vecpak100win-en.exe
This report is generated from a file or URL submitted to this webservice on March 5th 2018 15:57:50 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Persistence
- Writes data to a remote process
- Fingerprint
- Reads the cryptographic machine GUID
- Network Behavior
- Contacts 4 domains (all four are reverse-DNS lookup names; see Network Analysis)
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 1
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 324)
Note: handle 324 is the process handle the sample received when it created msiexec.exe (see "Creates new processes" under Suspicious Indicators), so these writes go into its own freshly created child, not into a pre-existing process. Weigh this "malicious" indicator accordingly. - source
- API Call
- relevance
- 6/10
-
-
Suspicious Indicators 15
-
Anti-Detection/Stealthiness
-
Queries kernel debugger information
- details
-
"<Input Sample>" at 00014961-00002572-00000105-42869247
"msiexec.exe" at 00015565-00001992-00000105-42936740 - source
- API Call
- relevance
- 6/10
-
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.1887684779 (close to the 8.0 maximum; for this InstallShield launcher that is expected, since it carries its compressed payload in the resource section: it imports FindResourceA/LockResource and drops a 1.2 MiB MSI from a 1.4 MiB executable)
- source
- Static Parser
- relevance
- 10/10
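Added example, not part of the Hybrid Analysis report and not ACD Systems or InstallShield code: how the per-section entropy figure above is computed, walking the PE section table and scoring the raw bytes of each section. The PE image and the section contents are constructed in the block so it runs offline, and the 7.0 cut-off is an assumption; the page does not state the sandbox's own threshold.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> dict:
    """Walk the PE section table and return {section_name: entropy of its raw (on-disk) bytes}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER (40 bytes each)
    out = {}
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        out[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return out


def unusual_sections(entropies: dict, threshold: float = 7.0) -> dict:
    """Sections the heuristic would flag. The 7.0 threshold is assumed; the report does not publish its own."""
    return {name: e for name, e in entropies.items() if e >= threshold}


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE (DOS stub, PE signature, COFF header, section table, raw data) for offline use."""
    e_lfanew = 0x40
    opt_size = 0
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)  # i386, executable
    table, blobs, ptr = b"", b"", data_start
    for name, raw in sections:
        table += struct.pack("<8sIIII", name.encode(), len(raw), 0x1000, len(raw), ptr) + b"\0" * 16
        blobs += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed inputs: repetitive import-table-like text for .text, and seeded pseudo-random bytes
# standing in for a compressed resource payload in .rsrc (reproducible, not taken from the sample).
_rng = random.Random(20180305)
SAMPLE_PE = build_sample_pe([
    (".text", b"KERNEL32.dll\0GetProcAddress\0" * 200),
    (".rsrc", bytes(_rng.getrandbits(8) for _ in range(4096))),
])


def analyze_sample() -> dict:
    return section_entropies(SAMPLE_PE)


if __name__ == "__main__":
    for name, e in analyze_sample().items():
        print(f"{name:8s} {e:.4f}")
```

The constructed .rsrc scores just under 8.0 and is the only section flagged, which is the same picture the static parser paints for this launcher: high entropy in .rsrc says "compressed or encrypted data lives here", and whether that is a packed malware payload or an installer's embedded MSI has to come from the rest of the report (here, the dropped MSI and the resource-loading imports).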
-
-
Environment Awareness
-
Reads the cryptographic machine GUID
- details
-
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
-
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceA@KERNEL32.dll
FindResourceA@KERNEL32.DLL from vecpak100win-en.exe (PID: 2572) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
-
"<Input Sample>" read file "%TEMP%\_is5219\_ISMSIDEL.INI"
"<Input Sample>" read file "%TEMP%\_is5219\Setup.INI"
"<Input Sample>" read file "%TEMP%\_is5219\0x0409.ini" - source
- API Call
- relevance
- 4/10
-
-
Installation/Persistence
-
Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "%PROGRAMFILES%\ACD Systems\Setups\{267D8835-4B73-421B-8C61-358624FA96E7}\2D Vector Pak.msi", Handle: 324)
- source
- API Call
- relevance
- 8/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
-
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"2.5.29.15"
Heuristic match: "8.8.8.8.in-addr.arpa"
Heuristic match: "255.56.168.192.in-addr.arpa"
Heuristic match: "252.0.0.224.in-addr.arpa"
Heuristic match: "ScriptVer=1.0.0.1"
Note: none of these is an address the sample connects to. 2.5.29.15 is the X.509 keyUsage extension OID, ScriptVer=1.0.0.1 is a version string, and the .in-addr.arpa names are the reverse-lookup (PTR) forms of 8.8.8.8, 192.168.56.255 and 224.0.0.252 (the LLMNR multicast address) as they appeared in process memory. - source
- File/Memory
- relevance
- 3/10
-
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
-
-
System Destruction
-
Marks file for deletion
- details
-
"C:\vecpak100win-en.exe" marked "%TEMP%\~51BE.tmp" for deletion
"C:\vecpak100win-en.exe" marked "%TEMP%\_MSI5166._IS" for deletion
"C:\vecpak100win-en.exe" marked "%TEMP%\_is5219.tmp" for deletion - source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"<Input Sample>" opened "%TEMP%\~51BE.tmp" with delete access
"<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
"<Input Sample>" opened "%TEMP%\_is5219.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
RegDeleteKeyA
RegOpenKeyA
RegCloseKey
OpenProcessToken
RegCreateKeyExA
RegOpenKeyExA
RegDeleteValueA
GetFileAttributesA
GetDriveTypeA
UnhandledExceptionFilter
GetTempPathA
WriteFile
CopyFileA
GetModuleFileNameA
CreateThread
TerminateProcess
GetTickCount
VirtualProtect
GetVersionExA
LoadLibraryA
GetStartupInfoA
GetFileSize
CreateDirectoryA
DeleteFileA
GetProcAddress
FindFirstFileA
GetTempFileNameA
CreateFileMappingA
CreateFileA
LockResource
GetCommandLineA
MapViewOfFile
GetModuleHandleA
CreateProcessA
Sleep
FindResourceA
VirtualAlloc
FindWindowA - source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
-
-
Hiding 2 Suspicious Indicators
-
Informative 14
-
Environment Awareness
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersion@KERNEL32.DLL from vecpak100win-en.exe (PID: 2572)
GetVersionExA@KERNEL32.DLL from vecpak100win-en.exe (PID: 2572) (6 call sites) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
- GetDiskFreeSpaceA@KERNEL32.DLL from vecpak100win-en.exe (PID: 2572)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExA@KERNEL32.DLL (Target: "vecpak100win-en.exe"; Stream UID: "00014961-00002572-38413-77-0040FCC0") which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "ret". Related instructions:
    +0   push ebp
    +1   mov ebp, esp
    +3   sub esp, 00000094h
    +9   lea eax, dword ptr [ebp-00000094h]
    +15  mov dword ptr [ebp-00000094h], 00000094h
    +25  push eax
    +26  call dword ptr [004200C0h] ;GetVersionExA
    +32  xor eax, eax
    +34  cmp dword ptr [ebp-00000084h], 01h
    +41  sete al
    +44  leave
    +45  ret
Found API call GetVersionExA@KERNEL32.DLL (Target: "vecpak100win-en.exe"; Stream UID: "00014961-00002572-38413-217-0040FCEE") which is directly followed by "cmp dword ptr [ebp-00000084h], 02h" and "ret". Related instructions: the same sequence, with "cmp dword ptr [ebp-00000084h], 02h" at +34.
Reading the listing: the 94h-byte stack frame is an OSVERSIONINFOA (sizeof = 148 = 94h; the mov stores dwOSVersionInfoSize before the call), and [ebp-84h] is offset 10h into it, the dwPlatformId field. The two functions therefore return whether the platform is VER_PLATFORM_WIN32_WINDOWS (1, Windows 9x) or VER_PLATFORM_WIN32_NT (2). That is an OS-family check, consistent with a launcher that chooses between the instmsia.exe and instmsiw.exe redistributables named in the URL strings below, not a sandbox or VM check. - source
- Hybrid Analysis Technology
- relevance
- 10/10
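Added example, not part of the report and not InstallShield's code: a small checker that takes the instruction stream quoted in the indicator above and resolves the compared stack operand against the OSVERSIONINFOA layout, so the "environment aware branch" can be named precisely instead of guessed at. The listings are copied from the report with the offsets dropped; the struct layout and the VER_PLATFORM_* constants are the Windows SDK ones.

```python
import re

# OSVERSIONINFOA as declared in the Windows SDK: five DWORDs, then szCSDVersion[128].
OSVERSIONINFOA_FIELDS = (
    ("dwOSVersionInfoSize", 4),
    ("dwMajorVersion", 4),
    ("dwMinorVersion", 4),
    ("dwBuildNumber", 4),
    ("dwPlatformId", 4),
    ("szCSDVersion", 128),
)
OSVERSIONINFOA_SIZE = sum(size for _, size in OSVERSIONINFOA_FIELDS)  # 148 == 0x94

# dwPlatformId constants from the SDK.
PLATFORM_IDS = {0: "VER_PLATFORM_WIN32s", 1: "VER_PLATFORM_WIN32_WINDOWS", 2: "VER_PLATFORM_WIN32_NT"}

# The instruction stream quoted in the indicator above, copied from the report with the +N offsets removed.
LISTING_1 = """\
push ebp
mov ebp, esp
sub esp, 00000094h
lea eax, dword ptr [ebp-00000094h]
mov dword ptr [ebp-00000094h], 00000094h
push eax
call dword ptr [004200C0h] ;GetVersionExA
xor eax, eax
cmp dword ptr [ebp-00000084h], 01h
sete al
leave
ret
"""
# The second stream in the report is the same apart from the compared constant.
LISTING_2 = LISTING_1.replace(", 01h", ", 02h")

_EBP_DISP = r"\[ebp([+-])([0-9A-Fa-f]+)h\]"


def _disp(sign: str, hexval: str) -> int:
    return int(hexval, 16) * (-1 if sign == "-" else 1)


def field_for(struct_disp: int, operand_disp: int):
    """Name the OSVERSIONINFOA field that an [ebp+operand_disp] operand touches when the struct
    sits at [ebp+struct_disp]. Returns (field name, offset within that field)."""
    off = operand_disp - struct_disp
    cursor = 0
    for name, size in OSVERSIONINFOA_FIELDS:
        if cursor <= off < cursor + size:
            return name, off - cursor
        cursor += size
    raise ValueError(f"offset {off:#x} is outside OSVERSIONINFOA")


def explain_listing(listing: str):
    """Return (frame size == sizeof(OSVERSIONINFOA), [(field, constant, constant name), ...])
    for every compare that follows the GetVersionExA call."""
    frame = base = None
    after_call = False
    compares = []
    for line in listing.splitlines():
        line = line.strip()
        if m := re.match(r"sub esp, ([0-9A-Fa-f]+)h$", line):
            frame = int(m.group(1), 16)
        elif m := re.match(r"lea eax, dword ptr " + _EBP_DISP + "$", line):
            base = _disp(m.group(1), m.group(2))       # pointer pushed as lpVersionInformation
        elif "GetVersionExA" in line:
            after_call = True
        elif after_call and (m := re.match(r"cmp dword ptr " + _EBP_DISP + r", ([0-9A-Fa-f]+)h$", line)):
            field, _ = field_for(base, _disp(m.group(1), m.group(2)))
            const = int(m.group(3), 16)
            label = PLATFORM_IDS.get(const, "?") if field == "dwPlatformId" else "?"
            compares.append((field, const, label))
    return frame == OSVERSIONINFOA_SIZE, compares


if __name__ == "__main__":
    for listing in (LISTING_1, LISTING_2):
        print(explain_listing(listing))
```

Both streams resolve to a single compare of dwPlatformId, against 1 and 2 respectively. Had the operand landed on dwMajorVersion or dwBuildNumber, or had the frame size not matched the struct, the same checker would say so, which is the distinction between a harmless OS-family probe and version-gated behaviour worth a closer look.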
-
Reads the active computer name
- details
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
-
General
-
Contacts domains
- details
-
"8.8.8.8.in-addr.arpa"
"3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa"
"255.56.168.192.in-addr.arpa"
"252.0.0.224.in-addr.arpa" - source
- Network Traffic
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\~51BE.tmp"
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\_is5219\Setup.INI"
"<Input Sample>" created file "%TEMP%\_is5219\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\_is5219\0x0409.ini"
"<Input Sample>" created file "%TEMP%\_is5219\2D Vector Pak.msi" - source
- API Call
- relevance
- 1/10
-
Process launched with changed environment
- details
- Process "msiexec.exe" was launched with new environment variables: "__COMPAT_LAYER="VistaSetup""
- source
- Monitored Target
- relevance
- 10/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%PROGRAMFILES%\ACD Systems\Setups\{267D8835-4B73-421B-8C61-358624FA96E7}\2D Vector Pak.msi" SETUPEXEDIR="C:""
- source
- Monitored Target
- relevance
- 3/10
-
-
Installation/Persistence
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"2D Vector Pak.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Last Saved By: InstallShield, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Comments: This installer database contains the logic and data required to install ACD Systems Ltd 2D Vector Pak, Keywords: Installer,MSI,Database, Subject: 2D Vector Pak for ACDSee, Author: ACD Systems Ltd, Number of Pages: 200, Name of Creating Application: InstallShield Developer 7.0, Revision Number: {267D8835-4B73-421B-8C61-358624FA96E7}, Last Saved Time/Date: Wed Nov 20 14:12:15 2002, Create Time/Date: Wed Nov 20 14:12:15 2002, Last Printed: Wed Nov 20 14:12:15 2002, Code page: 1252, Template: Intel;1033"
"~51BE.tmp" has type "ASCII text with CRLF line terminators"
"Setup.INI" has type "ASCII text with CRLF line terminators"
"0x0409.ini" has type "ASCII text with CRLF line terminators"
"_ISMSIDEL.INI" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.dll"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
"<Input Sample>" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
"<Input Sample>" touched file "%WINDIR%\System32\msi.dll"
"<Input Sample>" touched file "%WINDIR%\System32\rsaenh.dll"
"<Input Sample>" touched file "%WINDIR%\System32\msiexec.exe"
"msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
"msiexec.exe" touched file "%WINDIR%\System32\rsaenh.dll" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "www.acdsystems.comARPCONTACT1-250-544-6700ARPHELPLINKARPHELPTELEPHONEARSearch"
Pattern match: "http://www.acdsystems.com/"
Heuristic match: "8.8.8.8.in-addr.arpa"
Heuristic match: "3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa"
Heuristic match: "255.56.168.192.in-addr.arpa"
Heuristic match: "252.0.0.224.in-addr.arpa"
Pattern match: "http://files.acdsystems.com/english/downloads/supporting-files/instmsiw.exe"
Pattern match: "http://files.acdsystems.com/english/downloads/supporting-files/instmsia.exe"
Pattern match: "http://www.acdsystems.com"
Pattern match: "http://www.ACDSYSTEMS.com"
Pattern match: "Mk.TtR/w0drch@"
Pattern match: "H6Rn.abhH/|8;u,Q64%@"
Heuristic match: ":/i8arC'>81g''qgNAC*WY-\.Aq"
Heuristic match: "[[{%/Ox0M;t_dw`3])gH@{q* QQWJUiIKb_d@ffwgf%3qjcI^pl-@Ihp`!E-Q@kP~%Q8~0B?>%y6IXjhF^o@Gg`5Ap$5]Dt]Tb.ZW"
Heuristic match: "T8#yQE:q`z|p!4<.eG"
Pattern match: "Ff.JY/xsz^y#\JIzNMqY%m&;,+i"
Pattern match: "XHb.vf/qiz{D=[];Pr'{t;Ak"
Pattern match: "O8.dW/T*#yzg.*`,W.*'I?DB\" - source
- File/Memory
- relevance
- 10/10
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "vecpak100win-en.exe.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10
-
File Details
vecpak100win-en.exe
- Filename
- vecpak100win-en.exe
- Size
- 1.4MiB (1470039 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 8829edc56ba31b29fec7ae02ba9795925e68d0b3f5609f182213bc9bb84c101b
- MD5
- 70ec830116cb36735d43211a1f51c2c3
- SHA1
- 39d1d8d768c7c55b80ed09cb72fdf57f18ff252e
- ssdeep
- 24576:ZSdLDTxPH4Q0Yy9C36a9/LIsQJ+bijclkW6adb7x2:ZSTPH4Q0Yy9C3BqXjcntdb7Q
- imphash
- 3df1cad47b0f4f27a8eb25481d61d147
- authentihash
- 7515d7add8a34fc8f5a432622ca777becc8b1feb63eb326e0696017d7871f8aa
- Compiler/Packer
- Microsoft visual C++ 5.0
- PDB Pathway
Version Info
- LegalCopyright
- Copyright (c) 2000 - 2001 ACD Systems Ltd
- FileVersion
- 1.00.0000
- CompanyName
- ACD Systems Ltd
- Comments
- -
- ProductName
- 2D Vector Pak
- ProductVersion
- 1.00.0000
- FileDescription
- Setup Launcher
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 42.0% (.EXE) InstallShield setup
- 30.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 12.7% (.SCR) Windows Screen Saver
- 6.4% (.DLL) Win32 Dynamic Link Library (generic)
- 4.3% (.EXE) Win32 Executable (generic)
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- vecpak100win-en.exe (PID: 2572)
- msiexec.exe /i "%PROGRAMFILES%\ACD Systems\Setups\{267D8835-4B73-421B-8C61-358624FA96E7}\2D Vector Pak.msi" SETUPEXEDIR="C:" (PID: 1992)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
8.8.8.8.in-addr.arpa | - | - | - |
3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | - | - | - |
255.56.168.192.in-addr.arpa | - | - | - |
252.0.0.224.in-addr.arpa | - | - | - |
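Added example, not part of the Hybrid Analysis report: triage of the strings the report lists under "Found potential IP address in binary/memory", "Contacts domains" and the DNS Requests table above. Every "domain" here is a PTR name, so the useful step is to turn each back into the address that was looked up and classify its scope; the X.509 OID table is the RFC 5280 set of extension OIDs under 2.5.29 that a dotted-quad regex mistakes for IPv4 addresses. The inputs are copied from the report; nothing is resolved over the network.

```python
import ipaddress
import re

# Strings the report lists as potential IPs / contacted domains, copied from the report.
REPORT_STRINGS = [
    "2.5.29.15",
    "8.8.8.8.in-addr.arpa",
    "255.56.168.192.in-addr.arpa",
    "252.0.0.224.in-addr.arpa",
    "3.0.0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa",
    "ScriptVer=1.0.0.1",
]

# X.509 extension OIDs under 2.5.29 (RFC 5280) that look like IPv4 addresses to a dotted-quad regex.
X509_EXTENSION_OIDS = {
    "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage",
    "2.5.29.17": "subjectAltName",
    "2.5.29.19": "basicConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.37": "extKeyUsage",
}

_DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def reverse_ptr_to_ip(name: str):
    """Turn a PTR query name (x.x.x.x.in-addr.arpa, or 32 nibbles under ip6.arpa) back into the address it asks about."""
    n = name.lower().rstrip(".")
    if n.endswith(".in-addr.arpa"):
        labels = n[: -len(".in-addr.arpa")].split(".")
        if len(labels) != 4 or not all(l.isdigit() for l in labels):
            return None
        return ipaddress.ip_address(".".join(reversed(labels)))
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(x) == 1 and x in "0123456789abcdef" for x in nibbles):
            return None
        hexdigits = "".join(reversed(nibbles))
        return ipaddress.ip_address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
    return None


def scope(ip) -> str:
    """Coarse routing scope: the first thing to settle before treating an address as a C2 candidate."""
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def triage(strings):
    """Label each string: X.509 OID, decoded reverse-DNS name, literal address, dotted quad embedded in other text, or unrecognized."""
    rows = []
    for s in strings:
        if s in X509_EXTENSION_OIDS:                     # must come before the literal-IP test: 2.5.29.15 parses as an IPv4 address
            rows.append((s, "x509-oid", X509_EXTENSION_OIDS[s]))
            continue
        ip = reverse_ptr_to_ip(s)
        if ip is not None:
            rows.append((s, "reverse-dns", f"{ip} ({scope(ip)})"))
            continue
        try:
            ip = ipaddress.ip_address(s)
            rows.append((s, "literal-ip", f"{ip} ({scope(ip)})"))
            continue
        except ValueError:
            pass
        m = _DOTTED_QUAD.search(s)
        if m:
            rows.append((s, "embedded-dotted-quad", m.group(1)))
        else:
            rows.append((s, "unrecognized", ""))
    return rows


if __name__ == "__main__":
    for raw, kind, detail in triage(REPORT_STRINGS):
        print(f"{kind:22s} {detail:28s} <- {raw}")
```

Run over the report's strings this yields one public address (8.8.8.8, a resolver), one private one (192.168.56.255, the broadcast address of a 192.168.56.0/24 lab network; that range is the default VirtualBox host-only subnet), and two multicast ones (224.0.0.252 and ff02::1:3, the IPv4 and IPv6 LLMNR groups), plus the keyUsage OID and a version string. None of it is infrastructure chosen by the sample, which matches the report's own "No relevant hosts were contacted".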
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Informative Selection 2
-
-
2D Vector Pak.msi
- Size
- 1.2MiB (1243136 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Last Saved By: InstallShield , Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Comments: This installer database contains the logic and data required to install ACD Systems Ltd 2D Vector Pak, Keywords: Installer,MSI,Database, Subject: 2D Vector Pak for ACDSee, Author: ACD Systems Ltd, Number of Pages: 200, Name of Creating Application: InstallShield Developer 7.0, Revision Number: {267D8835-4B73-421B-8C61-358624FA96E7}, Last Saved Time/Date: Wed Nov 20 14:12:15 2002, Create Time/Date: Wed Nov 20 14:12:15 2002, Last Printed: Wed Nov 20 14:12:15 2002, Code page: 1252, Template: Intel;1033
- Runtime Process
- msiexec.exe (PID: 1992)
- MD5
- b903ac2c649a3ac27a407c600acd8f2c
- SHA1
- e26bf0b41cb177eb2b3c02b957768cbb0911f340
- SHA256
- 8cac1218508ad6d89ec77e47acf850e0fd88b597bba1ea732cf69a00133af31c
-
Setup.INI
- Size
- 1.3KiB (1342 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- vecpak100win-en.exe (PID: 2572)
- MD5
- 62cf0a075effaaa4920234b2bee11936
- SHA1
- 0e67b06f61fd950a0a0ed8c87dbeadc35964679d
- SHA256
- 7267a03b284596d088c354cb9ae90238fd70a46ba862b3cb483116ae0b6b169b
-
-
Informative 3
-
-
0x0409.ini
- Size
- 4KiB (4107 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- vecpak100win-en.exe (PID: 2572)
- MD5
- 47b8151455bc54356bd8eab2d9656dff
- SHA1
- 077fce613856628b7144db497c38283d733ff0d1
- SHA256
- ddc0262ecaf411329b7d6b0510696e934f7f15887a9b81084ef3b1d07c7f3824
-
_ISMSIDEL.INI
- Size
- 222B (222 bytes)
- Type
- data
- Runtime Process
- vecpak100win-en.exe (PID: 2572)
- MD5
- 1bd6290f810a69d296241fcbcfa2865f
- SHA1
- d3ff8aee241a4282b50923b5ed2cffe152815573
- SHA256
- f269ff86c5f0f4eb05f393ab8af9327a0bcad7b911019ac1a0ba86a857571f45
-
~51BE.tmp (same size and hashes as Setup.INI above: the launcher wrote the INI under a temporary name first)
- Size
- 1.3KiB (1342 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- vecpak100win-en.exe (PID: 2572)
- MD5
- 62cf0a075effaaa4920234b2bee11936
- SHA1
- 0e67b06f61fd950a0a0ed8c87dbeadc35964679d
- SHA256
- 7267a03b284596d088c354cb9ae90238fd70a46ba862b3cb483116ae0b6b169b
-
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)