SetupGLSU60.zip
This report is generated from a file or URL submitted to this webservice on September 13th 2017 17:24:56 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.91 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: ad8ad1cf49c6851eccb577b5064f2a87968cd69beb4e1962d65eccce635851e3
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)
General
The analysis extracted a file that was identified as malicious
- details
1/56 Antivirus vendors marked dropped file "GLSU.msi" as malicious (classified as "HEUR_VBA.OE" with 1% detection rate)
1/83 Antivirus vendors marked dropped file "MSIE1B6.tmp" as malicious (classified as "Adware.AddLyrics.BB.rsuo.dll" with 1% detection rate)
- source: Binary File
- relevance: 10/10
Installation/Persistence
Writes data to a remote process
- details
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360)
- source: API Call
- relevance: 6/10
Suspicious Indicators (19)
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
- "4KvR/l:&?-i59\I*Y`hHFOTP3Dw?PU%Y4iBP35QeMU1(JJ|V]b-lVl5I?PZh'enUyxx;x(~>7)" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10
Reads the cryptographic machine GUID
- details
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
General
Contains ability to find and load resources of a specific module
- details: FindResourceW@KERNEL32.dll (2 streams)
- source: Hybrid Analysis Technology
- relevance: 1/10
Opened the service control manager
- details
"msiexec.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"msiexec.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source: API Call
- relevance: 10/10
Requested access to a system service
- details
"msiexec.exe" called "OpenService" to access the "CryptSvc" service
"msiexec.exe" called "OpenService" to access the "cryptsvc" service
"msiexec.exe" called "OpenService" to access the "" service
"msiexec.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"msiexec.exe" called "OpenService" to access the "gpsvc" service
"msiexec.exe" called "OpenService" to access the "WinHttpAutoProxySvc" service
- source: API Call
- relevance: 10/10
Sent a control code to a service
- details
"msiexec.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
"msiexec.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
"msiexec.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"msiexec.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
- source: API Call
- relevance: 10/10
Installation/Persistence
Drops executable files
- details: "MSIE1B6.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
Network Related
Found potential IP address in binary/memory
- details
"4.05.0.0"
"2.9.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
Heuristic match: "ScriptVer=1.0.0.1"
- source: File/Memory
- relevance: 3/10
Remote Access Related
Contains references to WMI/WMIC
- details: "Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")" (Indicator: "root\cimv2")
- source: File/Memory
- relevance: 10/10
System Security
Modifies Software Policy Settings
- details
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10
Unusual Characteristics
Imports suspicious APIs
- details
GetTempPathW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
UnhandledExceptionFilter
LoadLibraryExW
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
OpenProcess
GetStartupInfoW
DeleteFileW
GetProcAddress
GetTempFileNameW
CreateFileW
Process32NextW
GetCommandLineA
Process32FirstW
GetModuleHandleW
WriteFile
Sleep
ShellExecuteW
ShellExecuteExW
FindWindowW
- source: Static Parser
- relevance: 1/10
Installs hooks/patches the running process
- details: "msiexec.exe" wrote bytes "4053337758583477186a3477653c35770000000000bf9f750000000056cc9f75000000007cca9f7500000000376856756a2c3577d62d357700000000206956750000000029a69f7500000000a48d567500000000f70e9f7500000000" to virtual address "0x77441000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10
Reads information about supported languages
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source: Registry Access
- relevance: 3/10
Hiding 6 Suspicious Indicators
Informative (16)
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness
Contains ability to query machine time
- details: GetLocalTime@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the machine version
- details: GetVersionExW@KERNEL32.dll (6 streams)
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the system locale
- details: GetUserDefaultLCID@KERNEL32.dll (3 streams); EnumSystemLocalesW@KERNEL32.dll (4 streams)
- source: Hybrid Analysis Technology
- relevance: 1/10
Makes a code branch decision directly after an API that is environment aware
- details
Found API call GetVersionExW@KERNEL32.dll (Target: "SetupGLSU.exe.bin"; Stream UID: "37137-6966-00485F83")
which is directly followed by "cmp dword ptr [ebp-00000108h], 01h" and "jne 00486015h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000118h
+9 mov eax, dword ptr [004EC8D0h]
+14 xor eax, ebp
+16 mov dword ptr [ebp-04h], eax
+19 mov eax, dword ptr [ebp+08h]
+22 push ebx
+23 xor ebx, ebx
+25 push esi
+26 mov esi, dword ptr [ebp+0Ch]
+29 mov dword ptr [eax], ebx
+31 lea eax, dword ptr [ebp-00000118h]
+37 push eax
+38 mov dword ptr [esi], ebx
+40 mov dword ptr [ebp-00000118h], 00000114h
+50 call dword ptr [004B52CCh] ;GetVersionExW
+56 cmp dword ptr [ebp-00000108h], 01h
+63 jne 00486015h" ...
- source: Hybrid Analysis Technology
- relevance: 10/10
External Systems
Sample was identified as clean by Antivirus engines
- details: 0/62 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General
Accesses Software Policy Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source: Registry Access
- relevance: 10/10
Accesses System Certificates Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source: Registry Access
- relevance: 10/10
Contains PDB pathways
- details: "C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb"
- source: File/Memory
- relevance: 1/10
Creates a writable file in a temporary directory
- details
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\{2D670CD8-BFE1-4E22-80DD-C658F5977253}\Setup.INI"
"<Input Sample>" created file "%TEMP%\{2D670CD8-BFE1-4E22-80DD-C658F5977253}\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\{2D670CD8-BFE1-4E22-80DD-C658F5977253}\0x0409.ini"
"<Input Sample>" created file "%TEMP%\~7E1C.tmp"
"<Input Sample>" created file "%TEMP%\~7E27.tmp"
"<Input Sample>" created file "%TEMP%\{2D670CD8-BFE1-4E22-80DD-C658F5977253}\GLSU.msi"
"<Input Sample>" created file "%TEMP%\~82B1.tmp"
- source: API Call
- relevance: 1/10
Reads Windows Trust Settings
- details: "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10
Spawns new processes
- details: Spawned process "msiexec.exe" with commandline "/i "%WINDIR%\Downloaded Installations\{FFF7BAA0-05BA-4318-9712-6A7753E2E089}\GLSU.msi" SETUPEXEDIR="C:" SETUPEXENAME="SetupGLSU.exe"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence
Dropped files
- details
"GLSU.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: GLSU 6.0 build 170524 Keywords: General Ledger Spreadsheet Excel SAP GL AP AR FI Subject: General Ledger Spreadsheet Uploader Author: Z Option Security: 1 Number of Pages: 200 Name of Creating Application: InstallShieldr 2016 - Professional Edition 23 Last Saved Time/Date: Wed May 24 12:08:16 2017 Create Time/Date: Wed May 24 12:08:16 2017 Last Printed: Wed May 24 12:08:16 2017 Revision Number: {FFF7BAA0-05BA-4318-9712-6A7753E2E089} Code page: 1252 Template: Intel;1033"
"MSIE1B6.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"CabCBEA.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"66AE3BFDF94A732B262342AD2154B86E_1CB9E8F39EA84925D31BF28BF8A5D9BA" has type "data"
"~7E1C.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~7E27.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"TarCBEB.tmp" has type "data"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~82B1.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5" has type "data"
- source: Binary File
- relevance: 3/10
Touches files in the Windows directory
- details
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "%WINDIR%\system32\rsaenh.dll"
"<Input Sample>" touched file "%WINDIR%\Downloaded Installations"
"<Input Sample>" touched file "%WINDIR%\Downloaded Installations\{FFF7BAA0-05BA-4318-9712-6A7753E2E089}"
"<Input Sample>" touched file "%WINDIR%\Downloaded Installations\{FFF7BAA0-05BA-4318-9712-6A7753E2E089}\GLSU.msi"
"<Input Sample>" touched file "%WINDIR%\system32\msiexec.exe"
"msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
- source: API Call
- relevance: 7/10
Network Related
Found potential URL in binary/memory
- details
Pattern match: "www.digicert.com1$0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "www.digicert.com110/"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl05"
Pattern match: "http://crl4.digicert.com/sha2-assured-cs-g1.crl0L"
Pattern match: "https://www.digicert.com/CPS0"
Pattern match: "http://ocsp.digicert.com0N"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0"
Pattern match: "http://ocsp.digicert.com0C"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA2H9Lqt8rUu6JMQOAVr%2F5M%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com"
Pattern match: "www.ZOption.com/support.htmPROGMSG_IIS_ROLLBACKWEBSERVICEEXTENSIONSCEBB504FD9FCF018AEACE0E8BEEB978F3EFBD08FDEECE7BFCE9CA0CF09FB479F9E5CD0EFBEACDWUSLINKhttp://www.ZOption.comARPHELPLINK{&TahomaBold10}Welcome"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl0531/http://crl4.digicert.com/sha2-assured-cs-g1.crl0LU"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0Uz0x0:864http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0OU"
Pattern match: "https://@DS,XS,333"
Pattern match: "http://logo.verisign.com/vslogo.gif0Ue0C93130"
Pattern match: "http://sv.symcb.com/sv.crl0fU"
Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0UF'Sbk!,0`HB0"
Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
Pattern match: "http://www.flexerasoftware.com0"
- source: File/Memory
- relevance: 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details: "MSIE1B6.tmp" was detected as "Borland Delphi 3.0 (???)"
- source: Static Parser
- relevance: 10/10
File Details
SetupGLSU.exe
- Filename: SetupGLSU.exe
- Size: 7.2MiB (7590768 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: ec8e4d2f9846ac6166036802bb9e1b3c57c31944e6dd2827bd8eede8a43a61ec
- MD5: b8cba8a45626bbc5e73be1faef205688
- SHA1: e9288740e00dc6030452d1cb6127f0edb171493f
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- SetupGLSU.exe (PID: 3676)
  - msiexec.exe /i "%WINDIR%\Downloaded Installations\{FFF7BAA0-05BA-4318-9712-6A7753E2E089}\GLSU.msi" SETUPEXEDIR="C:" SETUPEXENAME="SetupGLSU.exe" (PID: 2500)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 37137-1065-00432C4B |
2.0.0.0 | Domain/IP reference | 37137-1065-00432C4B |
2.5.4.3 | Domain/IP reference | 37137-7326-004951CF |
2.9.0.0 | Domain/IP reference | 37137-1066-00445F53 |
2.5.4.11 | Domain/IP reference | 37137-7326-004951CF |
2.5.4.10 | Domain/IP reference | 37137-7326-004951CF |
49.1.9.1 | Domain/IP reference | 37137-7326-004951CF |
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 37137-741-0041A8B0 |
Extracted Strings
Extracted Files
Displaying 12 extracted file(s). The remaining 2 file(s) are available in the full version and XML/JSON reports.
Malicious (2)
MSIE1B6.tmp
- Size: 153KiB (156928 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Adware.AddLyrics.BB.rsuo.dll" (1/83)
- Runtime Process: msiexec.exe (PID: 2500)
- MD5: 69e9bb71d4d394e87f0109734d328371
- SHA1: 82fbef8f36aecefbca489d58c09cdf4b0386f787
- SHA256: c3a87617d5ba229a62da7fd4e0929be26cac33c58470fd5e5f0b54c30ff4d172
GLSU.msi
- Size: 5MiB (5196800 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: GLSU 6.0 build 170524, Keywords: General Ledger, Spreadsheet, Excel, SAP, GL, AP, AR, FI, Subject: General Ledger Spreadsheet Uploader, Author: Z Option, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShieldr 2016 - Professional Edition 23, Last Saved Time/Date: Wed May 24 12:08:16 2017, Create Time/Date: Wed May 24 12:08:16 2017, Last Printed: Wed May 24 12:08:16 2017, Revision Number: {FFF7BAA0-05BA-4318-9712-6A7753E2E089}, Code page: 1252, Template: Intel;1033
- AV Scan Result: Labeled as "HEUR_VBA.OE" (1/56)
- Runtime Process: SetupGLSU.exe (PID: 3676)
- MD5: cac2ad08c6477871903ecc66790761d1
- SHA1: 475fd7a1f5aea46f63ae81631eb216b2ca09cc4f
- SHA256: 863c93fde5b911bf2669cc49b30f7c97d4c0717f8bbaedac68d772c570263f55
Informative Selection (3)
Setup.INI
- Size: 5.4KiB (5526 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: SetupGLSU.exe (PID: 3676)
- MD5: 35c4de8c8d60c86e7e99243a98e057f5
- SHA1: a9896c27cadca888e2533b92fa2efc5688070fa5
- SHA256: 0b983eb751d7abf980f37d4169b9e77ecc8be3de64ce7badf7af2b90a1c85bec
~7E27.tmp
- Size: 5.4KiB (5526 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: SetupGLSU.exe (PID: 3676)
- MD5: 35c4de8c8d60c86e7e99243a98e057f5
- SHA1: a9896c27cadca888e2533b92fa2efc5688070fa5
- SHA256: 0b983eb751d7abf980f37d4169b9e77ecc8be3de64ce7badf7af2b90a1c85bec
~82B1.tmp
- Size: 5.4KiB (5526 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: SetupGLSU.exe (PID: 3676)
- MD5: 35c4de8c8d60c86e7e99243a98e057f5
- SHA1: a9896c27cadca888e2533b92fa2efc5688070fa5
- SHA256: 0b983eb751d7abf980f37d4169b9e77ecc8be3de64ce7badf7af2b90a1c85bec
Informative (7)
42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
- Size: 471B (471 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 2500)
- MD5: de2de7ca4c449f4e0b64a8161ecfe79f
- SHA1: 902aca8c2cdf7c414ab716032ff64e17a121a1d2
- SHA256: b24fea919d36d52e0a5d021e093f258df4090ac75c0ec7b4f5cc58600c3610e6
66AE3BFDF94A732B262342AD2154B86E_1CB9E8F39EA84925D31BF28BF8A5D9BA
- Size: 434B (434 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 2500)
- MD5: 63557a7710795460b5a6e0ee0667406a
- SHA1: da2f3b2af6b92f9baa4f839f6b4d0a56c7d5e916
- SHA256: 8f6b5e66248b6f833fb54a6835e77a04e3083be0dffea7bacaf8a801cbd6962a
CabCBEA.tmp
- Size: 50KiB (50939 bytes)
- Type: data
- Description: Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process: msiexec.exe (PID: 2500)
- MD5: 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1: f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256: c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
TarCBEB.tmp
- Size: 118KiB (120573 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 2500)
- MD5: 179d2951034116b184198e0bf26daa47
- SHA1: b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256: 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
0x0409.ini
- Size: 22KiB (22480 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process: SetupGLSU.exe (PID: 3676)
- MD5: a108f0030a2cda00405281014f897241
- SHA1: d112325fa45664272b08ef5e8ff8c85382ebb991
- SHA256: 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
_ISMSIDEL.INI
- Size: 596B (596 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: SetupGLSU.exe (PID: 3676)
- MD5: 952a403d4b915ae6a92887c83202be67
- SHA1: 29f2b191e392b4743308327fb6e68d958d00e3f3
- SHA256: 516653af008ec419265c5614d2d352fba9af3ec713f20526f6b17c038fac60f3
~7E1C.tmp
- Size: 5.4KiB (5526 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: SetupGLSU.exe (PID: 3676)
- MD5: 35c4de8c8d60c86e7e99243a98e057f5
- SHA1: a9896c27cadca888e2533b92fa2efc5688070fa5
- SHA256: 0b983eb751d7abf980f37d4169b9e77ecc8be3de64ce7badf7af2b90a1c85bec
Notifications
Runtime
- Added comment to Virus Total report
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)