+R0P0N+0Bhttp://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0U"
Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z+N0L0J+0"
Pattern match: "crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z+N0L0J+0"
Pattern match: "go.microsoft.com/fwlink/?LinkId=154582ARPSYSTEMCOMPONENTASPNetVersion2.0.50727ButtonTextStyle{\ButtonTextStyle}DlgTextStyle{\DlgTextStyle}DlgTextStyleB{\DlgTextStyleB}DlgTitleStyle{\DlgTitleStyle}DlgTitleStyleB{\DlgTitleStyleB}INSTALLLEVEL80FixedStyle{\Fix"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"
Pattern match: "http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl"
- source: File/Memory
- relevance: 10/10

System Destruction
Marks file for deletion
- details:
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\Cab2D68.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\Tar2D69.tmp" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
"msiexec.exe" opened "%TEMP%\Cab2D68.tmp" with delete access
"msiexec.exe" opened "%TEMP%\Tar2D69.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security
Modifies Software Policy Settings
- details:
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "msiexec.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10

Unusual Characteristics
Drops cabinet archive files
- details: "Cab2D68.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
- source: Binary File
- relevance: 10/10

Installs hooks/patches the running process
- details:
"msiexec.exe" wrote bytes "7739317779a83577be723577d62d35771de2307705a23577c868347757d13b77bee33077616f3577684133770050337700000000ad3745778b2d4577b641457700000000" to virtual address "0x74E81000" (part of module "WSHIP6.DLL")
"msiexec.exe" wrote bytes "4053337758583477186a3477653c35770000000000bf9f750000000056cc9f75000000007cca9f7500000000376856756a2c3577d62d357700000000206956750000000029a69f7500000000a48d567500000000f70e9f7500000000" to virtual address "0x77441000" (part of module "NSI.DLL")
"msiexec.exe" wrote bytes "92e6307779a83577be723577d62d35771de2307705a23577bee33077616f3577684133770050337700000000ad3745778b2d4577b641457700000000" to virtual address "0x749B1000" (part of module "WSHTCPIP.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details: "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
File Details
SQL_RS_LOC.MSI
- Filename: SQL_RS_LOC.MSI
- Size: 3.9MiB (4050944 bytes)
- Type: doc office
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: SQL Server 2014 Reporting Services, Author: Microsoft Corporation, Keywords: Installer, Comments: Microsoft SQL Server, Create Time/Date: Fri Feb 21 15:39:06 2014, Name of Creating Application: Windows Installer XML v0.0.0.0, Security: 2, Template: Intel;1033, Last Saved By: Intel;1033, Revision Number: {EF4E42AF-F3AD-4F79-A7A4-847EF0693CCA}12.0.2000.8;{37245D64-7439-4076-890
- Architecture: WINDOWS
- SHA256: 5fee60080d0467593ef89c42034a22196bc610dc6a048e204613271c8a85a123
- MD5: 61c7dc124068ded9f2a053614708c1f0
- SHA1: 3de96c5195063e13ddaa08a735de6ab65755e027
Classification (TrID)
- 98.6% (.MSI) Microsoft Windows Installer
- 1.3% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 1 process in total.
- msiexec.exe /i "C:\5fee60080d0467593ef89c42034a22196bc610dc6a048e204613271c8a85a123.msi" (PID: 3436)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
2.16.4.178 | 80 TCP | msiexec.exe PID: 3436 | European Union
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 4 extracted file(s). The remaining 2 file(s) are available in the full version and XML/JSON reports.
Informative (4)
37C951188967C8EB88D99893D9D191FE
- Size: 264B (264 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 3436)
- MD5: 968aeae3646d3fede4509a82fe127eb2
- SHA1: b80a162c0aa93e76e7edde4a5736a018575b05f6
- SHA256: ed1c447ebb1033b84a87b6699c64f2cdd54efe7c62858829512340fd805cfc58

C0018BB1B5834735BFA60CD063B31956
- Size: 813B (813 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 3436)
- MD5: c64ff8e72f00883e044fb6354428f582
- SHA1: 6cedbfc27683499111c384f2af52a64ae83476c8
- SHA256: ec300b04349fe6fed98d7097c03e2d296f9b6633339fe2f472f3c49c328b8da7

Cab2D68.tmp
- Size: 50KiB (50939 bytes)
- Type: data
- Description: Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process: msiexec.exe (PID: 3436)
- MD5: 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1: f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256: c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8

Tar2D69.tmp
- Size: 118KiB (120573 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 3436)
- MD5: 179d2951034116b184198e0bf26daa47
- SHA1: b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256: 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2

Notifications
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-12" are available in the report
- Not all sources for signature ID "api-31" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report