Windows Analysis Report
Installer.msi

Overview

General Information

Sample name: Installer.msi
Analysis ID: 1362406
MD5: 1e3ff8672dd9df37ac5696222fd0bec7
SHA1: 5437218f7389925a7ea5bc780d1351d6ce3ea067
SHA256: 0e81a36141d196401c46f6ce293a370e8f21c5e074db5442ff2ba6f223c435f5
Tags: msi, pikabot
Infos:

Detection

PikaBot
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PikaBot
Contains functionality to check for running processes (XOR)
Sample uses process hollowing technique
Writes to foreign memory regions
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6832 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Installer.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6948 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7100 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FB72CBA66D1B5B7C2EC1EC7FC50D4B55 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • SearchProtocolHost.exe (PID: 4488 cmdline: C:\Windows\System32\SearchProtocolHost.exe MD5: 727FE964E574EEAF8917308FFF0880DE)
  • cleanup
Malware family (Name / Description / Attribution / Blogpost URLs / Link):
Name: Pikabot
Description: Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
Source: 00000003.00000002.2893816873.0000000000B10000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_PikaBot | Description: Yara detected PikaBot | Author: Joe Security
Source: 3.2.SearchProtocolHost.exe.b10000.0.unpack | Rule: JoeSecurity_PikaBot | Description: Yara detected PikaBot | Author: Joe Security
Source: 3.2.SearchProtocolHost.exe.b10000.0.raw.unpack | Rule: JoeSecurity_PikaBot | Description: Yara detected PikaBot | Author: Joe Security
No Sigma rule has matched
No Snort rule has matched

Source: Binary string: NtPrint.pdbGCTL source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr
Source: Binary string: NtPrint.pdb source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: unknown | TCP traffic detected without corresponding DNS query: 172.232.186.251 (this entry appears 11 times in the report)
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CF8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SearchProtocolHost.exe, 00000003.00000003.1831622723.000000000583A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?16b8e16730ac9
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://ocsps.ssl.com0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://ocsps.ssl.com0?
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: Installer.msi, 44d548.msi.1.dr, 44d546.msi.1.dr | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://172.232.186.251/
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://172.232.186.251/9
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002C86000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002C50000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://172.232.186.251:5632/Unsqueamishness/P1WaaAvbipOgTBhh7?Regild=ArbutaseCasketlike
Source: SearchProtocolHost.exe, 00000003.00000002.2893855055.0000000002CB1000.0