Windows Analysis Report
tier2tickets-1.1.2.30.msi
Overview
General Information
Detection
Score: 6 (range 0 - 100)
Whitelisted: false
Confidence: 20%
Signatures
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
- System is w10x64_ra
- msiexec.exe (PID: 6276 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\tier2tickets-1.1.2.30.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 6324 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 2200 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB MD5: 9D09DC1EDA745A5F87553048E57620CF)
- expand.exe (PID: 5504 cmdline: "C:\Windows\System32\expand.exe" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
- conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 3020 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- buttonInst.exe (PID: 6948 cmdline: "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234 MD5: D599A693E02EFB8AC51F3D338F49CD00)
- buttonInst.tmp (PID: 6288 cmdline: "C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234 MD5: 11EAA1FC1DF81C0847576F864B0E152D)
- cleanup
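The process list above is easier to act on once it is parsed rather than read. The following script is an added example and is not part of the Joe Sandbox report or of the tier2tickets installer: it takes the report's process entries (transcribed here as constructed input), parses the `image (PID: n cmdline: ... MD5: ...)` format, and tags the installer stages an analyst would follow up on: the out-of-process Windows Installer custom-action servers (`MsiExec.exe -Embedding`, here the WOW64 copy, so 32-bit custom actions), the cabinet expansion by `expand.exe`, and the Inno Setup second stage run from the user's `%TEMP%` with `/SL5=`. It also groups PIDs by MD5, which shows that the two `msiexec.exe` entries under `syswow64` are one binary distinct from the `System32` one. The tag names, and reading the fourth comma-separated field of the `/SL5` value as the originally launched installer (the layout visible in this report), are this example's own assumptions.

```python
import re
from collections import defaultdict

# Process entries transcribed from the report's process list. Constructed
# input for this example; the report is the source of the values.
PROCESS_LINES = [
    r'msiexec.exe (PID: 6276 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\tier2tickets-1.1.2.30.msi" MD5: E5DA170027542E25EDE42FC54C929077)',
    r'msiexec.exe (PID: 6324 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)',
    r'msiexec.exe (PID: 2200 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D5AA1D4C0851ABEA04E1CC15902CBDFB MD5: 9D09DC1EDA745A5F87553048E57620CF)',
    r'expand.exe (PID: 5504 cmdline: "C:\Windows\System32\expand.exe" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)',
    r'conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)',
    r'msiexec.exe (PID: 3020 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 55D4CA002D50B566F8BA4629CEE5F1B2 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)',
    r'buttonInst.exe (PID: 6948 cmdline: "C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234 MD5: D599A693E02EFB8AC51F3D338F49CD00)',
    r'buttonInst.tmp (PID: 6288 cmdline: "C:\Users\user\AppData\Local\Temp\is-G8DB8.tmp\buttonInst.tmp" /SL5="$50374,56324545,951808,C:\Users\user\AppData\Local\Temp\MW-42c5c097-66b2-4a17-9dd2-0346b4e139e5\files\buttonInst.exe" /NORESTART /RESTARTEXITCODE=1234 MD5: 11EAA1FC1DF81C0847576F864B0E152D)',
]

# One report entry: image (PID: n cmdline: <args> MD5: <hash>)
ENTRY_RE = re.compile(
    r'^(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmdline>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$'
)
SL5_RE = re.compile(r'/SL5="([^"]*)"')


def parse_entries(lines):
    """Parse report process lines into dicts; raise on anything unrecognised."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised process entry: {line!r}")
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["md5"] = d["md5"].upper()
        entries.append(d)
    return entries


def image_path(cmdline):
    """First token of a command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(None, 1)[0]


def classify(entry):
    """Return (tags, inno_origin) for one entry. Tag names are this example's own."""
    tags, origin = set(), None
    image, cmd = entry["image"].lower(), entry["cmdline"]
    cmd_l, path_l = cmd.lower(), image_path(cmd).lower()
    if image == "msiexec.exe" and "-embedding" in cmd_l:
        # Custom action server spawned by the Windows Installer service;
        # a syswow64 path means the custom action is 32-bit.
        tags.add("msi_custom_action_server")
        if "\\syswow64\\" in path_l:
            tags.add("wow64")
    if image == "expand.exe" and ".cab" in cmd_l:
        tags.add("cab_extraction")
    if "\\appdata\\local\\temp\\" in path_l:
        tags.add("runs_from_user_temp")
    m = SL5_RE.search(cmd)
    if m:
        # Inno Setup relaunches its unpacked copy with /SL5="$hwnd,offset,size,path".
        # Assumption: the fourth field is the installer that was originally run.
        tags.add("inno_setup_second_stage")
        origin = m.group(1).split(",", 3)[3]
    return tags, origin


def triage(lines):
    """Parse and tag every process entry."""
    records = []
    for e in parse_entries(lines):
        tags, origin = classify(e)
        records.append({**e, "tags": tags, "inno_origin": origin})
    return records


def binaries_by_md5(records):
    """MD5 -> PIDs that ran it; separates the x64 and WOW64 msiexec binaries."""
    groups = defaultdict(list)
    for r in records:
        groups[r["md5"]].append(r["pid"])
    return dict(groups)


def link_inno_stages(records):
    """Second-stage PID -> PID of the installer its /SL5 origin path names."""
    by_path = {image_path(r["cmdline"]).lower(): r["pid"] for r in records}
    return {r["pid"]: by_path.get(r["inno_origin"].lower())
            for r in records if r["inno_origin"]}


if __name__ == "__main__":
    recs = triage(PROCESS_LINES)
    for r in recs:
        print(f'{r["pid"]:>5} {r["image"]:<16} {sorted(r["tags"])}')
    print("same binary:", binaries_by_md5(recs))
    print("inno stages:", link_inno_stages(recs))
```

Feeding a different report's process list into `triage` only requires the lines in the same `image (PID: ... MD5: ...)` shape; unrecognised lines raise rather than being silently skipped, so a changed report layout is noticed instead of producing an empty result.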
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
There are no malicious signatures.