setup.exe
This report was generated from a file or URL submitted to this web service on December 24th 2018 22:03:11 (UTC), run with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Spyware: Found a string that may be used as part of an injection method
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; reads the active computer name; reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Spreading: Opens the MountPointManager (often used to detect additional infection locations); tries to access unusual system drive letters
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
  - d5cd5467cd7a77f27ebec2133c97e717ab740bb4ad8fb02a7a5a04259bd0838c
  - 6b3ba86940a0235c47dd60b362107a733965213a3fe88ff3cd20536415fd937d
  - 7e4b731282e0a746132f8326a67db5594781a473fa333ec263b83ac501824e8d
  - 036839ad2eab4fc5aeb3dafddc16f549a4fae5b2747dc3745dc5a197895c19c0
  - 7e4a609faed4e421bc90727145d6fcb4f0a70dacec4a52af3e13375335ddbf86
  - 2bfa209f8e380928deefe19018dd13074a52b373a35a5d384694d4c324befff7
Indicators
Not all malicious and suspicious indicators are displayed in this public report. The ATT&CK IDs below are those current at analysis time (December 2018); T1076, T1107, T1179, T1215 and T1002 have since been revoked or folded into sub-techniques of the current matrix.

Malicious Indicators 5

Installation/Persistence

Allocates virtual memory in a remote process
- details: "<Input Sample>" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData" (the target is reported as a registry path rather than a process; the write indicator that follows names msiexec.exe)
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details: "<Input Sample>" wrote 1500, 4, 8, 32 and 52 bytes to the remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 480). The target is the msiexec.exe child that setup.exe itself launched (see the process tree under Hybrid Analysis), which matters when weighing this as T1055.
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details: ExitWindowsEx@USER32.DLL from setup.exe (PID: 4076), 2 occurrences
- source: Hybrid Analysis Technology
- relevance: 5/10

Contains native function calls
- details: NtdllDefWindowProc_W@NTDLL.DLL from setup.exe (PID: 4076), 3 occurrences
- source: Hybrid Analysis Technology
- relevance: 5/10

Tries to access unusual system drive letters
- details: "msiexec.exe" touched "K:", "L:", "M:", "N:", "O:", "P:", "Q:", "R:", "S:", "T:", "U:", "V:" and "W:". The probing is attributed to msiexec.exe, not to setup.exe, and a sequential walk across unused drive letters is consistent with the Windows Installer enumerating volumes for costing; on its own it is not evidence of spreading behaviour.
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083
Suspicious Indicators 26

Anti-Detection/Stealthiness

Queries kernel debugger information
- details: "msiexec.exe" at 00029172-00001804-00000033-22238911187; "msiexec.exe" at 00029290-00001496-00000033-25322158797; "msiexec.exe" at 00031076-00003724-00000033-74623519373 (one query from each of the three msiexec.exe processes, PIDs 1804, 1496 and 3724; none from setup.exe itself)
- source: API Call
- relevance: 6/10
Anti-Reverse Engineering

PE file has unusual entropy sections
- details: .rsrc with unusual entropy 7.44331788902. For this sample a high-entropy resource section is consistent with the compressed payload the launcher unpacks to %TEMP% (the 5 MiB "Payroll 2019.msi" and the zlib-compressed _is*.tmp files listed under Dropped files) rather than with a packed code section.
- source: Static Parser
- relevance: 10/10
Cryptographic Related

Found a cryptographic related string
- details: "DES" (Indicator: "des"; File: "setup.exe.bin"). A three-character substring match that carries little weight on its own.
- source: File/Memory
- relevance: 10/10
Environment Awareness

Queries the installation properties of user installed products
- details: "<Input Sample>" and "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\C092FAC3F42F2DF4089015E173FA506F\INSTALLPROPERTIES")
- source: Registry Access
- relevance: 10/10

Reads the active computer name
- details: "<Input Sample>" and "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Contains ability to find and load resources of a specific module
- details: LoadResource@KERNEL32.dll (2 static occurrences); LoadResource@KERNEL32.DLL from setup.exe (PID: 4076) (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  - "<Input Sample>" read file "%TEMP%\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\Setup.INI"
  - "<Input Sample>" read file "%TEMP%\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\_ISMSIDEL.INI"
  - "<Input Sample>" read file "%TEMP%\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\0x0409.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details: "MSI68AB.tmp", "MSIFB89.tmp" and "MSIC6E9.tmp" each have type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows". All three were written by msiexec.exe and share a single hash (see Extracted Files), so this is one DLL staged three times under the MSIxxxx.tmp names msiexec uses for custom-action DLLs it extracts from a package, not three different binaries.
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details: "4.05.0.0", "2.9.0.0", "2.5.4.3", "2.5.4.11", "2.5.4.10"; heuristic match: "ScriptVer=1.0.0.1". None of these is a network address: 2.5.4.3, 2.5.4.10 and 2.5.4.11 are the X.500 attribute OIDs commonName, organizationName and organizationalUnitName, as found in X.509 certificate data, and the rest are version-number strings.
- source: File/Memory
- relevance: 3/10
Remote Access Related

Reads terminal service related keys (often RDP related)
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED"). This is a read, not a write; nothing in the report shows the key being modified.
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1076
System Destruction

Marks file for deletion
- details:
  - "C:\setup.exe" marked "%TEMP%\_MSI5166._IS", "%TEMP%\_isDF56.tmp", "%TEMP%\_isDF96.tmp", "%TEMP%\_isE034.tmp", "%TEMP%\~E033.tmp", "%TEMP%\_isE045.tmp" and "%TEMP%\_isE101.tmp" for deletion
  - "%WINDIR%\SysWOW64\msiexec.exe" marked "%TEMP%\MSIFB89.tmp" and "%TEMP%\MSI68AB.tmp" for deletion
  The report lists no deletion outside the sample's own temporary files (compare Creates a writable file in a temporary directory below).
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details: the same files as above: "<Input Sample>" opened "%TEMP%\_MSI5166._IS", "%TEMP%\_isDF56.tmp", "%TEMP%\_isDF96.tmp", "%TEMP%\_isE034.tmp", "%TEMP%\~E033.tmp", "%TEMP%\_isE045.tmp" and "%TEMP%\_isE101.tmp" with delete access; "msiexec.exe" opened "%TEMP%\MSIFB89.tmp" and "%TEMP%\MSI68AB.tmp" with delete access
- source: API Call
- relevance: 7/10
System Security

Contains ability to elevate privileges
- details: SetSecurityDescriptorDacl@ADVAPI32.DLL from setup.exe (PID: 4076), 2 occurrences. Setting a DACL on an object the process creates is not privilege elevation; the indicator reflects the import, not an observed elevation.
- source: Hybrid Analysis Technology
- relevance: 10/10
Unusual Characteristics

CRC value set in PE header does not match actual value
- details: "MSI68AB.tmp" claimed CRC 107195 while the actual is CRC 8603896. The "CRC" is the PE OptionalHeader.CheckSum, which is a 16-bit folded sum plus the file length, so a valid value can never exceed the file size by more than 65535. 8603896 - 58680 (the size of MSI68AB.tmp) = 8545216 is impossible, whereas 8603896 - 8549196 (the size of setup.exe) = 54700 is well-formed: the "actual" figure appears to have been computed over setup.exe rather than over the dropped DLL, so this indicator should be re-verified against the right file before it is used.
- source: Static Parser
- relevance: 10/10
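To reproduce or refute a checksum indicator like the one above, the following Python, added here as an editorial example and not part of the report or of the sandbox's code, implements the PE CheckSum algorithm that Windows uses (the same one pefile's generate_checksum implements), verifies a file against its header field, and applies the size sanity check described above. The minimal PE image it builds is constructed for demonstration only; it is not one of the files from this report.

```python
import struct

OPT_CHECKSUM = 0x40   # offset of CheckSum within IMAGE_OPTIONAL_HEADER (PE32 and PE32+)


def _checksum_field_offset(data: bytes) -> int:
    """Locate OptionalHeader.CheckSum: e_lfanew -> 'PE\\0\\0' (4) + COFF header (20) + 0x40."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + OPT_CHECKSUM


def pe_checksum(data: bytes) -> int:
    """Compute the PE CheckSum over the whole file, skipping the CheckSum field itself.

    Dwords are summed with end-around carry, folded to 16 bits, and the file
    length is added, so the result never exceeds len(data) + 0xFFFF.
    """
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def claimed_checksum(data: bytes) -> int:
    """The CheckSum value stored in the optional header."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def stamp_checksum(data: bytes) -> bytes:
    """Return a copy of the image with a correct CheckSum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def verify_checksum(data: bytes) -> str:
    """'unset' (field is 0, common for unsigned builds), 'match' or 'mismatch'."""
    claimed = claimed_checksum(data)
    if claimed == 0:
        return "unset"
    return "match" if claimed == pe_checksum(data) else "mismatch"


def checksum_plausible_for_size(value: int, file_size: int) -> bool:
    """A CheckSum is a 16-bit fold plus the file size, so value - size must fit in 16 bits."""
    return 0 <= value - file_size <= 0xFFFF


def build_minimal_pe(payload: bytes = b"\x90" * 0x100) -> bytes:
    """Constructed demo image: MZ stub, PE signature, COFF header, PE32 optional header, payload.

    Not loadable; it has just enough structure for the checksum code to find the field.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                   # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic; CheckSum stays 0
    return bytes(dos) + coff + bytes(opt) + payload


if __name__ == "__main__":
    image = stamp_checksum(build_minimal_pe())
    print("demo image:", verify_checksum(image))
    # Figures from the report: claimed 107195 for the 58680-byte MSI68AB.tmp,
    # "actual" 8603896, and setup.exe is 8549196 bytes.
    for value, size in ((107195, 58680), (8603896, 58680), (8603896, 8549196)):
        print(f"{value} for a {size}-byte file is plausible: {checksum_plausible_for_size(value, size)}")
```

Run against a real file with `verify_checksum(open(path, "rb").read())`; an "unset" result is the normal state for binaries that were never signed or stamped, and only a "mismatch" on a file whose field is non-zero is worth reporting.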
Imports suspicious APIs
- details: RegCreateKeyExW, RegCloseKey, RegCreateKeyW, RegEnumKeyW, RegDeleteKeyW, SetSecurityDescriptorDacl, OpenProcessToken, RegOpenKeyExW, RegOpenKeyW, RegOpenKeyExA, RegEnumKeyExW, RegDeleteValueW, GetDriveTypeW, GetFileAttributesW, UnhandledExceptionFilter, LoadLibraryExW, GetThreadContext, FindResourceExW, CopyFileW, WriteProcessMemory, GetModuleFileNameW, GetVersionExA, GetModuleFileNameA, CreateThread, TerminateProcess, LoadLibraryW, GetVersionExW, GetTickCount, VirtualProtect, LoadLibraryA, GetStartupInfoA, GetFileSize, OpenProcess, GetStartupInfoW, CreateDirectoryW, DeleteFileW, VirtualProtectEx, GetTempFileNameW, CreateFileMappingW, WriteFile, FindNextFileW, FindFirstFileW, GetProcAddress, CreateFileW, CreateFileA, FindResourceW, LockResource, GetCommandLineW, GetCommandLineA, MapViewOfFile, GetModuleHandleA, GetModuleHandleW, GetTempPathW, CreateProcessW, Sleep, VirtualAlloc, ShellExecuteW, ShellExecuteExW, FindWindowW, CreateDirectoryA, DeleteFileA, GetTempPathA, FindFirstFileA, FindNextFileA
- source: Static Parser
- relevance: 1/10
Installs hooks/patches the running process
- details:
  - "<Input Sample>" wrote bytes "d83a1f75" to virtual address "0x752001E0" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "b4361f75" to virtual address "0x75200200" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "b4361f75" to virtual address "0x752001E4" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "60127e73" to virtual address "0x75C0E324" (part of module "WININET.DLL")
  - "<Input Sample>" wrote bytes "b840137e73ffe0" to virtual address "0x751F3AD8" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "d83a0200" to virtual address "0x751F4E38" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "d83a0200" to virtual address "0x751F4D78" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "c0df95771cf99477ccf894770d64967700000000c011397500000000fc3e397500000000e0133975000000009457247525e09577c6e0957700000000bc6a237500000000cf3139750000000093192475000000002c32397500000000" to virtual address "0x75281000" (part of module "NSI.DLL")
  - "<Input Sample>" wrote bytes "b8b0157e73ffe0" to virtual address "0x751F36B4" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "711151027a3b5002ab8b02007f950200fc8c0200729602006cc805001ecd4d027d264d02" to virtual address "0x754A07E4" (part of module "USER32.DLL")
  - "<Input Sample>" wrote bytes "d83a1f75" to virtual address "0x75200274" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "b4360200" to virtual address "0x751F4D68" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "68130000" to virtual address "0x76D71680" (part of module "WS2_32.DLL")
  - "<Input Sample>" wrote bytes "d83a1f75" to virtual address "0x75200258" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "b4361f75" to virtual address "0x75200278" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "b4360200" to virtual address "0x751F4EA4" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "b4361f75" to virtual address "0x7520025C" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "d83a1f75" to virtual address "0x752001FC" (part of module "SSPICLI.DLL")
  - "<Input Sample>" wrote bytes "b830127e73ffe0" to virtual address "0x76D71368" (part of module "WS2_32.DLL")
  All of these writes land in the sample's own address space (no remote process is named). Decoded, they are of two kinds: seven-byte sequences of the form b8 xx xx xx xx ff e0, i.e. mov eax, imm32 / jmp eax detours to 0x737E1340, 0x737E15B0 and 0x737E1230, and four-byte little-endian values that are either the absolute addresses of those detours (0x751F3AD8, 0x751F36B4) or their RVAs (0x23AD8, 0x236B4, 0x1368) written into pointer slots of SSPICLI.DLL and WS2_32.DLL, which is consistent with pointer-table redirection onto small detour stubs. The RVAs imply SSPICLI.DLL loaded at 0x751D0000 and WS2_32.DLL at 0x76D70000. The report does not say which module occupies 0x737Exxxx; map that address against the loaded-module list before attributing the hooks to the sample, since in-process patches to these DLLs are also produced by application-compatibility shims (both setup.exe and msiexec.exe load AppPatch\sysmain.sdb and AcGenral.dll, see Touches files in the Windows directory).
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
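The decoding sketched above can be done mechanically. The Python below is an editorial example, not code from the report or from the sandbox: it parses the report's own "wrote bytes" lines, classifies each write as a mov eax, imm32 / jmp eax detour, an absolute pointer or an RVA, links every pointer or RVA slot to the detour it now routes through, and infers the module base that makes the RVA writes consistent. The seven lines embedded in it are copied from this report; the threshold that separates an RVA from an absolute pointer is a heuristic assumption.

```python
import re
import struct

# Seven of the write events from the "Installs hooks/patches the running process"
# indicator above, copied verbatim from this report.
REPORT_LINES = [
    '"<Input Sample>" wrote bytes "d83a1f75" to virtual address "0x752001E0" (part of module "SSPICLI.DLL")',
    '"<Input Sample>" wrote bytes "b4361f75" to virtual address "0x75200200" (part of module "SSPICLI.DLL")',
    '"<Input Sample>" wrote bytes "b840137e73ffe0" to virtual address "0x751F3AD8" (part of module "SSPICLI.DLL")',
    '"<Input Sample>" wrote bytes "d83a0200" to virtual address "0x751F4E38" (part of module "SSPICLI.DLL")',
    '"<Input Sample>" wrote bytes "b8b0157e73ffe0" to virtual address "0x751F36B4" (part of module "SSPICLI.DLL")',
    '"<Input Sample>" wrote bytes "68130000" to virtual address "0x76D71680" (part of module "WS2_32.DLL")',
    '"<Input Sample>" wrote bytes "b830127e73ffe0" to virtual address "0x76D71368" (part of module "WS2_32.DLL")',
]

_LINE_RE = re.compile(
    r'wrote bytes "([0-9a-fA-F]+)" to virtual address "0x([0-9A-Fa-f]+)" \(part of module "([^"]+)"\)'
)
RVA_LIMIT = 0x01000000   # assumption: a 4-byte value below this is an RVA, above it an absolute pointer


def parse_write(line: str):
    """Return (data, address, module) for one report line, or None if it does not match."""
    m = _LINE_RE.search(line)
    if not m:
        return None
    return bytes.fromhex(m.group(1)), int(m.group(2), 16), m.group(3)


def classify(data: bytes):
    """('trampoline', target), ('pointer', address), ('rva', rva) or ('other', None)."""
    # b8 imm32 ff e0  ==  mov eax, imm32 ; jmp eax  (absolute 7-byte detour)
    if len(data) == 7 and data[0] == 0xB8 and data[5:] == b"\xff\xe0":
        return "trampoline", struct.unpack_from("<I", data, 1)[0]
    if len(data) == 4:
        value = struct.unpack("<I", data)[0]
        return ("rva" if value < RVA_LIMIT else "pointer"), value
    return "other", None


def link_patches(writes):
    """Map each pointer/RVA slot to the detour it now routes through.

    Absolute pointers are matched directly against detour addresses. An RVA is
    matched to the detour whose address minus the RVA is 64 KiB aligned; that
    difference is then the module base.
    """
    trampolines = {}
    for data, addr, _ in writes:
        kind, target = classify(data)
        if kind == "trampoline":
            trampolines[addr] = target
    links = {}
    for data, slot, module in writes:
        kind, value = classify(data)
        if kind == "pointer" and value in trampolines:
            links[slot] = {"module": module, "via": value, "target": trampolines[value]}
        elif kind == "rva":
            for tramp, target in trampolines.items():
                base = tramp - value
                if base > 0 and base & 0xFFFF == 0:
                    links[slot] = {"module": module, "via": tramp, "target": target, "base": base}
    return links


def infer_bases(writes):
    """Module bases implied by the RVA writes, e.g. SSPICLI.DLL at 0x751D0000."""
    return {link["module"]: link["base"] for link in link_patches(writes).values() if "base" in link}


if __name__ == "__main__":
    writes = [w for w in map(parse_write, REPORT_LINES) if w]
    for slot, link in sorted(link_patches(writes).items()):
        print(f"{link['module']:<12} slot 0x{slot:08X} -> detour 0x{link['via']:08X} -> 0x{link['target']:08X}")
    for module, base in infer_bases(writes).items():
        print(f"{module} base inferred as 0x{base:08X}")
```

The final targets (0x737E1340, 0x737E15B0, 0x737E1230) are what you would look up in the process's module list; if they fall inside a shim or instrumentation DLL rather than in setup.exe or something it dropped, the indicator is not the sample's doing.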
Reads information about supported languages
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409"); "msiexec.exe" (same path and key); "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

8 further suspicious indicators are not shown in this public report.
Informative 25

Anti-Reverse Engineering

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details: found reference to API GetDiskFreeSpaceExW@KERNEL32.DLL from setup.exe (PID: 4076) (2 occurrences); found reference to API IsProcessorFeaturePresent@KERNEL32.DLL from setup.exe (PID: 4076)
- source: Hybrid Analysis Technology
- relevance: 10/10
Environment Awareness

Contains ability to query machine time
- details: GetLocalTime@KERNEL32.dll (2 static occurrences); GetLocalTime@KERNEL32.DLL from setup.exe (PID: 4076) (3 occurrences); GetSystemTimeAsFileTime@KERNEL32.DLL from setup.exe (PID: 4076) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.dll; GetTimeZoneInformation@KERNEL32.DLL from setup.exe (PID: 4076)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details: static: GetVersion@KERNEL32.dll (2), GetVersionExW@KERNEL32.dll (6), GetVersionExA@KERNEL32.dll (1); from setup.exe (PID: 4076): GetVersion (2), GetVersionExW (7), GetVersionExA (1)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details: static: EnumSystemLocalesA@KERNEL32.dll (3), GetUserDefaultLCID@KERNEL32.dll (1); from setup.exe (PID: 4076): EnumSystemLocalesA (3), GetUserDefaultLCID (1)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceW@KERNEL32.DLL from setup.exe (PID: 4076) (2 occurrences); GetDiskFreeSpaceExW@KERNEL32.DLL from setup.exe (PID: 4076)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Makes a code branch decision directly after an API that is environment aware
- details (each site was reported once from the static stream and once or more from setup.exe, PID 4076; listed once here):
  - GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 00443519h"
  - GetVersionExW@KERNEL32.dll directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "jne 0044720Dh"
  - GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jbe 0044EB72h" (reported three times)
  - GetSystemTimeAsFileTime@KERNEL32.DLL directly followed by "cmp eax, esi" and "jne 0041A95Dh"
  - GetVersionExW@KERNEL32.DLL directly followed by "cmp word ptr [ebp-00000124h], 0001h" and "jnc 0041BCE2h"
  - GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000104h], 02h" and "ret"
  - GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "ret"
  - GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000210h], 05h" and "jne 0041703Bh"
  - GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret"
  The comparisons are consistent with ordinary OS-version gating in an installer rather than sandbox detection: a dword compared against 1 and 2 right after GetVersionExW matches OSVERSIONINFO.dwPlatformId (VER_PLATFORM_WIN32_WINDOWS / VER_PLATFORM_WIN32_NT), the compare against 5 matches a dwMajorVersion test, and "cmp eax, 80000000h" after GetVersion is the classic Win9x-versus-NT check on the high bit.
- source: Hybrid Analysis Technology
- relevance: 10/10

Queries volume information
- details: "msiexec.exe" queries volume information of "C:\" at 00029172-00001804-00000046-23081700215
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- details: the same event as above: "msiexec.exe" queries volume information of "C:\" at 00029172-00001804-00000046-23081700215
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120
External Systems

Sample was identified as clean by Antivirus engines
- details: 0/71 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General

Contains PDB pathways
- details: "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setupW.pdb". Together with the Acresso/InstallShield copyright and the "Setup Launcher Unicode" description under Version Info, this identifies the file as InstallShield's stock setup launcher wrapping a vendor MSI.
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
  - "<Input Sample>" created file "%TEMP%\_MSI5166._IS"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_isDF56.tmp"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\Setup.INI"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\_ISMSIDEL.INI"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_isDF96.tmp"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\0x0409.ini"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_isE034.tmp"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~E033.tmp"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_isE045.tmp"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\Setup.bmp"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_isE101.tmp"
  - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\Payroll 2019.msi"
  - "msiexec.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSIFB89.tmp"
  - "msiexec.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI6fd2f.LOG"
  - "msiexec.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI68AB.tmp"
  - "msiexec.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSIC6E9.tmp"
- source: API Call
- relevance: 1/10

Creates mutants
- details: "\Sessions\1\BaseNamedObjects\Global\MSILOG_6bb361be1d49bccGOL.f2df6ISM_pmeT_lacoL_ataDppA_SWBUPAH_sresU_:C"; "Global\MSILOG_6bb361be1d49bccGOL.f2df6ISM_pmeT_lacoL_ataDppA_SWBUPAH_sresU_:C" (the suffix is the reversed path of the MSI6fd2f.LOG file created above, i.e. the Windows Installer logging mutex)
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details: Antivirus vendors marked dropped file "Payroll 2019.msi" as clean (type is "Composite Document File V2 Document Can't read SAT"); Antivirus vendors marked dropped files "MSI68AB.tmp", "MSIFB89.tmp" and "MSIC6E9.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Overview of unique CLSIDs touched in registry
- details:
  - "msiexec.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}")
  - "msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}")
  - "msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details: Process "msiexec.exe" was launched with new environment variables: "__PROCESS_HISTORY="C:\setup.exe""
- source: Monitored Target
- relevance: 10/10

Scanning for window names
- details: "<Input Sample>" searching for class "Shell_TrayWnd" (the taskbar window)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details: spawned process "msiexec.exe" with command line "/i "%TEMP%\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\Payroll 2019.m ..."; spawned process "msiexec.exe" with command line "-Embedding A75149B6F3DFDC5751528EDBA3343127 C"; spawned process "msiexec.exe" with command line "-Embedding AA5CB2DD15BA0B9F812EC7F147467DFC C" (full command lines are in the process tree under Hybrid Analysis)
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details: the same three msiexec.exe processes as above
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Connects to LPC ports
- details: "<Input Sample>" connecting to "\ThemeApiPort"; "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
  - "Payroll 2019.msi" has type "Composite Document File V2 Document Can't read SAT"
  - "_isDF56.tmp" has type "zlib compressed data"
  - "~E033.tmp" has type "ASCII text with CRLF line terminators"
  - "0x0409.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  - "_isE101.tmp" has type "zlib compressed data"
  - "_isE034.tmp" has type "zlib compressed data"
  - "_isDF96.tmp" has type "zlib compressed data"
  - "MSI68AB.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIFB89.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSIC6E9.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "_ISMSIDEL.INI" has type "data"
  - "_isE045.tmp" has type "zlib compressed data"
  - "Setup.bmp" has type "PC bitmap Windows 3.x format 447 x 303 x 24"
  - "Setup.INI" has type "ASCII text with CRLF line terminators"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  - "<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.dll"
  - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
  - "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
  - "<Input Sample>" touched file "%WINDIR%\SysWOW64\msiexec.exe"
  - "msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\msiexec.exe"
  - "msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
  - "msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\en-US\msiexec.exe.mui"
  - "msiexec.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
  - "msiexec.exe" touched file "%WINDIR%\SysWOW64\msimsg.dll"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
  - Heuristic match: ",F[`nJ.aS"
  - Heuristic match: "gKAE0~.Sv"
  - Pattern match: "XL.eJY/kzv{U8L.eJY"
  - Pattern match: "eniF.fbJ/JmhM//hfmMHCZ_S4.famJSb:mM!!4=1mZHZ_nE4:,mES1"
  - Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
  - Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
  - Pattern match: "https://www.verisign.com/rpa"
  - Pattern match: "https://www.verisign.com/rpa01U*0"
  - Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"
  - Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0"
  - Pattern match: "www.acresso.com0"
  - Heuristic match: "P4:Yfhe4Fu2g5z2/VNU>iEjp&LLTO+tz(4-Suf0K3u#>]nj*!DA.Hu"
  - Heuristic match: "@FtV/MP]N@rg)&6f5AyU{/|\#cc~RXd#\34E@UfEitiDwD^{di%NJ u.Pf"
  - Pattern match: "B.oy/xxb~v'k"
  - Heuristic match: "P~ilF2Lr/{55T/H4GI~Q.tj"
  - Pattern match: "oyr.yZ/9!{;_"
  - Heuristic match: "D=-]JEOar}u2Y!zP2.SB"
  - Pattern match: "L1Sq.YuWp/{cWfNL,3FP50!0pgf;0[vmd9x!&"
  The VeriSign CRL, AIA and RPA URLs are the usual contents of a VeriSign-issued code-signing certificate chain with a Thawte timestamp, not contact points of the sample (Network Analysis below records no DNS, host or HTTP activity). The remaining matches are regex hits on compressed data.
- source: File/Memory
- relevance: 10/10
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "<Input Sample>" opened "\Device\KsecDD"; "msiexec.exe" opened "\Device\KsecDD". User-mode cryptographic consumers open this device routinely (the same msiexec.exe loads rsaenh.dll, see Touches files in the Windows directory); the open is not evidence that a kernel module or driver was loaded, whatever the T1215 mapping suggests.
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215
Unusual Characteristics

Matched Compiler/Packer signature
- details: "setup.exe.bin" was detected as "Microsoft visual C++ 5.0"; "MSI68AB.tmp" was detected as "Armadillo v1.xx - v2.xx". The Armadillo match comes from a byte-pattern signature that is well known for firing on ordinary MSVC-linked binaries; the DLL is 57 KiB and the report shows no other sign of a packed or encrypted image, so treat the packer match as unconfirmed.
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1002
File Details
setup.exe
- Filename: setup.exe
- Size: 8.2 MiB (8549196 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: a09637cfceba796fabc24f94d48e7702eac500f55143db2e47f3847a0cbab251
- MD5: f9dc595a835447b1ce748c0c9e86afff
- SHA1: a77ab59e46a6f483873fc8ab66e0f853b19483e8
- ssdeep: 196608:vLuaNk4Lly4jK01TVccR/4hf5kt5MzWxbRro1:c4zK01R1/IkfMzWl9o1
- imphash: db8d02a5592df4fb37d5932bac7d2025
- authentihash: 1b479ab8b72ea7dbc937970f4d029f22330ddd4cc44c5dc42495b6f12a92c685
- Compiler/Packer: Microsoft visual C++ 5.0
- PDB Timestamp: 09/11/2008 05:56:27 (UTC)
Version Info
- LegalCopyright: Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
- InternalName: Setup
- FileVersion: 19.0.0
- CompanyName: Breaktru Software
- Internal Build Number: 82160
- ProductName: Payroll 2019
- ProductVersion: 19.0.0
- FileDescription: Setup Launcher Unicode
- OriginalFilename: Setup.exe
- Translation: 0x0409 0x04b0
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 51 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8966)
- 19 .LIB Files generated with LIB.EXE 7.00 (Visual Studio .NET 2002) (build: 9210)
- 3 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 9178)
- 2 .OBJ Files (COFF) linked with LINK.EXE 6.20 (Visual Studio 6 SP3) (build: 8755)
- 16 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 136 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 30 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 2 .OBJ Files linked with ALIASOBJ.EXE 6.00 (Internal OLDNAMES.LIB Tool) (build: 7291)
- 10 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8966)
- File contains C++ code
- File is the product of a medium codebase (51 files)
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- setup.exe (PID: 4076)
  - msiexec.exe /i "%TEMP%\{296BBC7D-31B0-4C79-8444-BBCE4952AEC5}\Payroll 2019.msi" SETUPEXEDIR="C:" SETUPEXENAME="setup.exe" (PID: 1804)
  - msiexec.exe -Embedding A75149B6F3DFDC5751528EDBA3343127 C (PID: 1496)
  - msiexec.exe -Embedding AA5CB2DD15BA0B9F812EC7F147467DFC C (PID: 3724)
The /i instance is the client-side install launched by setup.exe with the extracted MSI; the two -Embedding instances are the form in which Windows Installer starts its out-of-process (custom action) server processes for the same install.
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID
---|---|---
49.1.9.1 | Domain/IP reference | 00028381-00004076-33330-1735-0045908E
2.5.4.3 | Domain/IP reference | 00028381-00004076-33330-1735-0045908E
2.5.4.10 | Domain/IP reference | 00028381-00004076-33330-1735-0045908E
2.5.4.11 | Domain/IP reference | 00028381-00004076-33330-1735-0045908E
2.0.0.0 | Domain/IP reference | 16139-668-00418469
2.9.0.0 | Domain/IP reference | 00028381-00004076-33330-660-0042A54F
3.0.0.0 | Domain/IP reference | 16139-668-00418469
None of these is a network indicator: 2.5.4.3, 2.5.4.10 and 2.5.4.11 are the X.500 attribute OIDs commonName, organizationName and organizationalUnitName, and the remaining dotted quads are version-like strings that happen to match the IP regex, consistent with the absence of any DNS, host or HTTP activity above.
Extracted Files
-
Clean 4
-
-
MSI68AB.tmp
- Size
- 57KiB (58680 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/77
- Runtime Process
- msiexec.exe (PID: 1804)
- MD5
- 4990e2c6714019b91bcc07f2f98e2241
- SHA1
- a9c099a983d488517c470b1a37a2f894b6af25e0
- SHA256
- ad12108b637a3856615ab58f612954258c2581ba92d59ab339c668a603f452a8
- MSIC6E9.tmp
- Size
- 57KiB (58680 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/77
- Runtime Process
- msiexec.exe (PID: 1804)
- MD5
- 4990e2c6714019b91bcc07f2f98e2241
- SHA1
- a9c099a983d488517c470b1a37a2f894b6af25e0
- SHA256
- ad12108b637a3856615ab58f612954258c2581ba92d59ab339c668a603f452a8
- MSIFB89.tmp
- Size
- 57KiB (58680 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/77
- Runtime Process
- msiexec.exe (PID: 1804)
- MD5
- 4990e2c6714019b91bcc07f2f98e2241
- SHA1
- a9c099a983d488517c470b1a37a2f894b6af25e0
- SHA256
- ad12108b637a3856615ab58f612954258c2581ba92d59ab339c668a603f452a8
- Payroll 2019.msi
- Size
- 5MiB (5229708 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- AV Scan Result
- 0/58
- Runtime Process
- msiexec.exe (PID: 1804)
- MD5
- bf09a177c438bd75d6d70a0767efc612
- SHA1
- 12972d0ab70b0532967ec669b3b8daf8069525c6
- SHA256
- 9172894480bd7790025abc5428227782076df4a320623691d7401257e2ead080
Informative Selection 1
- _isE034.tmp
- Size
- 1.1KiB (1151 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- 3c80e404549ac32a876b4962169d260f
- SHA1
- 22521d8e5b6c03f09f4ea6d4a3546f843c496e7e
- SHA256
- b05225ce48dd79d5cb48ce1705ac1a9b23e51e1a8e92668d80a8652c87592992
Informative 9
- _isDF56.tmp
- Size
- 1.1KiB (1151 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- 3c80e404549ac32a876b4962169d260f
- SHA1
- 22521d8e5b6c03f09f4ea6d4a3546f843c496e7e
- SHA256
- b05225ce48dd79d5cb48ce1705ac1a9b23e51e1a8e92668d80a8652c87592992
- _isDF96.tmp
- Size
- 2.9KiB (3017 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- ae10f061af304517f6e3f3157795a5b7
- SHA1
- f80822a26461dbcaf29ed0de91fd41c2bb370c44
- SHA256
- c1c419be1398addbd82f88be6c3ff810ed04b8c970ab7349b07ec11b07368043
- _isE045.tmp
- Size
- 15KiB (15306 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- 2df3da624c633b9d401dd8198576a9ca
- SHA1
- f3dd8a714985be986819d87aa1eda70732348a82
- SHA256
- a39d38b94e34fb480666271277f0050613736beb5f05db7fe3c8c305f5651bb1
- _isE101.tmp
- Size
- 4.2MiB (4438639 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- af4ece5b8007f6e581359f344adaea17
- SHA1
- 38e96fad6750922c4f55f3adaa1698eb5e3292a7
- SHA256
- 13e93d02d1f28f71555e86aa1839339e15b7cb33e72208dd0d0b65902bb43d5b
- 0x0409.ini
- Size
- 13KiB (13660 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- 758747727e96a23c7c5a5bbb011656e4
- SHA1
- 51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9
- SHA256
- bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825
- Setup.INI
- Size
- 2.7KiB (2794 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- 929c3fff605d11c76065d9a266404bb1
- SHA1
- 6bea332ceecce851e86048b9dbb788f02e9b4489
- SHA256
- 8318bd09837795bf9f5dfca63146566e892e0ef993747721cbb46a229066201e
- Setup.bmp
- Size
- 398KiB (407286 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 447 x 303 x 24
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- a1fdf62d066116904fce48dc4bbe5e62
- SHA1
- 780414624dd85d22768485ef7c2d27f8012509b1
- SHA256
- 48f71dc7dea4b2fcf2df3b5ba81284717a33d3c9fe8709e8d7e3e32f8d35f638
- _ISMSIDEL.INI
- Size
- 822B (822 bytes)
- Type
- data
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- f63ff0433a16ba7c38f268dbce2b04d1
- SHA1
- 3665c9cc0d9cb475aaf86e9f8373cf55c28ddaa8
- SHA256
- ed07edd548b9bd5416303c8e4a407df816232e2ba5e94ee8a2adfecd0b46b247
- ~E033.tmp
- Size
- 2.7KiB (2794 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- setup.exe (PID: 4076)
- MD5
- 929c3fff605d11c76065d9a266404bb1
- SHA1
- 6bea332ceecce851e86048b9dbb788f02e9b4489
- SHA256
- 8318bd09837795bf9f5dfca63146566e892e0ef993747721cbb46a229066201e
Notifications
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "stream-3" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report