Edit tour

Windows Analysis Report
VS80sp1-KB954961-X86-INTL.exe

Overview

General Information

Sample name:	VS80sp1-KB954961-X86-INTL.exe
Analysis ID:	1428262
MD5:	de6843e7937dfe0704b9eadfe589e691
SHA1:	c07566c6abc50cd9350d33209520bda798dda3e8
SHA256:	b4ad9fb4f0fc28c41b1a32ba309c8f8cf8b0c1eacb40107d7687288a040eb317
Infos:

Detection

Score:	7
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	47
Range:	0 - 100

Signatures

Checks for available system drives (often done to infect USB drives)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

VS80sp1-KB954961-X86-INTL.exe (PID: 380 cmdline: "C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe" MD5: DE6843E7937DFE0704B9EADFE589E691)

msiexec.exe (PID: 6156 cmdline: "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /p "C:\Users\user\AppData\Local\Temp\ZNW50FA\VS80sp1-KB954961-X86-INTL.msp" /l*v C:\Users\user\AppData\Local\Temp\VS80sp1-KB954961-X86-INTL\VS80sp1-KB954961-X86-INTL-msi.0.log MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5660 cmdline: "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /q /i C:\Users\user\AppData\Local\Temp\ZNW50FA\dw20shared.msi APPGUID={AB1098F4-4E8B-4BC1-9979-6367DF53ED51} REINSTALL=all REINSTALLMODE=vomus MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6024 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5284 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D94135EDDA44CEACEF1298338DEB1A49 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 5556 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 31C2B4F4F21467A963096029BA61CEDC E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Windows\System32\msiexec.exe

File opened: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: msvcm80.i386.pdb source: msvcm80.dll.4.dr
Source:	Binary string: ddsetca.pdb source: 5E0E.tmp.0.dr, 5CE2.tmp.0.dr, 5B27.tmp.0.dr, VS80sp1-KB954961-X86-INTL.msp.0.dr, 5D90.tmp.0.dr, 5D31.tmp.0.dr
Source:	Binary string: t:\dw\x86\ship\0\dw20.pdb source: DW20.EXE.4.dr
Source:	Binary string: t:\dw\x86\ship\0\dw20.pdb\x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: DW20.EXE.4.dr
Source:	Binary string: t:\dw\x86\ship\0\dwtrig20.pdb\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb", source: DWTRIG20.EXE.4.dr
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: dw20shared.msi.0.dr, 5d6f33.msi.4.dr
Source:	Binary string: C:\BriqsBuildDirectories\BriqsSourceDirectory\target\briqs3.4\retail\i386\DDPatch.pdb source: 5497.tmp.0.dr, 55A4.tmp.0.dr, 5AA8.tmp.0.dr, 582D.tmp.0.dr, 5E0E.tmp.0.dr, 5CE2.tmp.0.dr, 5FA7.tmp.0.dr, 590C.tmp.0.dr, 573E.tmp.0.dr, 5B27.tmp.0.dr, 5C24.tmp.0.dr, 5EFB.tmp.0.dr, VS80sp1-KB954961-X86-INTL.msp.0.dr, 594B.tmp.0.dr, 5AE7.tmp.0.dr, 5565.tmp.0.dr, 5BC5.tmp.0.dr, 58BC.tmp.0.dr, 5CA3.tmp.0.dr, 5C63.tmp.0.dr, 5467.tmp.0.dr, 5437.tmp.0.dr, 59BA.tmp.0.dr, 5525.tmp.0.dr, 5D90.tmp.0.dr, 5D31.tmp.0.dr, 56CF.tmp.0.dr, 585D.tmp.0.dr, 60C7.tmp.0.dr, 6036.tmp.0.dr, 570F.tmp.0.dr
Source:	Binary string: t:\dw\x86\ship\0\dwtrig20.pdb source: DWTRIG20.EXE.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\dwsens.pdb source: MSI7204.tmp.4.dr, dw20shared.msi.0.dr, MSI738B.tmp.4.dr, 5d6f33.msi.4.dr, MSI7194.tmp.4.dr
Source:	Binary string: \x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: DW20.EXE.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\dwsens.pdbPu source: MSI7204.tmp.4.dr, dw20shared.msi.0.dr, MSI738B.tmp.4.dr, 5d6f33.msi.4.dr, MSI7194.tmp.4.dr
Source:	Binary string: C:\razzle\binaries\BRIQSSHARED.x86ret\bin\i386\wrapdrvr.pdb source: VS80sp1-KB954961-X86-INTL.exe
Source:	Binary string: msvcp80.i386.pdb source: msvcp80.dll.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\dw20sharedca.pdb source: dw20shared.msi.0.dr, 5d6f33.msi.4.dr
Source:	Binary string: \ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb source: DWTRIG20.EXE.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\AbortMsiCA.pdb source: dw20shared.msi.0.dr, MSI70E6.tmp.4.dr, 5d6f33.msi.4.dr
Source:	Binary string: FileHashFixup.pdb source: filehashfixup.exe.0.dr

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5d6f30.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI70E6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{95120000-00B9-0409-0000-0000000FF1CE}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7144.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7174.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7194.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7195.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7204.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\PCHEALTH	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\PCHEALTH\ERRORREP	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\PCHEALTH\ERRORREP\QHEADLES	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.manifest	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcp80.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcm80.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627498.0	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627498.0\8.0.50727.42.policy	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627498.0\8.0.50727.42.cat	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI738B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5d6f33.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5d6f33.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI70E6.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

Code function: 0_3_0108A191

0_3_0108A191

PE file contains executable resources (Code or Archives)

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: Resource name: BINARY type: Microsoft Cabinet archive data, many, 12381593 bytes, 5 files, at 0x2c +A "manifest.ini" +A "filehashfixup.exe", number 1, 631 datablocks, 0x1 compression

Sample file is different than original file name gathered from version info

Source: VS80sp1-KB954961-X86-INTL.exe, 00000000.00000003.2008386411.0000000002E78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileHashFixup.exeP vs VS80sp1-KB954961-X86-INTL.exe
Source: VS80sp1-KB954961-X86-INTL.exe, 00000000.00000003.2073654830.0000000002E79000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileHashFixup.exeP vs VS80sp1-KB954961-X86-INTL.exe

Uses 32bit PE files

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean7.winEXE@10/83@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Common Files\Microsoft Shared\DW

Jump to behavior

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\MicrosoftDevDivPatchMutex

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

File created: C:\Users\user\AppData\Local\Temp\ZNW50FA.tmp

Jump to behavior

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

File read: C:\Users\user\AppData\Local\Temp\ZNW50FA\manifest.ini

Jump to behavior

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: </install>
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: </addsource>
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"
Source: VS80sp1-KB954961-X86-INTL.exe	String found in binary or memory: <update executable file name> /addsource "C:\Product MSI\Visual Studio\enu\vs_setup.msi" /addsource "C:\Product MSI\Net\Netfx.msi"

Source: unknown	Process created: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe "C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe"
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /p "C:\Users\user\AppData\Local\Temp\ZNW50FA\VS80sp1-KB954961-X86-INTL.msp" /l*v C:\Users\user\AppData\Local\Temp\VS80sp1-KB954961-X86-INTL\VS80sp1-KB954961-X86-INTL-msi.0.log
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /q /i C:\Users\user\AppData\Local\Temp\ZNW50FA\dw20shared.msi APPGUID={AB1098F4-4E8B-4BC1-9979-6367DF53ED51} REINSTALL=all REINSTALLMODE=vomus
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D94135EDDA44CEACEF1298338DEB1A49
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 31C2B4F4F21467A963096029BA61CEDC E Global\MSI0000
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /p "C:\Users\user\AppData\Local\Temp\ZNW50FA\VS80sp1-KB954961-X86-INTL.msp" /l*v C:\Users\user\AppData\Local\Temp\VS80sp1-KB954961-X86-INTL\VS80sp1-KB954961-X86-INTL-msi.0.log	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /q /i C:\Users\user\AppData\Local\Temp\ZNW50FA\dw20shared.msi APPGUID={AB1098F4-4E8B-4BC1-9979-6367DF53ED51} REINSTALL=all REINSTALLMODE=vomus	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D94135EDDA44CEACEF1298338DEB1A49	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 31C2B4F4F21467A963096029BA61CEDC E Global\MSI0000	Jump to behavior

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: es.dll	Jump to behavior

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

File written: C:\Users\user\AppData\Local\Temp\ZNW50FA\manifest.ini

Jump to behavior

PE / OLE file has a valid certificate

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: certificate valid

PE /OLE file has a valid certificate with Microsoft as Issuer

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Submission file is bigger than most known malware samples

Source: VS80sp1-KB954961-X86-INTL.exe

Static file information: File size 12779920 > 1048576

Uses new MSVCR Dlls

Source: C:\Windows\System32\msiexec.exe

File opened: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll

Jump to behavior

PE file has a big raw section

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc02200

PE file contains a debug data directory

Source: VS80sp1-KB954961-X86-INTL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: msvcm80.i386.pdb source: msvcm80.dll.4.dr
Source:	Binary string: ddsetca.pdb source: 5E0E.tmp.0.dr, 5CE2.tmp.0.dr, 5B27.tmp.0.dr, VS80sp1-KB954961-X86-INTL.msp.0.dr, 5D90.tmp.0.dr, 5D31.tmp.0.dr
Source:	Binary string: t:\dw\x86\ship\0\dw20.pdb source: DW20.EXE.4.dr
Source:	Binary string: t:\dw\x86\ship\0\dw20.pdb\x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: DW20.EXE.4.dr
Source:	Binary string: t:\dw\x86\ship\0\dwtrig20.pdb\ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb", source: DWTRIG20.EXE.4.dr
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: dw20shared.msi.0.dr, 5d6f33.msi.4.dr
Source:	Binary string: C:\BriqsBuildDirectories\BriqsSourceDirectory\target\briqs3.4\retail\i386\DDPatch.pdb source: 5497.tmp.0.dr, 55A4.tmp.0.dr, 5AA8.tmp.0.dr, 582D.tmp.0.dr, 5E0E.tmp.0.dr, 5CE2.tmp.0.dr, 5FA7.tmp.0.dr, 590C.tmp.0.dr, 573E.tmp.0.dr, 5B27.tmp.0.dr, 5C24.tmp.0.dr, 5EFB.tmp.0.dr, VS80sp1-KB954961-X86-INTL.msp.0.dr, 594B.tmp.0.dr, 5AE7.tmp.0.dr, 5565.tmp.0.dr, 5BC5.tmp.0.dr, 58BC.tmp.0.dr, 5CA3.tmp.0.dr, 5C63.tmp.0.dr, 5467.tmp.0.dr, 5437.tmp.0.dr, 59BA.tmp.0.dr, 5525.tmp.0.dr, 5D90.tmp.0.dr, 5D31.tmp.0.dr, 56CF.tmp.0.dr, 585D.tmp.0.dr, 60C7.tmp.0.dr, 6036.tmp.0.dr, 570F.tmp.0.dr
Source:	Binary string: t:\dw\x86\ship\0\dwtrig20.pdb source: DWTRIG20.EXE.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\dwsens.pdb source: MSI7204.tmp.4.dr, dw20shared.msi.0.dr, MSI738B.tmp.4.dr, 5d6f33.msi.4.dr, MSI7194.tmp.4.dr
Source:	Binary string: \x86\ship\0\dw20.exe\bbtopt\dw20O.pdb source: DW20.EXE.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\dwsens.pdbPu source: MSI7204.tmp.4.dr, dw20shared.msi.0.dr, MSI738B.tmp.4.dr, 5d6f33.msi.4.dr, MSI7194.tmp.4.dr
Source:	Binary string: C:\razzle\binaries\BRIQSSHARED.x86ret\bin\i386\wrapdrvr.pdb source: VS80sp1-KB954961-X86-INTL.exe
Source:	Binary string: msvcp80.i386.pdb source: msvcp80.dll.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\dw20sharedca.pdb source: dw20shared.msi.0.dr, 5d6f33.msi.4.dr
Source:	Binary string: \ship\0\dwtrig20.exe\bbtopt\dwtrig20O.pdb source: DWTRIG20.EXE.4.dr
Source:	Binary string: t:\msishared\x86\ship\0\CustomActions\AbortMsiCA.pdb source: dw20shared.msi.0.dr, MSI70E6.tmp.4.dr, 5d6f33.msi.4.dr
Source:	Binary string: FileHashFixup.pdb source: filehashfixup.exe.0.dr

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI738B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7195.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	File created: C:\Users\user\AppData\Local\Temp\ZNW50FA\filehashfixup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7144.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7204.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7174.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DWTRIG20.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI70E6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcp80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcm80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DW20.EXE	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI738B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7195.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7144.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7204.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7174.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI70E6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcp80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcm80.dll	Jump to dropped file

Boot Survival

Creates or modifies windows services

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VS80sp1-KB954961-X86-INTL

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI738B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7195.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ZNW50FA\filehashfixup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7144.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7204.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7174.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DWTRIG20.EXE	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI70E6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcp80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcm80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DW20.EXE	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 3_2_04C3F42C LdrInitializeThunk,

3_2_04C3F42C

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /p "C:\Users\user\AppData\Local\Temp\ZNW50FA\VS80sp1-KB954961-X86-INTL.msp" /l*v C:\Users\user\AppData\Local\Temp\VS80sp1-KB954961-X86-INTL\VS80sp1-KB954961-X86-INTL-msi.0.log			Jump to behavior
Source: C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /q /i C:\Users\user\AppData\Local\Temp\ZNW50FA\dw20shared.msi APPGUID={AB1098F4-4E8B-4BC1-9979-6367DF53ED51} REINSTALL=all REINSTALLMODE=vomus			Jump to behavior

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	21 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VS80sp1-KB954961-X86-INTL.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DW20.EXE	0%	ReversingLabs
C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DWTRIG20.EXE	0%	ReversingLabs
C:\Windows\Installer\MSI70E6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7144.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7174.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7195.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7204.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI738B.tmp	0%	ReversingLabs
C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcm80.dll	0%	ReversingLabs
C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcp80.dll	0%	ReversingLabs
C:\Windows\WinSxS\InstallTemp\20240418183627404.0\msvcr80.dll	0%	ReversingLabs

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428262
Start date and time:	2024-04-18 18:35:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VS80sp1-KB954961-X86-INTL.exe
Detection:	CLEAN
Classification:	clean7.winEXE@10/83@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target VS80sp1-KB954961-X86-INTL.exe, PID 380 because there are no executed function
Execution Graph export aborted for target msiexec.exe, PID 5660 because there are no executed function
VT rate limit hit for: VS80sp1-KB954961-X86-INTL.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI7195.tmp	https://download.brother.com/welcome/dlfp100270/cltw10100a.exe	Get hash	malicious	Unknown	Browse
	amd-demo-pingpong-v1.4.msi	Get hash	malicious	Unknown	Browse
	AMD-Demo-PingPong-v1.5 (2).msi	Get hash	malicious	Unknown	Browse
	zero.sfx.exe	Get hash	malicious	Unknown	Browse
	zero.sfx.exe	Get hash	malicious	Hidden Macro 4.0, Masscan	Browse
	cryptor.exe	Get hash	malicious	Unknown	Browse
	cryptor.exe	Get hash	malicious	Conti	Browse
	cryptor.exe	Get hash	malicious	Unknown	Browse
	cryptor.exe	Get hash	malicious	Conti	Browse
	cryptor.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	21945
Entropy (8bit):	5.668299507612215
Encrypted:	false
SSDEEP:	384:2zYd3Ul7iuLNR0pt4tdU2DDtPrIII673j7m7vMBXx:2z1wuLNR0pt4tTTHI673jCOh
MD5:	D89830ADB96C909F64448192B8660B19
SHA1:	D751BDFD432CF40CE2EBE137003E5DCC9A10B266
SHA-256:	F41534C79D3F9209C5A32EE12BDB711A2AD14C445220B9CE91EA10680B02C1D7
SHA-512:	9AEB10592A0FF219C4F7F87E312607E4FB3481316E9A2388ACFBA6D9529AFC2AC0A51D1F4483C5DAEF48479889B8EE1B8DB59B63C6A9D622CF97D9950E63FC7B
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@...X.@.....@.....@.....@.....@.....@......&.{95120000-00B9-0409-0000-0000000FF1CE}%.Microsoft Application Error Reporting..dw20shared.msi.@.....@\|....@.....@........&.{420F351B-33A5-4A58-A856-69B2EDEDC8F7}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft Application Error Reporting......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....MsiPublishAssemblies..Publishing assembly information.Application Context:[1], Assembly Name:[2]$..@....1.Software\Classes\Installer\Win32Assemblies\Global...@....(.&.t.Microsoft.VC80.CRT,version="8.0.50727.42",type="win32",processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b".{(MvWD*8A$!!!!!MKKSk>_j0,Y]s!Soe8MkbIdFwU.$..@....1.Software\Classes\Installer\Win32Assemblies\Globalx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....'.&...policy.8.0.Microsoft.VC80.CRT,version="8.0.50727.42",type="win32-

Process:	C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	232448
Entropy (8bit):	6.37664585650164
Encrypted:	false
SSDEEP:	1536:1ItTWEi4FaZNsavOecCGLqTUbYglzkkpyeeNpiUvU1A0pKJUw4+gT1Ws7Dp+Jfhe:14TWEHWNtvOeTUvIiFbwIh/B/Zt4B5
MD5:	89161DEE5EB99913537C3FA4113A73CF
SHA1:	BF44859CBEB35144711E3866295D97C600B87720
SHA-256:	DDF3C5946E2A1E24BE8F3286D8F7E6A91B088DEBFF5EAE62A960A0ACE72EEC6B
SHA-512:	06C3E191F656234D832C5BED7FF52E3CDC0630E6E80C298500A49ABC06EF50638308A383284A6FB989A51C4F1ACEC82E84FAA71D71E5035CC444F738D230870E
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................i...j...k...............................................................................................................................................................................................................................................................................................................................................................................................................................................d...............................Y...c............................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X.......Z...[...\...]...^..._...`...a...b...e...........f...g...h...................m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (369), with CRLF line terminators
Category:	dropped
Size (bytes):	838
Entropy (8bit):	3.722019951914111
Encrypted:	false
SSDEEP:	24:QkU3YKoSHLGPkWQULFjmBHg0RKOaVnTypQ:hKPoSrGPYxi0Yjy6
MD5:	BD75ACD45A1839154E1908C22B03107F
SHA1:	DCB5DB238635769B2D918C672E945F355B91F880
SHA-256:	8422FB5CCA8DC6C67793A75C17FBC1A09B0F50060A26FFB410ED9E7517529C2A
SHA-512:	B5FEA522064C14889736AB83E12FDF6FCD8B20AD4AC8AEF7E9F7766F0E7F0BD1E4CD00C153383547BE2736AEB38934FA99021C0ED7EF3F8EE01672B9A5F10F11
Malicious:	false
Preview:	..E.r.r.o.r. .1.9.3.5... .A.n. .e.r.r.o.r. .o.c.c.u.r.r.e.d. .d.u.r.i.n.g. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n. .o.f. .a.s.s.e.m.b.l.y. .'.M.i.c.r.o.s.o.f.t...V.C.8.0...C.R.T.,.v.e.r.s.i.o.n.=.".8...0...5.0.7.2.7...4.2.".,.t.y.p.e.=.".w.i.n.3.2.".,.p.r.o.c.e.s.s.o.r.A.r.c.h.i.t.e.c.t.u.r.e.=.".x.8.6.".,.p.u.b.l.i.c.K.e.y.T.o.k.e.n.=.".1.f.c.8.b.3.b.9.a.1.e.1.8.e.3.b.".'... .P.l.e.a.s.e. .r.e.f.e.r. .t.o. .H.e.l.p. .a.n.d. .S.u.p.p.o.r.t. .f.o.r. .m.o.r.e. .i.n.f.o.r.m.a.t.i.o.n... .H.R.E.S.U.L.T.:. .0.x.8.0.0.7.0.4.2.2... .a.s.s.e.m.b.l.y. .i.n.t.e.r.f.a.c.e.:. .I.A.s.s.e.m.b.l.y.C.a.c.h.e.I.t.e.m.,. .f.u.n.c.t.i.o.n.:. .C.o.m.m.i.t.,. .c.o.m.p.o.n.e.n.t.:. .{.9.8.C.B.2.4.A.D.-.5.2.F.B.-.D.B.5.F.-.A.0.1.F.-.C.8.B.3.B.9.A.1.E.1.8.E.}.....=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.8./.0.4./.2.0.2.4. . .1.8.:.3.6.:.2.7. .=.=.=.....

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.988289793655857
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VS80sp1-KB954961-X86-INTL.exe
File size:	12'779'920 bytes
MD5:	de6843e7937dfe0704b9eadfe589e691
SHA1:	c07566c6abc50cd9350d33209520bda798dda3e8
SHA256:	b4ad9fb4f0fc28c41b1a32ba309c8f8cf8b0c1eacb40107d7687288a040eb317
SHA512:	52faaeda1ffcca964c1f28f606f34b58749017d3a9a3c3c05a73b3818aa89b79c7d7e71b250f13d45f58f295ef50396f30ee2d5e40e4c1d554592a7debdbc760
SSDEEP:	393216:7Ey49hfvGKCp7X5v0d6Ffw39qcltJsM8n:54HWJpv0A1w3blLy
TLSH:	7AD6330267FB8234F1F35B355975026A8A7BBD419C78DA0E232D248D4FB7A90DA74723
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......MO...............! ......!".......~.........................3...........................Rich............................PE..L..

Entrypoint:	0x413364
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x48FE50BB [Tue Oct 21 21:59:23 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7f55a5807fc04f3bdb96697986509b73

Signature Valid:	true
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	15/12/2020 22:31:45 02/12/2021 22:31:45
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	658DCC2A890351DF97DC9F05146283C0
Thumbprint SHA-1:	ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B
Thumbprint SHA-256:	E39CC80A0DF6F2BED821D11B49717306138C1D19FD20190336BF1C4297638A79
Serial:	33000001DF6BF02E92A74AB4D00000000001DF

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x29f04	0xb4	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0xc02030	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xc2de00	0x2390	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1350	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b68	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x2cc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29e0a	0x2a000	503cca636ea10c777351bb67a07d7ee7	False	0.5704926990327381	data	6.631145569533157	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2b000	0x47f8	0x1800	531bb325eb45441d4a3d3cfd7f47401c	False	0.31982421875	Matlab v4 mat-file (little endian) type_info@@, sparse, rows 4206816, columns 4199280	3.356880315005309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x30000	0xc02030	0xc02200	f7b692f228766c6b82befa9a1a2bd670	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BINARY	0x3122c	0xbced99	Microsoft Cabinet archive data, many, 12381593 bytes, 5 files, at 0x2c +A "manifest.ini" +A "filehashfixup.exe", number 1, 631 datablocks, 0x1 compression	English	United States	0.9997081756591797
RT_ICON	0xbfffc8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors	English	United States	0.43548387096774194
RT_DIALOG	0xc002b0	0x8c	data	Arabic	Saudi Arabia	0.7642857142857142
RT_DIALOG	0xc0033c	0x84	data	Chinese	Taiwan	0.7348484848484849
RT_DIALOG	0xc003c0	0x84	data	Czech	Czech Republic	0.7272727272727273
RT_DIALOG	0xc00444	0x84	data	Danish	Denmark	0.7272727272727273
RT_DIALOG	0xc004c8	0x84	data	German	Germany	0.7272727272727273
RT_DIALOG	0xc0054c	0x84	data	Greek	Greece	0.7272727272727273
RT_DIALOG	0xc005d0	0x84	data	English	United States	0.7272727272727273
RT_DIALOG	0xc00654	0x84	data	Finnish	Finland	0.7272727272727273
RT_DIALOG	0xc006d8	0x84	data	French	France	0.7272727272727273
RT_DIALOG	0xc0075c	0x8c	data	Hebrew	Israel	0.7642857142857142
RT_DIALOG	0xc007e8	0x84	data	Hungarian	Hungary	0.7272727272727273
RT_DIALOG	0xc0086c	0x84	data	Italian	Italy	0.7272727272727273
RT_DIALOG	0xc008f0	0x7c	data	Japanese	Japan	0.7661290322580645
RT_DIALOG	0xc0096c	0x84	data	Korean	North Korea	0.7348484848484849
RT_DIALOG	0xc0096c	0x84	data	Korean	South Korea	0.7348484848484849
RT_DIALOG	0xc009f0	0x84	data	Dutch	Netherlands	0.7272727272727273
RT_DIALOG	0xc00a74	0x84	data	Norwegian	Norway	0.7272727272727273
RT_DIALOG	0xc00af8	0x84	data	Polish	Poland	0.7272727272727273
RT_DIALOG	0xc00b7c	0x84	data	Portuguese	Brazil	0.7272727272727273
RT_DIALOG	0xc00c00	0x84	data	Russian	Russia	0.7348484848484849
RT_DIALOG	0xc00c84	0x84	data	Swedish	Sweden	0.7272727272727273
RT_DIALOG	0xc00d08	0x8c	data	Turkish	Turkey	0.7071428571428572
RT_DIALOG	0xc00d94	0x84	data	Chinese	China	0.7348484848484849
RT_DIALOG	0xc00e18	0x84	data	Portuguese	Portugal	0.7272727272727273
RT_DIALOG	0xc00e9c	0x90	data			0.7291666666666666
RT_DIALOG	0xc00f2c	0x274	data	Arabic	Saudi Arabia	0.44745222929936307
RT_DIALOG	0xc011a0	0x16c	data	Chinese	Taiwan	0.6236263736263736
RT_DIALOG	0xc0130c	0x254	data	Czech	Czech Republic	0.4714765100671141
RT_DIALOG	0xc01560	0x298	data	Danish	Denmark	0.45331325301204817
RT_DIALOG	0xc017f8	0x2c0	data	German	Germany	0.4446022727272727
RT_DIALOG	0xc01ab8	0x310	data	Greek	Greece	0.45663265306122447
RT_DIALOG	0xc01dc8	0x25c	data	English	United States	0.4602649006622517
RT_DIALOG	0xc02024	0x2dc	data	Finnish	Finland	0.38114754098360654
RT_DIALOG	0xc02300	0x304	data	French	France	0.41321243523316065
RT_DIALOG	0xc02604	0x254	data	Hebrew	Israel	0.5
RT_DIALOG	0xc02858	0x2a8	data	Hungarian	Hungary	0.48823529411764705
RT_DIALOG	0xc02b00	0x2bc	data	Italian	Italy	0.4614285714285714
RT_DIALOG	0xc02dbc	0x1a8	data	Japanese	Japan	0.6061320754716981
RT_DIALOG	0xc02f64	0x1d0	data	Korean	North Korea	0.6099137931034483
RT_DIALOG	0xc02f64	0x1d0	data	Korean	South Korea	0.6099137931034483
RT_DIALOG	0xc03134	0x2cc	data	Dutch	Netherlands	0.41899441340782123
RT_DIALOG	0xc03400	0x298	data	Norwegian	Norway	0.4397590361445783
RT_DIALOG	0xc03698	0x338	data	Polish	Poland	0.404126213592233
RT_DIALOG	0xc039d0	0x2c0	data	Portuguese	Brazil	0.43607954545454547
RT_DIALOG	0xc03c90	0x28c	data	Russian	Russia	0.455521472392638
RT_DIALOG	0xc03f1c	0x274	data	Swedish	Sweden	0.45063694267515925
RT_DIALOG	0xc04190	0x2b8	data	Turkish	Turkey	0.4324712643678161
RT_DIALOG	0xc04448	0x164	data	Chinese	China	0.6292134831460674
RT_DIALOG	0xc045ac	0x2b0	data	Portuguese	Portugal	0.45058139534883723
RT_DIALOG	0xc0485c	0x29c	data			0.4416167664670659
RT_DIALOG	0xc04af8	0x2a0	data	Arabic	Saudi Arabia	0.49851190476190477
RT_DIALOG	0xc04d98	0x1d8	data	Chinese	Taiwan	0.6038135593220338
RT_DIALOG	0xc04f70	0x2c0	data	Czech	Czech Republic	0.5227272727272727
RT_DIALOG	0xc05230	0x2f8	data	Danish	Denmark	0.48947368421052634
RT_DIALOG	0xc05528	0x300	data	German	Germany	0.47265625
RT_DIALOG	0xc05828	0x338	data	Greek	Greece	0.4987864077669903
RT_DIALOG	0xc05b60	0x2e4	data	English	United States	0.4810810810810811
RT_DIALOG	0xc05e44	0x28c	data	Finnish	Finland	0.5015337423312883
RT_DIALOG	0xc060d0	0x308	data	French	France	0.48195876288659795
RT_DIALOG	0xc063d8	0x274	data	Hebrew	Israel	0.5143312101910829
RT_DIALOG	0xc0664c	0x2f4	data	Hungarian	Hungary	0.49867724867724866
RT_DIALOG	0xc06940	0x308	data	Italian	Italy	0.47680412371134023
RT_DIALOG	0xc06c48	0x224	data	Japanese	Japan	0.583941605839416
RT_DIALOG	0xc06e6c	0x244	data	Korean	North Korea	0.6241379310344828
RT_DIALOG	0xc06e6c	0x244	data	Korean	South Korea	0.6241379310344828
RT_DIALOG	0xc070b0	0x2f8	data	Dutch	Netherlands	0.48157894736842105
RT_DIALOG	0xc073a8	0x2b0	data	Norwegian	Norway	0.48546511627906974
RT_DIALOG	0xc07658	0x308	data	Polish	Poland	0.5051546391752577
RT_DIALOG	0xc07960	0x310	data	Portuguese	Brazil	0.47831632653061223
RT_DIALOG	0xc07c70	0x324	data	Russian	Russia	0.4975124378109453
RT_DIALOG	0xc07f94	0x2d0	data	Swedish	Sweden	0.5027777777777778
RT_DIALOG	0xc08264	0x30c	data	Turkish	Turkey	0.4935897435897436
RT_DIALOG	0xc08570	0x1e0	data	Chinese	China	0.6083333333333333
RT_DIALOG	0xc08750	0x310	data	Portuguese	Portugal	0.46938775510204084
RT_DIALOG	0xc08a60	0x320	data			0.4675
RT_DIALOG	0xc08d80	0x1ec	data	Arabic	Saudi Arabia	0.5894308943089431
RT_DIALOG	0xc08f6c	0x134	data	Chinese	Taiwan	0.7435064935064936
RT_DIALOG	0xc090a0	0x204	data	Czech	Czech Republic	0.5833333333333334
RT_DIALOG	0xc092a4	0x200	data	Danish	Denmark	0.525390625
RT_DIALOG	0xc094a4	0x278	data	German	Germany	0.5268987341772152
RT_DIALOG	0xc0971c	0x240	data	Greek	Greece	0.5885416666666666
RT_DIALOG	0xc0995c	0x1f8	data	English	United States	0.5496031746031746
RT_DIALOG	0xc09b54	0x1f4	data	Finnish	Finland	0.554
RT_DIALOG	0xc09d48	0x244	data	French	France	0.5275862068965518
RT_DIALOG	0xc09f8c	0x1b4	data	Hebrew	Israel	0.6146788990825688
RT_DIALOG	0xc0a140	0x1c8	data	Hungarian	Hungary	0.5921052631578947
RT_DIALOG	0xc0a308	0x210	data	Italian	Italy	0.5492424242424242
RT_DIALOG	0xc0a518	0x16c	data	Japanese	Japan	0.7554945054945055
RT_DIALOG	0xc0a684	0x164	data	Korean	North Korea	0.7865168539325843
RT_DIALOG	0xc0a684	0x164	data	Korean	South Korea	0.7865168539325843
RT_DIALOG	0xc0a7e8	0x21c	data	Dutch	Netherlands	0.5351851851851852
RT_DIALOG	0xc0aa04	0x1e0	data	Norwegian	Norway	0.5604166666666667
RT_DIALOG	0xc0abe4	0x1fc	data	Polish	Poland	0.5787401574803149
RT_DIALOG	0xc0ade0	0x20c	data	Portuguese	Brazil	0.5477099236641222
RT_DIALOG	0xc0afec	0x218	data	Russian	Russia	0.5652985074626866
RT_DIALOG	0xc0b204	0x1e8	data	Swedish	Sweden	0.555327868852459
RT_DIALOG	0xc0b3ec	0x218	data	Turkish	Turkey	0.5578358208955224
RT_DIALOG	0xc0b604	0x134	data	Chinese	China	0.762987012987013
RT_DIALOG	0xc0b738	0x224	data	Portuguese	Portugal	0.5346715328467153
RT_DIALOG	0xc0b95c	0x228	data			0.5362318840579711
RT_STRING	0xc0bb84	0x1430	Matlab v4 mat-file (little endian) *\006H\006A\0061\006 , numeric, rows 0, columns 0	Arabic	Saudi Arabia	0.30089009287925694
RT_STRING	0xc0cfb4	0xcb6	Matlab v4 mat-file (little endian) \206N\376s\011g\204v , numeric, rows 0, columns 0	Chinese	Taiwan	0.43853718500307315
RT_STRING	0xc0dc6c	0x176e	Matlab v4 mat-file (little endian) r, numeric, rows 0, columns 0	Czech	Czech Republic	0.2917639213071024
RT_STRING	0xc0f3dc	0x174c	Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0	Danish	Denmark	0.2701207243460765
RT_STRING	0xc10b28	0x18b2	Matlab v4 mat-file (little endian) u, numeric, rows 0, columns 0	German	Germany	0.2674786459981019
RT_STRING	0xc123dc	0x1b5e	Matlab v4 mat-file (little endian) \272\003\304\003\314\003\302\003 , numeric, rows 0, columns 0	Greek	Greece	0.28860976306023406
RT_STRING	0xc13f3c	0x1638	Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0	English	United States	0.2619549929676512
RT_STRING	0xc15574	0x1628	Matlab v4 mat-file (little endian) i, numeric, rows 0, columns 0	Finnish	Finland	0.2794428772919605
RT_STRING	0xc16b9c	0x1974	Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0	French	France	0.2572130141190915
RT_STRING	0xc18510	0x137c	Matlab v4 mat-file (little endian) \320\005\344\005\351\005\350\005\325\005\331\005\325\005\352\005 , numeric, rows 0, columns 0	Hebrew	Israel	0.3103448275862069
RT_STRING	0xc1988c	0x1928	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Hungarian	Hungary	0.2796583850931677
RT_STRING	0xc1b1b4	0x19ac	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	Italian	Italy	0.25380401704199634
RT_STRING	0xc1cb60	0xfec	Matlab v4 mat-file (little endian) X[n0 , numeric, rows 0, columns 0	Japanese	Japan	0.37389597644749756
RT_STRING	0xc1db4c	0xf84	Matlab v4 mat-file (little endian) \230\267 , numeric, rows 0, columns 0	Korean	North Korea	0.39224572004028196
RT_STRING	0xc1db4c	0xf84	Matlab v4 mat-file (little endian) \230\267 , numeric, rows 0, columns 0	Korean	South Korea	0.39224572004028196
RT_STRING	0xc1ead0	0x1944	Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0	Dutch	Netherlands	0.25865800865800864
RT_STRING	0xc20414	0x16b4	Matlab v4 mat-file (little endian) \370, numeric, rows 0, columns 0	Norwegian	Norway	0.2703028217481074
RT_STRING	0xc21ac8	0x19dc	Matlab v4 mat-file (little endian) p, numeric, rows 0, columns 0	Polish	Poland	0.277190332326284
RT_STRING	0xc234a4	0x180c	Matlab v4 mat-file (little endian) s, numeric, rows 0, columns 0	Portuguese	Brazil	0.27225471085120206
RT_STRING	0xc24cb0	0x18e2	Matlab v4 mat-file (little endian) ;\0045\0044\004C\004N\004I\0048\0045\004 , numeric, rows 0, columns 0	Russian	Russia	0.2902668759811617
RT_STRING	0xc26594	0x1648	Matlab v4 mat-file (little endian) \366, numeric, rows 0, columns 0	Swedish	Sweden	0.2699859747545582
RT_STRING	0xc27bdc	0x17ce	Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0	Turkish	Turkey	0.28897276009189365
RT_STRING	0xc293ac	0xc50	Matlab v4 mat-file (little endian) \260s\011g\204v , numeric, rows 0, columns 0	Chinese	China	0.440989847715736
RT_STRING	0xc29ffc	0x18ca	Matlab v4 mat-file (little endian) a, numeric, rows 0, columns 0	Portuguese	Portugal	0.2677277024897573
RT_STRING	0xc2b8c8	0x199c	Matlab v4 mat-file (little endian) e, numeric, rows 0, columns 0			0.2614399023794997
RT_STRING	0xc2d264	0x116	Targa image data - Color 1571 x 58 x 32 +1582 +1591 "*\006E\006 "	Arabic	Saudi Arabia	0.5755395683453237
RT_STRING	0xc2d37c	0xc0	data	Chinese	Taiwan	0.7916666666666666
RT_STRING	0xc2d43c	0x144	data	Czech	Czech Republic	0.5771604938271605
RT_STRING	0xc2d580	0x140	data	Danish	Denmark	0.55625
RT_STRING	0xc2d6c0	0x162	data	German	Germany	0.5282485875706214
RT_STRING	0xc2d824	0x19c	data	Greek	Greece	0.5631067961165048
RT_STRING	0xc2d9c0	0x13c	data	English	United States	0.5284810126582279
RT_STRING	0xc2dafc	0x148	data	Finnish	Finland	0.5274390243902439
RT_STRING	0xc2dc44	0x16c	data	French	France	0.510989010989011
RT_STRING	0xc2ddb0	0x10c	data	Hebrew	Israel	0.5895522388059702
RT_STRING	0xc2debc	0x16c	data	Hungarian	Hungary	0.5494505494505495
RT_STRING	0xc2e028	0x186	data	Italian	Italy	0.4564102564102564
RT_STRING	0xc2e1b0	0xe4	Targa image data - Color 12540 x 58 x 32 +12456 +12521 "\2420\2570\2730\2710)jP\226n0\322b&T\010"	Japanese	Japan	0.75
RT_STRING	0xc2e294	0x10a	data	Korean	North Korea	0.8007518796992481
RT_STRING	0xc2e294	0x10a	data	Korean	South Korea	0.8007518796992481
RT_STRING	0xc2e3a0	0x150	Targa image data - Color 117 x 116 x 32 +70 +111 ":"	Dutch	Netherlands	0.5238095238095238
RT_STRING	0xc2e4f0	0x11e	data	Norwegian	Norway	0.5524475524475524
RT_STRING	0xc2e610	0x13e	data	Polish	Poland	0.550314465408805
RT_STRING	0xc2e750	0x158	Targa image data - Color 114 x 111 x 32 +69 +114 ":"	Portuguese	Brazil	0.4941860465116279
RT_STRING	0xc2e8a8	0x16c	data	Russian	Russia	0.5604395604395604
RT_STRING	0xc2ea14	0x11e	Targa image data - Color 108 x 58 x 32 +70 +101 "\305"	Swedish	Sweden	0.583916083916084
RT_STRING	0xc2eb34	0x148	Targa image data - Color 116 x 97 x 32 +72 +97 ":"	Turkish	Turkey	0.551829268292683
RT_STRING	0xc2ec7c	0xb0	data	Chinese	China	0.7897727272727273
RT_STRING	0xc2ed2c	0x156	data	Portuguese	Portugal	0.5146198830409356
RT_STRING	0xc2ee84	0x160	data			0.4914772727272727
RT_STRING	0xc2efe4	0x152	data	Arabic	Saudi Arabia	0.5118343195266272
RT_STRING	0xc2f138	0x8e	data	Chinese	Taiwan	0.7676056338028169
RT_STRING	0xc2f1c8	0x156	data	Czech	Czech Republic	0.5146198830409356
RT_STRING	0xc2f320	0x1c8	data	Danish	Denmark	0.4342105263157895
RT_STRING	0xc2f4e8	0x1a0	data	German	Germany	0.45913461538461536
RT_STRING	0xc2f688	0x222	data	Greek	Greece	0.4652014652014652
RT_STRING	0xc2f8ac	0x17c	data	English	United States	0.48157894736842105
RT_STRING	0xc2fa28	0x192	data	Finnish	Finland	0.47512437810945274
RT_STRING	0xc2fbbc	0x1c0	data	French	France	0.44642857142857145
RT_STRING	0xc2fd7c	0x11c	data	Hebrew	Israel	0.5528169014084507
RT_STRING	0xc2fe98	0x158	data	Hungarian	Hungary	0.5319767441860465
RT_STRING	0xc2fff0	0x16a	data	Italian	Italy	0.47790055248618785
RT_STRING	0xc3015c	0xec	data	Japanese	Japan	0.6567796610169492
RT_STRING	0xc30248	0xb6	data	Korean	North Korea	0.8076923076923077
RT_STRING	0xc30248	0xb6	data	Korean	South Korea	0.8076923076923077
RT_STRING	0xc30300	0x19c	data	Dutch	Netherlands	0.4975728155339806
RT_STRING	0xc3049c	0x1b6	data	Norwegian	Norway	0.4292237442922374
RT_STRING	0xc30654	0x194	data	Polish	Poland	0.4975247524752475
RT_STRING	0xc307e8	0x166	data	Portuguese	Brazil	0.4720670391061452
RT_STRING	0xc30950	0x158	data	Russian	Russia	0.49127906976744184
RT_STRING	0xc30aa8	0x1ae	data	Swedish	Sweden	0.4604651162790698
RT_STRING	0xc30c58	0x176	data	Turkish	Turkey	0.5106951871657754
RT_STRING	0xc30dd0	0x88	data	Chinese	China	0.7867647058823529
RT_STRING	0xc30e58	0x18c	data	Portuguese	Portugal	0.4722222222222222
RT_STRING	0xc30fe4	0x192	data			0.4527363184079602
RT_GROUP_ICON	0xc31178	0x14	data	English	United States	1.2
RT_VERSION	0xc3118c	0xb18	data	English	United States	0.3503521126760563
RT_MANIFEST	0xc31ca4	0x38b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.47739801543550164

DLL	Import
KERNEL32.dll	InterlockedExchange, GetLastError, EnterCriticalSection, CreateMutexA, DeleteCriticalSection, ReleaseMutex, LocalFree, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoA, VirtualAlloc, GetProcAddress, GetModuleHandleA, GetSystemInfo, HeapReAlloc, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, Sleep, HeapSize, LoadLibraryA, GetCPInfo, GetACP, GetOEMCP, RtlUnwind, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, ReadFile, GetConsoleCP, GetThreadLocale, LocalFileTimeToFileTime, SetFileAttributesA, SetFileTime, DosDateTimeToFileTime, CreateThread, ResumeThread, SuspendThread, SetFilePointer, GetUserDefaultLangID, FindNextFileA, GetPrivateProfileStringA, FindClose, RemoveDirectoryA, FindFirstFileA, CreateDirectoryA, GetPrivateProfileIntA, DeleteFileA, GetTempPathA, CloseHandle, DuplicateHandle, GetCurrentDirectoryA, LockResource, CreateFileMappingA, GetTempFileNameA, RaiseException, SetEndOfFile, WriteConsoleW, GetConsoleOutputCP, FlushFileBuffers, GetSystemDirectoryA, CreateProcessA, WriteConsoleA, SetStdHandle, GetConsoleMode, MultiByteToWideChar, LeaveCriticalSection, WideCharToMultiByte, InitializeCriticalSection, FormatMessageA, FreeLibrary, CreateFileA, FindResourceA, MapViewOfFile, UnmapViewOfFile, LoadResource, WaitForSingleObject, SetEvent, FindResourceExA, SizeofResource, CreateEventA, GetFileAttributesA, GetExitCodeProcess
USER32.dll	ExitWindowsEx, CharNextA, LoadStringA, DispatchMessageA, ShowWindow, GetWindowLongA, SetWindowLongA, TranslateMessage, IsDialogMessageA, PostQuitMessage, CreateDialogParamA, GetMessageA, UnregisterClassA, DestroyWindow, PostMessageA, IsWindow, SetForegroundWindow, LoadIconA, SendMessageA, MessageBoxA, GetDlgItem, SetWindowTextA
msi.dll
ole32.dll	CoTaskMemFree, StgCreateDocfile, StgOpenStorage, CoInitialize, CoUninitialize
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA
VERSION.dll	GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
COMCTL32.dll	InitCommonControlsEx
ADVAPI32.dll	LookupPrivilegeValueA, OpenProcessToken, InitiateSystemShutdownA, RegCloseKey, RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegSetValueExA, AdjustTokenPrivileges

Target ID:	0
Start time:	18:36:18
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VS80sp1-KB954961-X86-INTL.exe"
Imagebase:	0x400000
File size:	12'779'920 bytes
MD5 hash:	DE6843E7937DFE0704B9EADFE589E691
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	18:36:22
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /p "C:\Users\user\AppData\Local\Temp\ZNW50FA\VS80sp1-KB954961-X86-INTL.msp" /l*v C:\Users\user\AppData\Local\Temp\VS80sp1-KB954961-X86-INTL\VS80sp1-KB954961-X86-INTL-msi.0.log
Imagebase:	0x810000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	18:36:26
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\msiexec.exe" REBOOT=ReallySuppress /q /i C:\Users\user\AppData\Local\Temp\ZNW50FA\dw20shared.msi APPGUID={AB1098F4-4E8B-4BC1-9979-6367DF53ED51} REINSTALL=all REINSTALLMODE=vomus
Imagebase:	0x810000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	18:36:27
Start date:	18/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 31C2B4F4F21467A963096029BA61CEDC E Global\MSI0000
Imagebase:	0x810000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VS80sp1-KB954961-X86-INTL.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5d6f32.rbs

C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DW20.EXE

C:\Program Files (x86)\Common Files\Microsoft Shared\DW\DWTRIG20.EXE

C:\Users\user\AppData\Local\Temp\5437.tmp

C:\Users\user\AppData\Local\Temp\5467.tmp

C:\Users\user\AppData\Local\Temp\5497.tmp

C:\Users\user\AppData\Local\Temp\54D6.tmp

C:\Users\user\AppData\Local\Temp\5525.tmp

C:\Users\user\AppData\Local\Temp\5565.tmp

C:\Users\user\AppData\Local\Temp\55A4.tmp

C:\Users\user\AppData\Local\Temp\5603.tmp

C:\Users\user\AppData\Local\Temp\56CF.tmp

C:\Users\user\AppData\Local\Temp\570F.tmp

C:\Users\user\AppData\Local\Temp\573E.tmp

C:\Users\user\AppData\Local\Temp\577E.tmp

C:\Users\user\AppData\Local\Temp\57BD.tmp

C:\Users\user\AppData\Local\Temp\57ED.tmp

C:\Users\user\AppData\Local\Temp\582D.tmp

C:\Users\user\AppData\Local\Temp\585D.tmp

C:\Users\user\AppData\Local\Temp\588D.tmp

C:\Users\user\AppData\Local\Temp\58BC.tmp

C:\Users\user\AppData\Local\Temp\590C.tmp

C:\Users\user\AppData\Local\Temp\594B.tmp

C:\Users\user\AppData\Local\Temp\598B.tmp

C:\Users\user\AppData\Local\Temp\59BA.tmp

Windows Analysis Report
VS80sp1-KB954961-X86-INTL.exe

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre