Windows Analysis Report
IndexUNE.msi

Overview

General Information

Sample name: IndexUNE.msi
Analysis ID: 1428606
MD5: 9565d67fff53497e167098fe77cfacae
SHA1: b09ea054d55881a6a5aa2f9f1452f2bcbf13d74d
SHA256: b215823c6a7b75d52fb07f04227be5d9ffb467d5bc45ec58076131c6c8ed5217
Infos:

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Sample file is different than original file name gathered from version info
Source: IndexUNE.msi Binary or memory string: OriginalFilenameDPCA.DLLT vs IndexUNE.msi
Source: classification engine Classification label: clean3.winMSI@4/3@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBD37.tmp Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\IndexUNE.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr
Source: Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBD37.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI9233.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBD37.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9233.tmp Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\msiexec.exe TID: 1784 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 1504 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3088 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1428606 Sample: IndexUNE.msi Startdate: 19/04/2024 Architecture: WINDOWS Score: 3 5 msiexec.exe 7 2->5         started        8 msiexec.exe 2->8         started        file3 12 C:\Users\user\AppData\Local\...\MSIBD37.tmp, PE32 5->12 dropped 14 C:\Users\user\AppData\Local\...\MSI9233.tmp, PE32 5->14 dropped 10 msiexec.exe 1 8->10         started        process4
No contacted IP infos