
Analysis Report instmsiw.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 193304
Start date: 03.12.2019
Start time: 08:47:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: instmsiw.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean9.winEXE@4/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 96.4%)
  • Quality average: 83.6%
  • Quality standard deviation: 24.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe

Detection

Strategy: Threshold
Score: 9
Range: 0 - 100
Whitelisted: true
Detection: clean

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample may be VM or sandbox-aware; try analysis on a native machine
Sample searches for specific files; try pointing organization-specific fake files at the analysis machine



MITRE ATT&CK Matrix

Listed per tactic; numbers in parentheses are the counts shown in the original matrix cells.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Rundll32 (1); Execution through API (3); Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Access Token Manipulation (1); Process Injection (1); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Software Packing (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Rundll32 (1); Obfuscated Files or Information (2)
Credential Access: Input Capture (1); Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: Security Software Discovery (21); File and Directory Discovery (2); System Information Discovery (14); System Network Configuration Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Impact: System Shutdown/Reboot (1); Data Encrypted for Impact; Disk Structure Wipe; Disk Content Wipe; Service Stop; Inhibit System Recovery; Defacement

Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01001CB7 lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_01004D44 FindFirstFileW,GetLastError,FindClose,StgOpenStorage,GetUserDefaultLangID,GetUserDefaultLangID,GetUserDefaultLangID,GetSystemDefaultLangID,wsprintfW,wsprintfW,lstrlenW,lstrcatW
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_010061B6 lstrlenW,lstrlenW,lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,SetFileAttributesW,lstrlenW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,GetLastError,GetFileAttributesW,SetFileAttributesW,CopyFileW,GetLastError,SetFileAttributesW,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,SetFileAttributesW
Enumerates the file system
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\msiexec.exe
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\Temp\

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: instmsiw.exe, 00000000.00000002.4487664037.00000000007D0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_0100266C ExitWindowsEx
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_010018ED GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Detected potential crypto function
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01007E21
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_0100793E
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01008765
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_010080FA
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: String function: 01005AC5 appears 61 times
PE file contains executable resources (Code or Archives)
Source: instmsiw.exe | Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 1755094 bytes, 20 files
PE file contains strange resources
Source: instmsiw.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msiexec.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: msiexec.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: instmsiw.exe, 00000000.00000003.4471174732.000000000080A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesdbapi.dll vs instmsiw.exe
Source: instmsiw.exe | Binary or memory string: OriginalFilenameMsi.dll,MsiHnd.dll,MsiExec.exeX vs instmsiw.exe
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Source: instmsiw.exe | Static PE information: Section: .rsrc ZLIB complexity 0.988773464471
Classification label
Source: classification engine | Classification label: clean9.winEXE@4/1@0/0
Contains functionality for error logging
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01003F3A lstrcpyA,GetCurrentDirectoryA,SetCurrentDirectoryA,SetCurrentDirectoryA,GetLastError,FormatMessageA,GetVolumeInformationA,GetLastError,FormatMessageA,SetCurrentDirectoryA,SetCurrentDirectoryA,lstrcpynA
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_010018ED GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01005E94 GetDiskFreeSpaceA,SetCurrentDirectoryA,MulDiv
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01004A08 GetDlgItem,GetDlgItem,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,FreeResource,SendMessageA
Creates temporary files
Source: C:\Users\user\Desktop\instmsiw.exe | File created: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP
PE file has an executable .text section and no other executable section
Source: instmsiw.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\instmsiw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\'
SQL strings found in memory and binary data
Source: msiexec.exe.0.dr | Binary or memory string: select * from CS_ErrorDescription'select * from sysdatabases where name='masterSQLSERVER_FATAL_ERROR1ValidateDB;Network Library=dbmssocnNetwork Library=dbmssocnd:\cs40\private\cs40\setup\ca_dll\database.cppCommitDB%s
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\instmsiw.exe 'C:\Users\user\Desktop\instmsiw.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi MSIEXECREG=1 /m /qb+!
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\advpack.dll,DelNodeRunDLL32 'C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\'
Source: C:\Users\user\Desktop\instmsiw.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\msiinst.exe /i instmsi.msi MSIEXECREG=1 /m /qb+!
PE / OLE file has a valid certificate
Source: instmsiw.exe | Static PE information: certificate valid
PE / OLE file has a valid certificate with Microsoft as Issuer
Source: initial sample | Static PE information: Valid certificate with Microsoft Issuer
Submission file is bigger than most known malware samples
Source: instmsiw.exe | Static file information: File size 1822520 > 1048576
PE file has a big raw section
Source: instmsiw.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b2800
PE file contains a debug data directory
Source: instmsiw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: msiexec.pdb source: msiexec.exe.0.dr
Source: Binary string: wextract.pdb source: instmsiw.exe
Source: Binary string: regsip.pdbU source: msiexec.exe.0.dr
Source: Binary string: MsiHnd.pdb source: msiexec.exe.0.dr
Source: Binary string: MsiHnd.pdbV source: msiexec.exe.0.dr
Source: Binary string: shfolder.pdb source: msiexec.exe.0.dr
Source: Binary string: sdbapiu.pdbU source: msiexec.exe.0.dr
Source: Binary string: usp10.pdbMZ source: msiexec.exe.0.dr
Source: Binary string: msisip.pdb source: msiexec.exe.0.dr
Source: Binary string: sdbapiu.pdb source: msiexec.exe.0.dr
Source: Binary string: riched20.pdb source: msiexec.exe.0.dr
Source: Binary string: mspatcha.pdb source: msiexec.exe.0.dr
Source: Binary string: wextract.pdbe\setup\iexpress\wextract\obj\i386\wextract.pdbU source: instmsiw.exe
Source: Binary string: msiregmv.pdb source: msiexec.exe.0.dr
Source: Binary string: regsip.pdb source: msiexec.exe.0.dr
Source: Binary string: mspatcha.pdbU source: msiexec.exe.0.dr
Source: Binary string: msi_l.pdb source: msiexec.exe.0.dr
Source: Binary string: msiregmv.pdbV source: msiexec.exe.0.dr
Source: Binary string: usp10.pdb source: msiexec.exe.0.dr
Source: Binary string: imagehlp.pdbMZ source: msiexec.exe.0.dr
Source: Binary string: ss\wextract\obj\i386\wextract.pdb source: instmsiw.exe
Source: Binary string: imagehlp.pdb source: msiexec.exe.0.dr
Source: Binary string: riched20.pdbMZ source: msiexec.exe.0.dr
Source: Binary string: MsiInst.pdb source: msiinst.exe, msiexec.exe.0.dr
Source: Binary string: msisip.pdb3 source: msiexec.exe.0.dr
Source: Binary string: e\setup\iexpress\wextract\obj\i386\wextract.pdb source: instmsiw.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_010019C3 LocalFree,RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree
PE file contains an invalid checksum
Source: msiexec.exe.0.dr | Static PE information: real checksum: 0x15fac should be: 0x55aa89
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_01007E09 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_01007E20 push eax; ret (listed twice)

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\instmsiw.exe | File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiexec.exe
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_0100232A LocalFree,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcpyA,lstrcpyA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\instmsiw.exe | Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\instmsiw.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiexec.exe
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Users\user\Desktop\instmsiw.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\instmsiw.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\instmsiw.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | API coverage: 4.5 %
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01001CB7 lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_01004D44 FindFirstFileW,GetLastError,FindClose,StgOpenStorage,GetUserDefaultLangID,GetUserDefaultLangID,GetUserDefaultLangID,GetSystemDefaultLangID,wsprintfW,wsprintfW,lstrlenW,lstrcatW
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_010061B6 lstrlenW,lstrlenW,lstrlenW,lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,SetFileAttributesW,lstrlenW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,CreateDirectoryW,GetLastError,CopyFileW,GetLastError,GetFileAttributesW,SetFileAttributesW,CopyFileW,GetLastError,SetFileAttributesW,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,SetFileAttributesW
Contains functionality to query system information
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01004B47 lstrcpyA,GetSystemInfo,lstrcpyA,CreateDirectoryA,RemoveDirectoryA
Enumerates the file system
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\msiexec.exe
Source: C:\Users\user\Desktop\instmsiw.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: msiinst.exe, 00000002.00000002.4484041699.0000000000600000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: msiinst.exe, 00000002.00000002.4484041699.0000000000600000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: msiinst.exe, 00000002.00000002.4484041699.0000000000600000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: msiinst.exe, 00000002.00000002.4484041699.0000000000600000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | API call chain: ExitProcess graph end node (listed twice)

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_01005AC5 GetLastError,wvsprintfW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,SetLastError
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_010019C3 LocalFree,RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: 2_2_0100B00D HeapAlloc,RegCloseKey,GetProcessHeap,HeapAlloc,SetLastError,RegCreateKeyExW,SetLastError,RegDeleteValueW,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,StringFromIID,CoTaskMemFree,RegSetValueExW,SetLastError,GetProcessHeap,HeapFree,RegCloseKey,GetProcessHeap,HeapFree

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_0100162E LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiinst.exe | Code function: GetLocaleInfoA
Contains functionality to query windows version
Source: C:\Users\user\Desktop\instmsiw.exe | Code function: 0_2_01005D4F GetVersionExA,GetSystemMetrics,RegOpenKeyExA,RegQueryValueExA,RegCloseKey

Behavior Graph

Behavior Graph ID: 193304
Sample: instmsiw.exe
Startdate: 03/12/2019
Architecture: WINDOWS
Score: 9

Process tree recovered from the graph:
  • instmsiw.exe started
  • rundll32.exe started
  • msiinst.exe started by instmsiw.exe
  • C:\Users\user\AppData\Local\...\msiexec.exe (PE32) dropped by instmsiw.exe

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
instmsiw.exe | 0% | Virustotal
instmsiw.exe | 3% | Metadefender

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\IXP000.TMP\msiexec.exe | instmsiw.exe | malicious
