Edit tour

Windows Analysis Report
IndexUNE.msi

Overview

General Information

Sample name:	IndexUNE.msi
Analysis ID:	1428606
MD5:	9565d67fff53497e167098fe77cfacae
SHA1:	b09ea054d55881a6a5aa2f9f1452f2bcbf13d74d
SHA256:	b215823c6a7b75d52fb07f04227be5d9ffb467d5bc45ec58076131c6c8ed5217
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w7x64

msiexec.exe (PID: 2188 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\IndexUNE.msi" MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 2060 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 1468 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source:	Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr
Source:	Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: IndexUNE.msi

Binary or memory string: OriginalFilenameDPCA.DLLT vs IndexUNE.msi

Source: classification engine

Classification label: clean3.winMSI@4/3@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIBD37.tmp

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\IndexUNE.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior

Source:	Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr
Source:	Binary string: F:\gs1\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: IndexUNE.msi, MSIBD37.tmp.0.dr, MSI9233.tmp.0.dr

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBD37.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9233.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBD37.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9233.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe TID: 1784	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 1504	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3088	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IndexUNE.msi	0%	ReversingLabs
IndexUNE.msi	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSI9233.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI9233.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIBD37.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBD37.tmp	0%	Virustotal	Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428606
Start date and time:	2024-04-19 10:00:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IndexUNE.msi
Detection:	CLEAN
Classification:	clean3.winMSI@4/3@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe

Simulations

Behavior and APIs

Time	Type	Description
10:01:41	API Interceptor	1063x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSI9233.tmp	dxWPtvpUF4.exe	Get hash	malicious	Unknown	Browse
	http://instrumind.blob.core.windows.net/thinkcomposer/setup_imtc.exe	Get hash	malicious	Unknown	Browse
	CardServiceSetup.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIBD37.tmp	dxWPtvpUF4.exe	Get hash	malicious	Unknown	Browse
	http://instrumind.blob.core.windows.net/thinkcomposer/setup_imtc.exe	Get hash	malicious	Unknown	Browse
	CardServiceSetup.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\CFGBE40.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	123
Entropy (8bit):	4.869476015399742
Encrypted:	false
SSDEEP:	3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHNQAoe+RAW4QIMOov:TMV0kI002V7VQ7VNQAoeuAW4QIm
MD5:	17AF548F88A3199AA8A63A72201F470F
SHA1:	4E64BB20A2F54D778ED684AA21ABEBAD63A5C2C0
SHA-256:	A558DBE555749CD3BDD62060FDBBA72720C4F4A186D5870B977ED2ACF9721D9E
SHA-512:	08BDBC75F5FD4D9EC85C53253E4030CE7245B20ECC95E032835609C7C43A07D6C9E7776F48C5494A788A543240C0649A9F1A34A0E514EBC4DDA5730953647338
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v2.0.50727"/>...</startup>..</configuration>..

C:\Users\user\AppData\Local\Temp\MSI9233.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.503878741867183
Encrypted:	false
SSDEEP:	6144:juAO5lvgiHqfcTmGZ8009t0svTPxmx4yAyA5bDB+urH+npAMysZ3:aDlvgiHAcTmS80g9vTMx4yAyA5b0urHu
MD5:	9945F10135A4C7214FA5605C21E5DE9B
SHA1:	3826FB627C67EFD574A30448EA7F1E560B949C87
SHA-256:	9F3B0F3AF4BFA061736935BAB1D50ED2581358DDC9A9C0DB22564ACED1A1807C
SHA-512:	F385E078CEEB54FE86F66F2DB056BABA9556817BBF9A110BCD9E170462351AF0DD4462429412410C7C3B2B76EA808D7BCE4EA1F756A18819AA1762EDB3745CC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: dxWPtvpUF4.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: CardServiceSetup.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|U..84..84..84...Z..;4......;4...U..<4....0.54....2..4....3.%4...Y..j4...Y..)4...Y..-4......#4..84..f5...Z..$4...Z..94...Z>.94...Z..94..Rich84..........PE..L....*n`.........."!.....N...v...............`............................................@..........................Z..:...............`.......................l....(..T...........................X(..@............................................text....L.......N.................. ..`.data...<....`.......R..............@....idata...............b..............@..@.rsrc...`............r..............@..@.reloc..l........0...x..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBD37.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.503878741867183
Encrypted:	false
SSDEEP:	6144:juAO5lvgiHqfcTmGZ8009t0svTPxmx4yAyA5bDB+urH+npAMysZ3:aDlvgiHAcTmS80g9vTMx4yAyA5b0urHu
MD5:	9945F10135A4C7214FA5605C21E5DE9B
SHA1:	3826FB627C67EFD574A30448EA7F1E560B949C87
SHA-256:	9F3B0F3AF4BFA061736935BAB1D50ED2581358DDC9A9C0DB22564ACED1A1807C
SHA-512:	F385E078CEEB54FE86F66F2DB056BABA9556817BBF9A110BCD9E170462351AF0DD4462429412410C7C3B2B76EA808D7BCE4EA1F756A18819AA1762EDB3745CC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: dxWPtvpUF4.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: CardServiceSetup.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|U..84..84..84...Z..;4......;4...U..<4....0.54....2..4....3.%4...Y..j4...Y..)4...Y..-4......#4..84..f5...Z..$4...Z..94...Z>.94...Z..94..Rich84..........PE..L....*n`.........."!.....N...v...............`............................................@..........................Z..:...............`.......................l....(..T...........................X(..@............................................text....L.......N.................. ..`.data...<....`.......R..............@....idata...............b..............@..@.rsrc...`............r..............@..@.reloc..l........0...x..............@..B................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;3082, Number of Pages: 200, Revision Number: {7D975D03-538A-48F2-AACF-AE7D6EDCECE4}, Title: IndexUNE, Author: UNE, Number of Words: 2, Last Saved Time/Date: Mon Jul 5 07:45:52 2021, Last Printed: Mon Jul 5 07:45:52 2021
Entropy (8bit):	5.86204127989461
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	IndexUNE.msi
File size:	543'744 bytes
MD5:	9565d67fff53497e167098fe77cfacae
SHA1:	b09ea054d55881a6a5aa2f9f1452f2bcbf13d74d
SHA256:	b215823c6a7b75d52fb07f04227be5d9ffb467d5bc45ec58076131c6c8ed5217
SHA512:	46a0c476a9a42ee6c503bc8b26b2cb35d577bb69fbbec7b43ee09543a3e66911fa415c4bdde553ae619128507775ea8422a494a3cf4d4f7e05e6272ebd0459d3
SSDEEP:	12288:0N5DlvgiHAcTmS80g9vTMx4yAyA5b0urHeGMfd7ADdAMAFE7:0NDYiPkLMcMfd7ADdAMAF6
TLSH:	FDC48D1176C75232D2BA0630397B6BA16A7EBC305DF08A1F9394B66D1E317C06325FA7
File Content Preview:	........................>...................................8...................f...g...h...i...j..............................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	10:01:41
Start date:	19/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\IndexUNE.msi"
Imagebase:	0xffe30000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:01:41
Start date:	19/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0xffe30000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	10:01:42
Start date:	19/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding A0F386CF98DB4E24AA5349D70FAD0015 C
Imagebase:	0x870000
File size:	73'216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IndexUNE.msi

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\CFGBE40.tmp

C:\Users\user\AppData\Local\Temp\MSI9233.tmp

C:\Users\user\AppData\Local\Temp\MSIBD37.tmp

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: msiexec.exePID: 2188, Parent PID: 1244

General

Chronological Activities

Analysis Process: msiexec.exePID: 2060, Parent PID: 404

General

Chronological Activities

Analysis Process: msiexec.exePID: 1468, Parent PID: 2060

General

Chronological Activities

Disassembly

Windows Analysis Report
IndexUNE.msi