Windows
Analysis Report
ClickShare-Extension-Pack-01.01.02.0007.msi
Overview
General Information
Detection
Score: 9 (range 0 - 100)
Whitelisted: false
Confidence: 0%
Signatures
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Startup Folder File Write
Spawns drivers
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
- System is w10x64
- msiexec.exe (PID: 3568 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ClickShare-Extension-Pack-01.01.02.0007.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 1632 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 1408 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E6B16BCC263E80D188A4984C7B267598 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- taskkill.exe (PID: 4148 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 5740 cmdline: C:\Windows\System32\MsiExec.exe -Embedding F4B6C0AC556B4BDBCA932BA88603FA42 MD5: E5DA170027542E25EDE42FC54C929077)
- MirrorOpSetup64.exe (PID: 3356 cmdline: "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install MD5: 28B07DC516BFC41A35A93DC1643E143F)
- clicksharelauncher.exe (PID: 2072 cmdline: "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe" MD5: 5EB03B6FF6643353FE82B59F8242F1BE)
- drvinst.exe (PID: 6616 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{6d6f95e9-2155-cb49-8d2b-437f70f9d0f7}\MirrorOpDisplay.inf" "9" "4208fae43" "0000000000000154" "WinSta0\Default" "000000000000016C" "208" "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- drvinst.exe (PID: 4824 cmdline: DrvInst.exe "2" "1" "ROOT\DISPLAY\0000" "C:\Windows\System32\DriverStore\FileRepository\mirroropdisplay.inf_amd64_81a2ef4ec907e6ad\mirroropdisplay.inf" "oem4.inf:*:*:1.1.174.61:Root\VID_MIRROROP_VIRTUAL_DISPLAY_0001," "4208fae43" "0000000000000168" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
- WUDFRd.sys (PID: 4 cmdline: MD5: 0B7A5464602DA68DA6BEFC2A1B5BE4C5)
- IndirectKmd.sys (PID: 4 cmdline: MD5: 9B943585EF2A4917E1BC2186045E4B64)
- WUDFHost.exe (PID: 6768 cmdline: "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-35dc3092-997a-462b-8ee0-c4c46c580d41 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-2348cb75-16eb-4e88-aea2-36cde2ec3571 -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-8f9a7ac6-e24f-4275-b4e5-c5e16ce5d6a7 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-34c938a5-6219-4a04-8fb5-f0a5c593a835 -LifetimeId:f1058ddd-615d-4a9e-a592-7cb571a1dced -DeviceGroupId:v3DDKIndirectGroup -HostArg:0 MD5: 00E2EF3D2C9309CA4135195A049CC79C)
- cleanup
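A triage pass over process-tree entries of the kind listed above, added here as an example; it is not part of the Joe Sandbox report or of Barco's software. It parses entries in the report's own "name (PID: N cmdline: ... MD5: X)" shape (the sample lines are the report's entries re-joined onto single lines, plus one constructed msiexec.exe entry with PID 9999 and a fake MD5 that exists only to exercise the conflict check), groups hashes by on-disk path so that a system binary hashing differently between two launches from the same directory stands out while the legitimately different SysWOW64 copy does not, lists images launched from outside C:\Windows (the installer's own payload), pulls the taskkill /IM targets, and collects the PID 4 (System) driver entries. All function names are assumptions for illustration.

```python
"""Parse Joe Sandbox-style process entries and run simple triage checks."""
import re
from collections import defaultdict

# Report entries re-joined onto single lines. The LAST line (PID 9999) is
# CONSTRUCTED: same System32 path as the real msiexec entries, different hash.
SAMPLE = r'''
msiexec.exe (PID: 3568 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ClickShare-Extension-Pack-01.01.02.0007.msi" MD5: E5DA170027542E25EDE42FC54C929077)
msiexec.exe (PID: 1632 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
msiexec.exe (PID: 1408 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E6B16BCC263E80D188A4984C7B267598 MD5: 9D09DC1EDA745A5F87553048E57620CF)
taskkill.exe (PID: 4148 cmdline: "C:\Windows\SysWOW64\taskkill.exe" /F /IM clicksharelauncher.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
MirrorOpSetup64.exe (PID: 3356 cmdline: "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Extended Desktop Driver\IDDCx\MirrorOpSetup64.exe" install MD5: 28B07DC516BFC41A35A93DC1643E143F)
clicksharelauncher.exe (PID: 2072 cmdline: "C:\Program Files (x86)\Barco\ClickShare Extension Pack\Launcher\clicksharelauncher.exe" MD5: 5EB03B6FF6643353FE82B59F8242F1BE)
WUDFRd.sys (PID: 4 cmdline: MD5: 0B7A5464602DA68DA6BEFC2A1B5BE4C5)
IndirectKmd.sys (PID: 4 cmdline: MD5: 9B943585EF2A4917E1BC2186045E4B64)
msiexec.exe (PID: 9999 cmdline: C:\Windows\System32\msiexec.exe /V MD5: 00000000000000000000000000000000)
'''

# One report entry: image name, PID, free-form command line, 32-hex-digit MD5.
ENTRY = re.compile(
    r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: ?(?P<cmd>.*?) ?MD5: (?P<md5>[0-9A-Fa-f]{32})\)$'
)


def image_path(cmd):
    """First token of a command line: a quoted path, or everything up to the first space."""
    if not cmd:
        return ''
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def parse(text):
    """Turn report lines into dicts; lines that do not fit the entry shape are skipped."""
    procs = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d['pid'] = int(d['pid'])
        d['md5'] = d['md5'].upper()
        d['path'] = image_path(d['cmd'])
        procs.append(d)
    return procs


def hash_conflicts(procs):
    """Same on-disk path (case-insensitive) observed with more than one MD5.
    Grouping by full path rather than by file name keeps the SysWOW64 copy of
    msiexec.exe (a different binary) from being reported against the System32 one."""
    seen = defaultdict(set)
    for p in procs:
        if p['path']:
            seen[p['path'].lower()].add(p['md5'])
    return {path: sorted(hashes) for path, hashes in seen.items() if len(hashes) > 1}


def outside_windows(procs):
    """Images launched from outside C:\\Windows, i.e. the installer's own payload."""
    return [p['image'] for p in procs
            if p['path'] and not p['path'].lower().startswith('c:\\windows\\')]


def taskkill_targets(procs):
    """Image names passed to taskkill via /IM (what the installer force-terminates)."""
    targets = []
    for p in procs:
        if p['image'].lower() != 'taskkill.exe':
            continue
        toks = p['cmd'].split()
        targets += [toks[i + 1] for i, t in enumerate(toks[:-1]) if t.upper() == '/IM']
    return targets


def kernel_modules(procs):
    """Entries attributed to PID 4 (System): drivers that loaded during the run."""
    return [p['image'] for p in procs if p['pid'] == 4]


if __name__ == '__main__':
    procs = parse(SAMPLE)
    print('entries:', len(procs))
    print('hash conflicts:', hash_conflicts(procs))
    print('outside C:\\Windows:', outside_windows(procs))
    print('taskkill targets:', taskkill_targets(procs))
    print('PID 4 modules:', kernel_modules(procs))
```

On the report's real entries the conflict check returns nothing: the three System32 msiexec.exe launches share E5DA1700..., and the 9D09DC1E... hash belongs to the separate SysWOW64 binary. Only the constructed PID 9999 line triggers a finding.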
No configs have been found
No yara matches
Sigma rule authors: Max Altgelt (Nextron Systems); Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
No Snort rule has matched
There are no malicious signatures.