Edit tour

Windows Analysis Report
MTInstaller.exe

Overview

General Information

Sample name:	MTInstaller.exe
Analysis ID:	1431575
MD5:	3a38166fc254e5630a73e765a5880fbd
SHA1:	fde054010b649c93ee8599f61fb734ca2b2e2ad5
SHA256:	0a340e8b88720ee6a908dc768de6210dced54bde6d491e91d6fbc9f66e905c44
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Uses Windows timers to delay execution

Allocates memory with a write watch (potentially for evading sandboxes)

Potential time zone aware malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

MTInstaller.exe (PID: 3924 cmdline: "C:\Users\user\Desktop\MTInstaller.exe" MD5: 3A38166FC254E5630A73E765A5880FBD)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: MTInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MTInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: MTInstaller.exe
Source:	Binary string: E:\TeamCity-BuildAgent1\work\7ee93833781f805a\MT4\MT4Bootstrapper\obj\x86\Release\MTInstaller.pdb source: MTInstaller.exe
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: MTInstaller.exe
Source:	Binary string: E:\TeamCity-BuildAgent1\work\7ee93833781f805a\MT4\MT4Bootstrapper\obj\x86\Release\MTInstaller.pdbP source: MTInstaller.exe

Source: MTInstaller.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MTInstaller.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: MTInstaller.exe	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: MTInstaller.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: MTInstaller.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: MTInstaller.exe	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: MTInstaller.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MTInstaller.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MTInstaller.exe	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: MTInstaller.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MainWindow.xamld
Source: MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/MainWindow.xaml
Source: MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.baml
Source: MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.bamld
Source: MTInstaller.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: MTInstaller.exe	String found in binary or memory: http://ocsp.digicert.com0K
Source: MTInstaller.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: MTInstaller.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: MTInstaller.exe	String found in binary or memory: http://schemas.micr
Source: MTInstaller.exe	String found in binary or memory: http://wixtoolset.org
Source: MTInstaller.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: MTInstaller.exe, 00000000.00000002.3378721998.000000000272E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs MTInstaller.exe
Source: MTInstaller.exe, 00000000.00000000.2129581296.00000000020EC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewixca.dll\ vs MTInstaller.exe
Source: MTInstaller.exe, 00000000.00000000.2129581296.00000000020EC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameuica.dll\ vs MTInstaller.exe
Source: MTInstaller.exe	Binary or memory string: OriginalFilenamewixca.dll\ vs MTInstaller.exe
Source: MTInstaller.exe	Binary or memory string: OriginalFilenameuica.dll\ vs MTInstaller.exe

Source: MTInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus23.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\MTInstaller.exe

Mutant created: NULL

Source: MTInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: MTInstaller.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%

Source: C:\Users\user\Desktop\MTInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MTInstaller.exe	String found in binary or memory: ckFinish&Fertig stellenTopBannerUserExitDie [ProductName]-Installation wurde unterbrochen. Das System wurde nicht ver
Source: MTInstaller.exe	String found in binary or memory: Das .NET-Installationsprogramm finden Sie an folgendem Speicherort:

Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\MTInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\MTInstaller.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: MTInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: MTInstaller.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: MTInstaller.exe

Static file information: File size 24748032 > 1048576

Source: MTInstaller.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1797c00

Source: MTInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: MTInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\uica.pdb source: MTInstaller.exe
Source:	Binary string: E:\TeamCity-BuildAgent1\work\7ee93833781f805a\MT4\MT4Bootstrapper\obj\x86\Release\MTInstaller.pdb source: MTInstaller.exe
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: MTInstaller.exe
Source:	Binary string: E:\TeamCity-BuildAgent1\work\7ee93833781f805a\MT4\MT4Bootstrapper\obj\x86\Release\MTInstaller.pdbP source: MTInstaller.exe

Source: C:\Users\user\Desktop\MTInstaller.exe	Code function: 0_2_02CA4290 push es; ret	0_2_02CA42A0
Source: C:\Users\user\Desktop\MTInstaller.exe	Code function: 0_2_02CA51B0 push es; ret	0_2_02CA51C0
Source: C:\Users\user\Desktop\MTInstaller.exe	Code function: 0_2_02CA0E35 pushfd ; iretd	0_2_02CA0E39
Source: C:\Users\user\Desktop\MTInstaller.exe	Code function: 0_2_02CA2782 pushad ; iretd	0_2_02CA2791
Source: C:\Users\user\Desktop\MTInstaller.exe	Code function: 0_2_02CA2792 pushfd ; iretd	0_2_02CA27C1
Source: C:\Users\user\Desktop\MTInstaller.exe	Code function: 0_2_02CA7CF0 push eax; ret	0_2_02CA7CF1
Source: C:\Users\user\Desktop\MTInstaller.exe	Code function: 0_2_02CA2C4A push esp; retf	0_2_02CA2C59

Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses Windows timers to delay execution

Source: C:\Users\user\Desktop\MTInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	User Timer Set: Timeout: 1ms	Jump to behavior

Source: C:\Users\user\Desktop\MTInstaller.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Memory allocated: 4660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Memory allocated: 4560000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\MTInstaller.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\MTInstaller.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\MTInstaller.exe	Queries volume information: C:\Users\user\Desktop\MTInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\MTInstaller.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\MTInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	111 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	111 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MTInstaller.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://foo/MainWindow.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/MainWindow.xamld	0%	Avira URL Cloud	safe
http://foo/bar/mainwindow.bamld	0%	Avira URL Cloud	safe
http://foo/bar/mainwindow.baml	0%	Avira URL Cloud	safe
http://schemas.micr	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://foo/bar/mainwindow.baml	MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/bar/mainwindow.bamld	MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://defaultcontainer/MainWindow.xamld	MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://foo/MainWindow.xaml	MTInstaller.exe, 00000000.00000002.3381107185.0000000004661000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://wixtoolset.org	MTInstaller.exe	false		high
http://schemas.micr	MTInstaller.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431575
Start date and time:	2024-04-25 13:27:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MTInstaller.exe
Detection:	SUS
Classification:	sus23.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 16 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: MTInstaller.exe

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.964915190145068
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.91% Win32 Executable (generic) a (10002005/4) 49.86% InstallShield setup (43055/19) 0.21% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	MTInstaller.exe
File size:	24'748'032 bytes
MD5:	3a38166fc254e5630a73e765a5880fbd
SHA1:	fde054010b649c93ee8599f61fb734ca2b2e2ad5
SHA256:	0a340e8b88720ee6a908dc768de6210dced54bde6d491e91d6fbc9f66e905c44
SHA512:	f29ecdd95e791aa503774f004335324994efe3d1deaffea9e85ccfcdaa7b9a9cc40ffac226f95745a10f0f1f88bc5172c45b42fa2858c9dbe8efc426a057eff9
SSDEEP:	393216:DA2n/0/BO89VUlhCfhppWLZScgwT/I27NTTzJg1YMe5S4COYJHslKLJZ37IS07://05OCVUDmhpML6wTDg2nCOYgKVK
TLSH:	E04722A97800439AD36253B49B22F1896D3BFC1414F58494B2EFF2BF247F994D2774A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..e..............0..\|y.."......z.y.. ....y...@.. ........................y...........@................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x1b99b7a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65B40B2C [Fri Jan 26 19:42:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1799b28	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x179a000	0x1e18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x179c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x17999f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1797b80	0x1797c00	de2dc9af23c0c7e07a8dd0c09b2dd2f8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x179a000	0x1e18	0x2000	2f8f94b680c2e842f551643265f7f7f8	False	0.333984375	data	4.707468534288696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x179c000	0xc	0x200	acdb30225f57218798794106f7b72d14	False	0.044921875	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x179a160	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	0.5675675675675675
RT_ICON	0x179a298	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	0.4486994219653179
RT_ICON	0x179a810	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.4637096774193548
RT_ICON	0x179ab08	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	0.3935018050541516
RT_GROUP_ICON	0x179b3c0	0x3e	data	0.8387096774193549
RT_VERSION	0x179b410	0x2f4	data	0.42724867724867727
RT_MANIFEST	0x179b714	0x6ff	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.4103852596314908

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	13:28:15
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\MTInstaller.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MTInstaller.exe"
Imagebase:	0xb90000
File size:	24'748'032 bytes
MD5 hash:	3A38166FC254E5630A73E765A5880FBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 02CA906C Relevance: 1.6, APIs: 1, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(00000000,00000080,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02CA9788

Memory Dump Source

Source File: 00000000.00000002.3380821278.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ca0000_MTInstaller.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ebc7f585eccc43d7612ba94c8094dd4f3eac678e1c30b4bbca5b38a1f2a4b53e
Instruction ID: 99f75a0e465b98e433524cbf26f07c74643db22e54081811d5f945dcd4f54e3f
Opcode Fuzzy Hash: ebc7f585eccc43d7612ba94c8094dd4f3eac678e1c30b4bbca5b38a1f2a4b53e
Instruction Fuzzy Hash: A21143B58003499FCB60CF9AC485BDEBBF8FF88324F208419E518A7210C3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02CA9718 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(00000000,00000080,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 02CA9788

Memory Dump Source

Source File: 00000000.00000002.3380821278.0000000002CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ca0000_MTInstaller.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e1c14c93adc1e7e9aae65c0afd14a72af7045c328f6b83c0757d34fb189e7c3a
Instruction ID: b9df8b4c3325b09ee938749ca314781bec6fbf1f88b8e6036c0766cdac042107
Opcode Fuzzy Hash: e1c14c93adc1e7e9aae65c0afd14a72af7045c328f6b83c0757d34fb189e7c3a
Instruction Fuzzy Hash: D01102B58002499FCB20DF9AC985BDEBBF4FF88324F208419E558A7250C375A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 029FE1A8 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505b7464ff958dc758dd7943e19e0bb139151166fe2a820fc66940b0293026e2
Instruction ID: 3810e605572d59fdb165e9b1a6e83a731bd74166e1f3cca83a10c0429add8356
Opcode Fuzzy Hash: 505b7464ff958dc758dd7943e19e0bb139151166fe2a820fc66940b0293026e2
Instruction Fuzzy Hash: 4D31F472100200EFDF859F44C9C0F567F66FB88310F248599EF490A22AC337C461DB91

Uniqueness

Uniqueness Score: -1.00%

Function 029FE09C Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30c561611e093e7a04d8be7d87814c63342301bd871db6b0c489c02e45ea8b5
Instruction ID: f7e2a8162a944d556f95978f248f90ca6a0e307b81900e1d21713da66d1bbd14
Opcode Fuzzy Hash: d30c561611e093e7a04d8be7d87814c63342301bd871db6b0c489c02e45ea8b5
Instruction Fuzzy Hash: 9C31E372204200EFDF899F50C9C0F26BF66FB88314F248598EE494E266C337D465CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029FEB70 Relevance: .1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f978e15480596166c9cbc2ad319011bbae7f628abaf02bee9cefe236f70a0e
Instruction ID: 9ea814b3f18d6b43aa6cb030630c1c068ce901bad65eaf5570eb060db32ceb72
Opcode Fuzzy Hash: 50f978e15480596166c9cbc2ad319011bbae7f628abaf02bee9cefe236f70a0e
Instruction Fuzzy Hash: DE31E472104244EFDF869F54D9C0F26BF66FB88324F248598FE490A266C336D466CB61

Uniqueness

Uniqueness Score: -1.00%

Function 029ED06C Relevance: .1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3380112464.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29ed000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 478216f3ac9a77e86263ef1eb726d1a53c8d23ef8fd43373020f2a821dfd5904
Instruction ID: 3ef8ab091a1875824cfda8a06556618fedb188c057bd00f79b7930e73aee1de3
Opcode Fuzzy Hash: 478216f3ac9a77e86263ef1eb726d1a53c8d23ef8fd43373020f2a821dfd5904
Instruction Fuzzy Hash: 60210676504244EFDF1ADF10D9C0B26BFA9FB8C314F248569E90A0B256C33AD416CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 029FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3176bf576800b69026fdc0f923396c919dcf5eff6a1adba0647f828927ce07f0
Instruction ID: c94d7f6908ef567eaee16734aebc9b5fe4fe9ef285c67724468defbe35550e6f
Opcode Fuzzy Hash: 3176bf576800b69026fdc0f923396c919dcf5eff6a1adba0647f828927ce07f0
Instruction Fuzzy Hash: 78212275604200EFDB94DF14D9C0B26BB65FB84314F28C96DEA0A4B692C77AD407CB71

Uniqueness

Uniqueness Score: -1.00%

Function 029FE1A7 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e84ce971fca43dca508a33c6959b806fedd4a8aab47db88c79755557b2c94d4
Instruction ID: dc642498576fb11602f0a9a7118951f9f00fcfd4d3f0e25c0f08622434b07daf
Opcode Fuzzy Hash: 6e84ce971fca43dca508a33c6959b806fedd4a8aab47db88c79755557b2c94d4
Instruction Fuzzy Hash: 37215E76500240EFCF969F84D9C0B55BF76FB88314F248299EE480A22AD337D466DF91

Uniqueness

Uniqueness Score: -1.00%

Function 029FEB6B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2087b8d63eadebed767397e5388f447d8a1407dda94bbe0d24585625ae7399b3
Instruction ID: c27b50dac49fc7e5e7094113ae112c35a18aeba8978f43e0fa76e24a6d12da3d
Opcode Fuzzy Hash: 2087b8d63eadebed767397e5388f447d8a1407dda94bbe0d24585625ae7399b3
Instruction Fuzzy Hash: 5E218076404284DFCF46CF50D9C0B56BF72FB88314F248299EE490A26AC336D466DF51

Uniqueness

Uniqueness Score: -1.00%

Function 029FE09B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545bc4a1e8e8af4fffe1e27e2b054ac3ba41b6c78fa149a98268901144a748e4
Instruction ID: ec5798dc36d0229edc469768b25b1a58b002933ff3ce8c8b4c650c6281a079c3
Opcode Fuzzy Hash: 545bc4a1e8e8af4fffe1e27e2b054ac3ba41b6c78fa149a98268901144a748e4
Instruction Fuzzy Hash: E7213A76500244EFCF86CF50D9C0B56BF72FB48314F2486A9EE494A26AC336D466DB51

Uniqueness

Uniqueness Score: -1.00%

Function 029FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380231717.00000000029FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 029FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29fd000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b722fc69e9dbe203eecce26feec1e0e4a6e7849708387a9a23793f134d2619d9
Instruction ID: d574840bcf88b40edceb6476c9ebdf4a634d3cc13236b431cb7020330684e9ee
Opcode Fuzzy Hash: b722fc69e9dbe203eecce26feec1e0e4a6e7849708387a9a23793f134d2619d9
Instruction Fuzzy Hash: 6921A1755093C08FCB42CF24D990715BF71EB46214F28C5EAD9498F6A7C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 029ED067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380112464.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29ed000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83fb694dd1e91a6ea135483331fab76a04ef60c4faa8ae053019808facf22284
Instruction ID: 86e92178ebfc5c11ecf3a41ed5ae63f38075d553923f1ce513de0599ec2b966f
Opcode Fuzzy Hash: 83fb694dd1e91a6ea135483331fab76a04ef60c4faa8ae053019808facf22284
Instruction Fuzzy Hash: 68219D76504284DFCF0ACF10D9C4B1ABF76FB88318F2486A9D9490B256C33AD426CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 029EDA51 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380112464.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29ed000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0476fe6fb950b7296139180b0ef76111882698277cef2ccfa6f5d723e25d04e1
Instruction ID: dc1af2548214aaf0348705930dd7d4a1bfcaab54c38d111634c4cc122efc0c83
Opcode Fuzzy Hash: 0476fe6fb950b7296139180b0ef76111882698277cef2ccfa6f5d723e25d04e1
Instruction Fuzzy Hash: D501A7715093449AFB119B15C984766BF9CEF41334F18C95AED0A4A292C7789940C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 029ED847 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380112464.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29ed000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97f22a036eae045540926fcf38a1a9122cd1c90bc66f29ef2647a8d7e152f709
Instruction ID: 42f4de0c35ef11b9c4bd277358895b22a587dffece92d32249bafe4be77464c6
Opcode Fuzzy Hash: 97f22a036eae045540926fcf38a1a9122cd1c90bc66f29ef2647a8d7e152f709
Instruction Fuzzy Hash: 1D011A72100A00AFDB619F46C980C23FBFAFF88720355895DE94A4BA21C772F851DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 029ED838 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380112464.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29ed000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab183ddd506022e7c79036c3a95c9e639fa8c72c8f8c2f0c4e8c5d0e09acc5c
Instruction ID: 0dfe648c22d3a0785ccdcb9c8839d47e882558869d43783d6b1a5fe7230af1eb
Opcode Fuzzy Hash: 5ab183ddd506022e7c79036c3a95c9e639fa8c72c8f8c2f0c4e8c5d0e09acc5c
Instruction Fuzzy Hash: A8010C75104A40AFD7228F55C940C63BFBAFF89620719898DE9864BA22C672F812DF60

Uniqueness

Uniqueness Score: -1.00%

Function 029EDA50 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3380112464.00000000029ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29ed000_MTInstaller.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754671f5a93710794e760d70e04522ceaf0447788ff5582fca45092e20592a29
Instruction ID: 17e56e104f64ad3dfeb444d721b7766e93a8671585110eecb3db5233c47f5840
Opcode Fuzzy Hash: 754671f5a93710794e760d70e04522ceaf0447788ff5582fca45092e20592a29
Instruction Fuzzy Hash: 6EF0C2714093449EEB118B05C984B62FFDCEB80634F18C55AED094F282C378A840CAB1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MTInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: MTInstaller.exePID: 3924, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: MTInstaller.exePID: 3924, Parent PID: 4004COMMON

Execution Graph

Graph

Executed Functions

Function 02CA906C Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Control-flow Graph

Windows Analysis Report
MTInstaller.exe

Function 02CA906C Relevance: 1.6, APIs: 1, Instructions: 50
windowCOMMON

Function 02CA9718 Relevance: 1.5, APIs: 1, Instructions: 49
windowCOMMON

Function 029FE1A8 Relevance: .1, Instructions: 87
COMMON

Function 029FE09C Relevance: .1, Instructions: 83
COMMON

Function 029FEB70 Relevance: .1, Instructions: 83
COMMON

Function 029ED06C Relevance: .1, Instructions: 77
COMMON