Windows Analysis Report
ad.msi

Overview

General Information

Sample name: ad.msi
Analysis ID: 1431884
MD5: 666151c11b7899a0c764abe711d3f9b3
SHA1: 35462114e096f4d307607d713136bfe38479870d
SHA256: 8041a15e27c785f2adcce9e8c643f5cc619b52e50cd36ff043d13c4089ce1cad
Tags: msi

Detection

Latrodectus
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
PE file contains section with special chars
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4-encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 6.2.rundll32.exe.26387cf0000.2.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 6_2_000000018003BC0C
Source: unknown HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIB6D3.tmp, 00000005.00000002.2114621087.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, MSIB6D3.tmp, 00000005.00000000.2105755236.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, ad.msi, 62b2e8.msi.2.dr, MSIB616.tmp.2.dr, MSIB6D3.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB539.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB539.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIB6D3.tmp, 00000005.00000002.2114621087.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, MSIB6D3.tmp, 00000005.00000000.2105755236.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, ad.msi, 62b2e8.msi.2.dr, MSIB616.tmp.2.dr, MSIB6D3.tmp.2.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr
Source: C:\Windows\System32\msiexec.exe File opened: a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z: (every drive letter except d:)
Registry lookups below are the COM class resolution for CLSID {0F87369F-A4E5-4CFC-BD3E-73E6154572DD}, the Task Scheduler service class, which matches the "Creates COM task schedule object" signature above; repeated identical lookups have been collapsed.
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B6AF79 FindFirstFileExW, 5_2_00B6AF79
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CFA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 6_2_0000026387CFA350
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 6_2_0000026387CF1A08
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_000002095B82A350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B821A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_000002095B821A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6DA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_000002268D6DA350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_000002268D6D1A08

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443
Source: Malware configuration extractor URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor URLs: https://wrankaget.site/live/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
POST /live/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: jarinamaers.shop
Content-Length: 252
Cache-Control: no-cache
Source: global traffic HTTP traffic detected (identical request observed three times):
POST /live/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: jarinamaers.shop
Content-Length: 184
Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF8D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 6_2_0000026387CF8D90
Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop
Source: unknown HTTP traffic detected:
POST /live/ HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Host: jarinamaers.shop
Content-Length: 252
Cache-Control: no-cache
Source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr String found in binary or memory: ftp://ftp%2desktop.ini
Source: rundll32.exe String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr String found in binary or memory: http://dr.f.360.cn/scanlist
Source: rundll32.exe String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/.b
Source: rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/d
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/fb
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/06
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/5
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/I
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/IP
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/RYPT32.dll.mui3N
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/ace
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/r
Source: rundll32.exe, 00000007.00000003.3230577585.0000020959F34000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/zTEum
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/rRb&u
Source: rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/x
Source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB616.tmp.2.dr, MSIB539.tmp.2.dr, MSIB6D3.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Source: 360total.dll.2.dr Static PE information: section name: yhDm^
Source: Update_71a2ec86.dll.6.dr Static PE information: section name: yhDm^
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B33C20 GetProcAddress,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,GetLastError,FreeLibrary, 5_2_00B33C20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF7B40 NtFreeVirtualMemory, 6_2_0000026387CF7B40
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF7A54 NtWriteFile, 6_2_0000026387CF7A54
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF79C8 NtClose, 6_2_0000026387CF79C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF78C0 NtReadFile, 6_2_0000026387CF78C0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF378C NtClose, 6_2_0000026387CF378C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF77B0 RtlInitUnicodeString,NtCreateFile, 6_2_0000026387CF77B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CFAD34 NtAllocateVirtualMemory, 6_2_0000026387CFAD34
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 6_2_0000026387CF463C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF7588 RtlInitUnicodeString,NtCreateFile,NtClose, 6_2_0000026387CF7588
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CFB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 6_2_0000026387CFB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CFB0C4 NtOpenKey,RtlpNtOpenKey, 6_2_0000026387CFB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF7ACC NtClose, 6_2_0000026387CF7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF7704 NtQueryInformationFile, 6_2_0000026387CF7704
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF7694 RtlInitUnicodeString,NtDeleteFile, 6_2_0000026387CF7694
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CFCB54 NtDelayExecution, 6_2_0000026387CFCB54
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387D00AF0 NtWriteFile, 6_2_0000026387D00AF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387D00A90 NtDeleteFile,GetVolumeInformationW, 6_2_0000026387D00A90
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387D00AC0 NtFreeVirtualMemory,GetVolumeInformationW, 6_2_0000026387D00AC0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387D00A78 NtClose, 6_2_0000026387D00A78
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF745C RtlInitUnicodeString,NtOpenFile,NtClose, 6_2_0000026387CF745C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82B0C4 NtOpenKey,RtlpNtOpenKey, 7_2_000002095B82B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 7_2_000002095B82463C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82378C NtClose, 7_2_000002095B82378C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B8277B0 RtlInitUnicodeString,NtCreateFile, 7_2_000002095B8277B0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 7_2_000002095B82B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82AD34 NtAllocateVirtualMemory, 7_2_000002095B82AD34
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B827B40 NtFreeVirtualMemory, 7_2_000002095B827B40
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82CB54 NtDelayExecution, 7_2_000002095B82CB54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B830A78 NtClose, 7_2_000002095B830A78
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B830A90 NtDeleteFile,GetVolumeInformationW, 7_2_000002095B830A90
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B827694 RtlInitUnicodeString,NtDeleteFile, 7_2_000002095B827694
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B830AC0 NtFreeVirtualMemory,GetVolumeInformationW, 7_2_000002095B830AC0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B8278C0 NtReadFile, 7_2_000002095B8278C0
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B827ACC NtClose, 7_2_000002095B827ACC
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B827A54 NtWriteFile, 7_2_000002095B827A54
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82745C RtlInitUnicodeString,NtOpenFile,NtClose, 7_2_000002095B82745C
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B827588 RtlInitUnicodeString,NtCreateFile,NtClose, 7_2_000002095B827588
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B8279C8 NtClose, 7_2_000002095B8279C8
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B827704 NtQueryInformationFile, 7_2_000002095B827704
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6DAD34 NtAllocateVirtualMemory, 8_2_000002268D6DAD34
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D7B40 NtFreeVirtualMemory, 8_2_000002268D6D7B40
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D7ACC NtClose, 8_2_000002268D6D7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6DB0C4 NtOpenKey, 8_2_000002268D6DB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6E0AC0 NtFreeVirtualMemory,CreateToolhelp32Snapshot, 8_2_000002268D6E0AC0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D78C0 NtReadFile, 8_2_000002268D6D78C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D7694 RtlInitUnicodeString,NtDeleteFile, 8_2_000002268D6D7694
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6DCB54 NtDelayExecution, 8_2_000002268D6DCB54
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D7704 NtQueryInformationFile, 8_2_000002268D6D7704
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6DB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 8_2_000002268D6DB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D79C8 NtClose, 8_2_000002268D6D79C8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D77B0 RtlInitUnicodeString,NtCreateFile, 8_2_000002268D6D77B0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D378C NtClose, 8_2_000002268D6D378C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D7588 RtlInitUnicodeString,NtCreateFile,NtClose, 8_2_000002268D6D7588
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D7A54 NtWriteFile, 8_2_000002268D6D7A54
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D745C RtlInitUnicodeString,NtOpenFile,NtClose, 8_2_000002268D6D745C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle, 8_2_000002268D6D463C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006A2C8: DeviceIoControl, 6_2_000000018006A2C8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018004B1A4
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\62b2e8.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB539.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB5A8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{B135729E-0574-44D1-B7A1-6E44550F506B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB616.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB6D3.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIB539.tmp
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B36A50 5_2_00B36A50
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B6F032 5_2_00B6F032
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B692A9 5_2_00B692A9
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B5C2CA 5_2_00B5C2CA
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B5E270 5_2_00B5E270
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B684BD 5_2_00B684BD
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B5A587 5_2_00B5A587
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B6D8D5 5_2_00B6D8D5
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B3C870 5_2_00B3C870
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B54920 5_2_00B54920
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B5A915 5_2_00B5A915
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B60A48 5_2_00B60A48
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B39CC0 5_2_00B39CC0
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B65D6D 5_2_00B65D6D
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180017FE8 6_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006DFF4 6_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800220D8 6_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007C140 6_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180060174 6_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018008023C 6_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018000834C 6_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006C470 6_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800784E0 6_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800764F0 6_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180060578 6_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180010580 6_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004E5DC 6_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180062600 6_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180002610 6_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180004638 6_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004A650 6_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006E760 6_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800647B0 6_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007E7C7 6_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180076930 6_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180062954 6_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006A994 6_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006E9FC 6_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180082A18 6_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180072A27 6_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180010B58 6_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180026C84 6_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001ECF4 6_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180008E20 6_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180052FD8 6_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018003AFE8 6_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005D014 6_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006F0B4 6_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800630CC 6_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005912C 6_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007B2D0 6_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018002B2EC 6_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006D3D4 6_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 6_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180075480 6_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800694A0 6_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005958C 6_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800576DC 6_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800097E0 6_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800277FC 6_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018002D964 6_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180073B60 6_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018007BBB0 6_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001BC38 6_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005DD18 6_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180073DF0 6_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180011DF0 6_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018005BE6C 6_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004FF88 6_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF1030 6_2_0000026387CF1030
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B821030 7_2_000002095B821030
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D1030 8_2_000002268D6D1030
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: String function: 00B5325F appears 103 times
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: String function: 00B53790 appears 39 times
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: String function: 00B53292 appears 70 times
Source: ad.msi Binary or memory string: OriginalFilenameviewer.exeF vs ad.msi
Source: ad.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs ad.msi
Source: classification engine Classification label: mal88.troj.evad.winMSI@12/30@1/1
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 6_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 6_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 6_2_000000018008395A
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B33860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,FindCloseChangeNotification,Process32NextW,CloseHandle, 5_2_00B33860
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B34BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error, 5_2_00B34BA0
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B345B0 LoadResource,LockResource,SizeofResource, 5_2_00B345B0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 6_2_0000000180049AEC
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLB691.tmp
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB151.tmp
Source: C:\Windows\Installer\MSIB6D3.tmp Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: rundll32.exe, rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ad.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFBB24A404B21769C19C85B2027D69FC C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 02B62BF455D61FC50D15E7A41AF45BC1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSIB6D3.tmp "C:\Windows\Installer\MSIB6D3.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CFBB24A404B21769C19C85B2027D69FC C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 02B62BF455D61FC50D15E7A41AF45BC1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSIB6D3.tmp "C:\Windows\Installer\MSIB6D3.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll", homq
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\Installer\MSIB6D3.tmp Section loaded: kernel.appcore.dll
Source: C:\Windows\Installer\MSIB6D3.tmp Section loaded: uxtheme.dll
Source: C:\Windows\Installer\MSIB6D3.tmp Section loaded: sxs.dll
Source: C:\Windows\Installer\MSIB6D3.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Installer\MSIB6D3.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Installer\MSIB6D3.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: ad.msi Static file information: File size 1619456 > 1048576
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSIB6D3.tmp, 00000005.00000002.2114621087.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, MSIB6D3.tmp, 00000005.00000000.2105755236.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, ad.msi, 62b2e8.msi.2.dr, MSIB616.tmp.2.dr, MSIB6D3.tmp.2.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB539.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ad.msi, MSIB1FF.tmp.0.dr, 62b2e8.msi.2.dr, MSIB29F.tmp.0.dr, MSIB539.tmp.2.dr, MSIB22F.tmp.0.dr, MSIB25F.tmp.0.dr, MSIB1DF.tmp.0.dr, MSIB5A8.tmp.2.dr, MSIB151.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSIB6D3.tmp, 00000005.00000002.2114621087.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, MSIB6D3.tmp, 00000005.00000000.2105755236.0000000000B77000.00000002.00000001.01000000.00000003.sdmp, ad.msi, 62b2e8.msi.2.dr, MSIB616.tmp.2.dr, MSIB6D3.tmp.2.dr
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000006.00000003.2111415783.0000026387FC0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2112678084.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000007.00000002.3347746498.0000000180086000.00000002.00000001.01000000.00000007.sdmp, Update_71a2ec86.dll.6.dr, 360total.dll.2.dr
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 6_2_00000001800033E0
Source: Update_71a2ec86.dll.6.dr Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.2.dr Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.2.dr Static PE information: section name: yhDm^
Source: Update_71a2ec86.dll.6.dr Static PE information: section name: yhDm^
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B5323C push ecx; ret 5_2_00B5324F
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180010451 push rcx; ret 6_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018001045A push rcx; ret 6_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018017500F push rdx; iretd 6_2_0000000180175010

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSIB6D3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB151.tmp
Source: C:\Windows\System32\rundll32.exe File created: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB1FF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB539.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB25F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB22F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB5A8.tmp
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB29F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB6D3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 6_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 6_2_0000000180062148
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection, 6_2_00000001800655A8
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC 6_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 6_2_0000026387CF68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 6_2_0000026387CF7FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 7_2_000002095B8268E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 7_2_000002095B827FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 8_2_000002268D6D68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 8_2_000002268D6D7FA8
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 1004
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 815
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8180
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: :wtfbbq (copy)
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB151.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB1FF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB539.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB25F.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB22F.tmp
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_71a2ec86.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB5A8.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB1DF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB29F.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll
Source: C:\Windows\Installer\MSIB6D3.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\rundll32.exe API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe API coverage: 8.4 %
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049AEC 6_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe TID: 6556 Thread sleep count: 1004 > 30
Source: C:\Windows\System32\rundll32.exe TID: 6556 Thread sleep time: -1004000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6636 Thread sleep count: 815 > 30
Source: C:\Windows\System32\rundll32.exe TID: 6636 Thread sleep time: -81500s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 6556 Thread sleep count: 8180 > 30
Source: C:\Windows\System32\rundll32.exe TID: 6556 Thread sleep time: -8180000s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B6AF79 FindFirstFileExW, 5_2_00B6AF79
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CFA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 6_2_0000026387CFA350
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 6_2_0000026387CF1A08
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B82A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 7_2_000002095B82A350
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000002095B821A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 7_2_000002095B821A08
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6DA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 8_2_000002268D6DA350
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_000002268D6D1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 8_2_000002268D6D1A08
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959E88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: rundll32.exe, 00000007.00000002.3348585444.0000020959F22000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.3230609342.0000020959F22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000003.3230609342.0000020959EEF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3348585444.0000020959EE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B3D0A5 IsDebuggerPresent,OutputDebugStringW, 5_2_00B3D0A5
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 6_2_0000000180066C3C
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 6_2_00000001800033E0
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B62DCC mov ecx, dword ptr fs:[00000030h] 5_2_00B62DCC
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B6AD78 mov eax, dword ptr fs:[00000030h] 5_2_00B6AD78
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B32310 GetProcessHeap, 5_2_00B32310
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B533A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B533A8
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B5353F SetUnhandledExceptionFilter, 5_2_00B5353F
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B52968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00B52968
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B56E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00B56E1B
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 104.21.46.75 443
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B352F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess, 5_2_00B352F0
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle, 6_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 6_2_0000000180049278
Source: 360total.dll.2.dr Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe Binary or memory string: Progman
Source: rundll32.exe Binary or memory string: Program manager
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B535A9 cpuid 5_2_00B535A9
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: EnumSystemLocalesW, 5_2_00B6E0C6
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: EnumSystemLocalesW, 5_2_00B6E1AC
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: EnumSystemLocalesW, 5_2_00B67132
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: EnumSystemLocalesW, 5_2_00B6E111
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00B6E237
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetLocaleInfoEx, 5_2_00B523F8
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetLocaleInfoW, 5_2_00B6E48A
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_00B6E5B3
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetLocaleInfoW, 5_2_00B6E6B9
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetLocaleInfoW, 5_2_00B676AF
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_00B6E788
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_00B6DE24
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B537D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00B537D5
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000026387CF8AE0 GetUserNameA,wsprintfA, 6_2_0000026387CF8AE0
Source: C:\Windows\Installer\MSIB6D3.tmp Code function: 5_2_00B67B1F GetTimeZoneInformation, 5_2_00B67B1F
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress, 6_2_0000000180040CB0
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Source: Yara match File source: 6.2.rundll32.exe.26387cf0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26387ce0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26387ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b820000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b810000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26387cf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.3230953855.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2135345986.000002268D6C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2135365322.000002268D6D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2974432949.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3348940328.000002095B810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3349009831.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3348957722.000002095B820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3287402342.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2113159787.0000026387CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3130529388.000002095BDE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3348028990.000000E23987A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2113131628.0000026387CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2224, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 6.2.rundll32.exe.26387cf0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26387ce0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26387ce0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b820000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b820000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2095b810000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2268d6c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.26387cf0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.3230953855.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2135345986.000002268D6C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2135365322.000002268D6D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2974432949.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3348940328.000002095B810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3349009831.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3348957722.000002095B820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3287402342.000002095BA10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2113159787.0000026387CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.3130529388.000002095BDE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3348028990.000000E23987A000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2113131628.0000026387CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2224, type: MEMORYSTR