
Analysis Report http://esko7.cf/1/pt.msi

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 123501
Start date: 15.04.2019
Start time: 21:12:55
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: http://esko7.cf/1/pt.msi
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean3.win@6/2@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: msiexec.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 3 | 0 - 100 | | false | clean

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 3 | 0 - 5 | true |


Classification

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Replication Through Removable Media 1 | Windows Remote Management | Winlogon Helper DLL | Process Injection 1 1 | Process Injection 1 1 | Credential Dumping | Peripheral Device Discovery 1 1 | Replication Through Removable Media 1 | Data from Local System | Data Compressed | Standard Non-Application Layer Protocol 2
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Binary Padding | Network Sniffing | System Information Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol 2
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Remote System Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol

Signature Overview



Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:

Networking:

Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /1/pt.msi HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Accept-Encoding: identity
  Host: esko7.cf
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: esko7.cf
Urls found in memory or binary data
Source: msiexec.exe, 00000004.00000002.6151419201.0000000006D00000.00000002.sdmp, pt.msi.2.dr | String found in binary or memory: http://crl.comodoca.com/COMODOSHA256CodeSigningCA.crl0w
Source: wget.exe, 00000002.00000002.4890740109.00000000000D0000.00000004.sdmp, cmdline.out.2.dr | String found in binary or memory: http://esko7.cf/1/pt.msi
Source: wget.exe, 00000002.00000002.4892310262.00000000011C0000.00000004.sdmp | String found in binary or memory: http://esko7.cf/1/pt.msiep
Source: wget.exe, 00000002.00000002.4892310262.00000000011C0000.00000004.sdmp | String found in binary or memory: http://esko7.cf/1/pt.msijp
Source: wget.exe, 00000002.00000002.4892310262.00000000011C0000.00000004.sdmp | String found in binary or memory: http://esko7.cf/1/pt.msilp
Source: wget.exe, 00000002.00000002.4892310262.00000000011C0000.00000004.sdmp | String found in binary or memory: http://esko7.cf/1/pt.msimp
Source: pt.msi.2.dr | String found in binary or memory: http://llvm.org/git/clang.git
Source: pt.msi.2.dr | String found in binary or memory: http://llvm.org/git/llvm.git
Source: msiexec.exe, 00000004.00000002.6151419201.0000000006D00000.00000002.sdmp, pt.msi.2.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 00000004.00000002.6151419201.0000000006D00000.00000002.sdmp, pt.msi.2.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/
Source: msiexec.exe, 00000004.00000002.6151419201.0000000006D00000.00000002.sdmp, pt.msi.2.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/%s
Source: wget.exe, 00000002.00000002.4892310262.00000000011C0000.00000004.sdmp, msiexec.exe, 00000004.00000002.6151419201.0000000006D00000.00000002.sdmp, pt.msi.2.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary:

Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4988:120:WilError_01
Reads the hosts file
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\wget.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\Installer\MSI8637.tmp | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: clean3.win@6/2@1/1
Creates files inside the user directory
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Reads software policies
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://esko7.cf/1/pt.msi' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://esko7.cf/1/pt.msi'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\download\pt.msi'
Source: unknown | Process created: C:\Windows\Installer\MSI8637.tmp C:\Windows\Installer\MSI8637.tmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://esko7.cf/1/pt.msi'
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)
Source: C:\Windows\Installer\MSI8637.tmp | Window detected: Number of UI elements: 20

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of hard drives
Source: C:\Windows\SysWOW64\msiexec.exe | File Volume queried: C:\ FullSizeInformation

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://esko7.cf/1/pt.msi'
May try to detect the Windows Explorer process (often used for injection)
Source: msiexec.exe, 00000004.00000002.6127041267.0000000003530000.00000002.sdmp, MSI8637.tmp, 00000005.00000002.6155681293.0000000001220000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000004.00000002.6127041267.0000000003530000.00000002.sdmp, MSI8637.tmp, 00000005.00000002.6155681293.0000000001220000.00000002.sdmp | Binary or memory string: Progman
Source: msiexec.exe, 00000004.00000002.6127041267.0000000003530000.00000002.sdmp, MSI8637.tmp, 00000005.00000002.6155681293.0000000001220000.00000002.sdmp | Binary or memory string: Program ManagerUR

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 123501 | URL: http://esko7.cf/1/pt.msi | Startdate: 15/04/2019 | Architecture: WINDOWS | Score: 3
Processes started from the sample URL: cmd.exe, msiexec.exe, MSI8637.tmp
cmd.exe started: wget.exe, conhost.exe
wget.exe network contact: esko7.cf 95.216.33.53, 49797, 80, unknown, Germany

Simulations

Behavior and APIs

Time | Type | Description
21:13:45 | API Interceptor | 3x Sleep call for process: cmd.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
http://esko7.cf/1/pt.msi | 6% | virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
esko7.cf | 2% | virustotal |

URLs

Source | Detection | Scanner | Label
http://esko7.cf/1/pt.msiep | 0% | Avira URL Cloud | safe
http://esko7.cf/1/pt.msilp | 0% | Avira URL Cloud | safe
http://esko7.cf/1/pt.msi | 6% | virustotal |
http://esko7.cf/1/pt.msi | 0% | Avira URL Cloud | safe
http://esko7.cf/1/pt.msijp | 0% | Avira URL Cloud | safe
http://esko7.cf/1/pt.msimp | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
