
Analysis Report http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 201044
Start date: 15.01.2020
Start time: 00:18:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean10.win@7/17@1/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 94.6%)
  • Quality average: 74.3%
  • Quality standard deviation: 29.1%
HCA Information:
  • Successful, ratio: 56%
  • Number of executed functions: 101
  • Number of non-executed functions: 318
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Excluded processes from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 52.109.120.20, 52.109.120.21
  • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, nexus.officeapps.live.com
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size exceeded maximum capacity and may have missing network information.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 10    | 0 - 100 |           | false       | clean

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 0     | 0 - 5 | true                       |


Classification

Analysis Advice

Initial sample implements a service and should be registered and started as a service
Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior
Sample is looking for USB drives; launch the sample with the USB Fake Disk cookbook
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require prefix characters such as "-", "/" or "--")
Sample searches for specific files; try placing organization-specific fake files on the analysis machine
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column in the order the matrix shows them; the number in parentheses is the signature count displayed next to the technique.

Initial Access: Replication Through Removable Media (1), Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
Execution: Execution through API (2), Graphical User Interface (1), Command-Line Interface (12), Scheduled Task, Command-Line Interface, Graphical User Interface
Persistence: Application Shimming (1), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service
Privilege Escalation: Access Token Manipulation (1), Process Injection (12), Application Shimming (1), DLL Search Order Hijacking, File System Permissions Weakness, New Service
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Masquerading (1), Access Token Manipulation (1), Process Injection (12), DLL Side-Loading (1)
Credential Access: Input Capture (1), Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force
Discovery: System Time Discovery (1), Peripheral Device Discovery (11), File and Directory Discovery (4), System Information Discovery (26), Process Discovery (1), Remote System Discovery (1)
Lateral Movement: Remote File Copy (12), Replication Through Removable Media (1), Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software
Collection: Input Capture (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture
Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Commonly Used Port (1), Remote File Copy (12), Standard Cryptographic Protocol (1), Standard Non-Application Layer Protocol (2), Standard Application Layer Protocol (12), Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features

Signature Overview


Spreading:

Checks for available system drives (often done to infect USB drives)
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | File opened (one entry per drive letter): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00413028: CreateEventA, GetProcAddress, SearchPathA, GetModuleFileNameA, FindFirstFileA, VirtualProtect, VirtualQuery, VirtualProtect, VirtualProtect, FindClose, FindClose
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004132A2: FtpFindFirstFileA, SetLastError
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_00455956: CreateEventA, GetProcAddress, SearchPathA, GetModuleFileNameA, FindFirstFileA, VirtualProtect, VirtualQuery, VirtualProtect, VirtualProtect, FindClose, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0044C7CD: __EH_prolog, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_00418DDB: __EH_prolog, FindFirstFileA, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0042CFA9: __EH_prolog, FindFirstFileA, FindNextFileA, FindNextFileA, FindNextFileA, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0045519C: __EH_prolog, RegDeleteKeyA, FindFirstFileA, FindClose, lstrcmpA, lstrcmpA, lstrcmpA, FindNextFileA, FindClose, RemoveDirectoryA, FindClose, DeleteFileA, GetFileAttributesA
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0041649A: __EH_prolog, GetFileAttributesA, GetLastError, GetLastError, FindFirstFileA, FindClose, GetLastError
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_00416554: GetFileAttributesA, GetLastError, GetLastError, FindFirstFileA, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_004269BB: __EH_prolog, FindFirstFileA, FindNextFileA, SafeArrayCopy, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_00446D6C: __EH_prolog, SysStringLen, FindFirstFileA, FindNextFileA, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_00426F48: __EH_prolog, FindFirstFileA, lstrcmpA, lstrcmpA, lstrcmpA, FindNextFileA, SafeArrayCopy, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0041779B: __EH_prolog, FindFirstFileA, lstrcmpA, lstrcmpA, lstrcmpA, FindNextFileA, FindClose
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0041791A: __EH_prolog, FindFirstFileA, FileTimeToLocalFileTime, FileTimeToDosDateTime, FindNextFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime
Enumerates the file system
  • Source: C:\Users\user\Desktop\download\setup.exe | File opened: C:\Users\user~1\
  • Source: C:\Users\user\Desktop\download\setup.exe | File opened: C:\Users\user~1\AppData\Local\Temp\_is7F1B\Setup.INI
  • Source: C:\Users\user\Desktop\download\setup.exe | File opened: C:\Users\user~1\AppData\Local\Temp\_is7F1B.tmp
  • Source: C:\Users\user\Desktop\download\setup.exe | File opened: C:\Users\user~1\AppData\
  • Source: C:\Users\user\Desktop\download\setup.exe | File opened: C:\Users\user~1\AppData\Local\
  • Source: C:\Users\user\Desktop\download\setup.exe | File opened: C:\Users\user~1\AppData\Local\Temp\

Networking:

Downloads executable code via HTTP
  • Source: global traffic | HTTP traffic detected (response headers):
    HTTP/1.1 200 OK
    Date: Tue, 14 Jan 2020 23:19:36 GMT
    Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.0-fips
    Last-Modified: Fri, 19 Jun 2009 21:59:12 GMT
    ETag: "4a030-20e3ed4-46cbaa272ec00"
    Accept-Ranges: bytes
    Content-Length: 34488020
    Keep-Alive: timeout=120, max=3000
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
Contains functionality to download additional files from the internet
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00413236: InternetReadFile, SetLastError
Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected (request headers):
    GET /support/CitadonCW/downloads/8.1.7/setup.exe HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Accept: */*
    Accept-Encoding: identity
    Host: citadoncw.citadon.com
    Connection: Keep-Alive
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: citadoncw.citadon.com
Urls found in memory or binary data
  • Source: wget.exe, 00000002.00000002.4589418016.0000000001290000.00000004.00000040.sdmp | String found in binary or memory: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe
  • Source: wget.exe, 00000002.00000002.4589418016.0000000001290000.00000004.00000040.sdmp | String found in binary or memory: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exeaR
  • Source: wget.exe, 00000002.00000002.4589418016.0000000001290000.00000004.00000040.sdmp | String found in binary or memory: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.execR
  • Source: wget.exe, 00000002.00000002.4589418016.0000000001290000.00000004.00000040.sdmp | String found in binary or memory: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exenited
  • Source: wget.exe, 00000002.00000002.4589418016.0000000001290000.00000004.00000040.sdmp | String found in binary or memory: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exepR
  • Source: wget.exe, 00000002.00000002.4589418016.0000000001290000.00000004.00000040.sdmp | String found in binary or memory: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exevR
  • Source: wget.exe, 00000002.00000002.4589418016.0000000001290000.00000004.00000040.sdmp | String found in binary or memory: http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exeyR
  • Source: IDriver.exe, 00000008.00000002.5030013005.0000000006CC0000.00000004.00000001.sdmp, IDriver.exe, 00000008.00000002.5021685985.0000000005166000.00000002.00000001.sdmp, String1033.txt.8.dr | String found in binary or memory: http://www.citadon.com
  • Source: IDriver.exe, 00000008.00000002.5030013005.0000000006CC0000.00000004.00000001.sdmp, IDriver.exe, 00000008.00000002.5021685985.0000000005166000.00000002.00000001.sdmp, String1033.txt.8.dr | String found in binary or memory: http://www.citadon.com/support/CitadonCW/index.html
  • Source: IDriver.exe, 00000008.00000002.5021446165.00000000050A8000.00000002.00000001.sdmp | String found in binary or memory: https://%hx.rra0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  • Source: setup.exe, 00000007.00000002.5011264060.0000000000720000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to call native functions
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_004443B1: __EH_prolog, #141, #136, GetPrivateProfileStringA, MessageBoxA, #73, #112, #8, #95, #112, #144, #67, #67, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, #73, LoadLibraryA, GetProcAddress, CLSIDFromString, NtClose, FreeLibrary, #49, #8, lstrlenW, WideCharToMultiByte, lstrlenW, WideCharToMultiByte, GetFileAttributesA, GetPrivateProfileStringA, GetFileAttributesA, FormatMessageA, VariantClear, wsprintfA, RegQueryValueExA, RegCloseKey, lstrlenW, WideCharToMultiByte, #7, #8, #8, VariantClear, VariantClear, VariantClear, VariantClear, VariantClear, VariantClear, VariantClear, VariantClear, CopyFileA, #8, VariantClear, #7, RegDeleteKeyA, RegDeleteKeyA, RegDeleteKeyA
Contains functionality to shutdown / reboot the system
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00412462: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0041F33D: __EH_prolog, SysAllocString, SysFreeString, GetModuleFileNameA, GetVersionExA, RegCreateKeyExA, RegQueryValueExA, wsprintfA, lstrcpyA, lstrlenA, RegSetValueExA, RegCloseKey, ExitWindowsEx, ExitWindowsEx, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0041F737: ExitWindowsEx, ExitWindowsEx, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
Detected potential crypto function
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00420833
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040420C
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0041AED8
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_004443B1
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0045754B
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_00463AAB
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0045FDB6
Found potential string decryption / allocating functions
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function: String function 0041673D appears 33 times
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function: String function 00454DD6 appears 63 times
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function: String function 00459CC8 appears 34 times
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function: String function 0045A0BC appears 831 times
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function: String function 0043EA35 appears 150 times
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function: String function 004175D4 appears 89 times
PE file contains strange resources
  • Source: setup.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  • Source: setup.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  • Source: _ISRES.DLL.8.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
  • Source: _ISRES.DLL.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  • Source: _ISRES.DLL.8.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\download\setup.exe | Section loaded: tsappcmp.dll
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Section loaded: tsappcmp.dll
Classification label
  • Source: classification engine | Classification label: clean10.win@7/17@1/1
Contains functionality to adjust token privileges (e.g. debug / backup)
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00412462: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0041F33D: __EH_prolog, SysAllocString, SysFreeString, GetModuleFileNameA, GetVersionExA, RegCreateKeyExA, RegQueryValueExA, wsprintfA, lstrcpyA, lstrlenA, RegSetValueExA, RegCloseKey, ExitWindowsEx, ExitWindowsEx, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0041F737: ExitWindowsEx, ExitWindowsEx, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx
Contains functionality to check free disk space
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00411BAC: LoadLibraryA, GetProcAddress, lstrcpyA, GetDiskFreeSpaceExA, GetDiskFreeSpaceA, FreeLibrary
Contains functionality to instantiate COM classes
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00404EDD: GetPrivateProfileIntA, CoCreateInstance, wsprintfA, StringFromCLSID, SysAllocString, CoTaskMemFree, lstrlenW, lstrlenW, wsprintfA, RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, RegQueryValueExA, CoCreateGuid, lstrcatA, StringFromCLSID, SysAllocString, CoTaskMemFree, lstrlenW, lstrcatA, CreateProcessA, SysFreeString, lstrlenW, wsprintfA, WaitForInputIdle, CloseHandle, CloseHandle, CloseHandle, Sleep, CreateItemMoniker, GetRunningObjectTable, SysFreeString, RegCloseKey, RegCloseKey, RegCloseKey, SysFreeString
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00404C98: FindResourceA, SizeofResource, LoadResource, LockResource
Creates files inside the user directory
  • Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Creates mutexes
  • Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_01
Creates temporary files
  • Source: C:\Users\user\Desktop\download\setup.exe | File created: C:\Users\user~1\AppData\Local\Temp\~7EEB.tmp
Reads ini files
  • Source: C:\Users\user\Desktop\download\setup.exe | File read: C:\Users\user\AppData\Local\Temp\_is7F1B\_ISMSIDEL.INI
Reads software policies
  • Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
  • Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
  • Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample might require command line arguments
  • Source: IDriver.exe | String found in binary or memory: CLSID\{697DEABA-809C-49fc-ADD1-E9902D88360D}
Spawns processes
  • Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe' > cmdline.out 2>&1
  • Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
  • Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe'
  • Source: unknown | Process created: C:\Users\user\Desktop\download\setup.exe 'C:\Users\user\Desktop\download\setup.exe'
  • Source: unknown | Process created: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe 'C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe' -Embedding
  • Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B9871B190F0F17059ABFC32874084550 C
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe'
Uses an in-process (OLE) Automation server
  • Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Writes ini files
  • Source: C:\Users\user\Desktop\download\setup.exe | File written: C:\Users\user\AppData\Local\Temp\_is7F1B\Setup.INI
Found graphical window changes (likely an installer)
  • Source: Window Recorder | Window detected: More than 3 window changes detected
Binary contains paths to debug symbols
  • Binary string: wdsfpca.pdb | Source: IDriver.exe, 00000008.00000002.5021089890.0000000004FA0000.00000002.00000001.sdmp
  • Binary string: wdsfpca.pdb | Source: IDriver.exe, 00000008.00000002.5021089890.0000000004FA0000.00000002.00000001.sdmp
  • Binary string: msvcp71.pdb | Source: IDriver.exe, 00000008.00000002.5021275479.0000000005025000.00000002.00000001.sdmp
  • Binary string: stddlls.pdb | Source: IDriver.exe, 00000008.00000002.5021160635.0000000004FD0000.00000002.00000001.sdmp
  • Binary string: stddlls.pdb@H | Source: IDriver.exe, 00000008.00000002.5021160635.0000000004FD0000.00000002.00000001.sdmp
  • Binary string: msoobci.pdbU | Source: IDriver.exe, 00000008.00000002.5021089890.0000000004FA0000.00000002.00000001.sdmp
  • Binary string: msvcr71.pdb | Source: IDriver.exe, 00000008.00000002.5021160635.0000000004FD0000.00000002.00000001.sdmp
  • Binary string: msoobci.pdb | Source: IDriver.exe, 00000008.00000002.5021089890.0000000004FA0000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00411BAC: LoadLibraryA, GetProcAddress, lstrcpyA, GetDiskFreeSpaceExA, GetDiskFreeSpaceA, FreeLibrary
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004175D4: push eax; ret (at 7_2_004175F2)
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004176D0: push eax; ret (at 7_2_004176FE)
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0045A0BC: push eax; ret (at 8_2_0045A0DA)
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0043217A: push esp; ret (at 8_2_00432189)
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | Code function 8_2_0045B0C0: push eax; ret (at 8_2_0045B0EE)

Persistence and Installation Behavior:

Drops PE files
  • Source: C:\Windows\SysWOW64\wget.exe | File created: C:\Users\user\Desktop\download\setup.exe
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | File created: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\IGdi.dll
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | File created: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\_ISUSER.DLL
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | File created: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\_ISRES.DLL
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | File created: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\ISRT.DLL
  • Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe | File created: C:\Users\user\AppData\Local\Temp\MSI4568.tmp
Contains functionality to read ini properties file for application configuration
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004088ED: __EH_prolog, wsprintfA, wsprintfA, wsprintfA, wsprintfA, wsprintfA, wsprintfA, lstrlenA, wsprintfA, wsprintfA, wsprintfA, wsprintfA, CoInitialize, GetPrivateProfileIntA, SysFreeString, GetPrivateProfileStringA, SysFreeString, SysFreeString, CoUninitialize
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040F919: __EH_prolog, lstrcpyA, IsValidCodePage, GetPrivateProfileIntA, lstrlenA, lstrlenA, lstrlenA, wsprintfA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004081EC: GetPrivateProfileStringA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040A26E: __EH_prolog, GetPrivateProfileIntA, GetPrivateProfileIntA, GetPrivateProfileIntA, CoInitialize, GetPrivateProfileStringA, lstrlenW, WideCharToMultiByte, SysFreeString, SysFreeString, CoUninitialize
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00401B75: GetPrivateProfileStringA, GetPrivateProfileStringA, lstrlenA, GetPrivateProfileStringA, lstrlenA, GetPrivateProfileStringA, lstrlenA, lstrlenA, GetPrivateProfileStringA, lstrlenA, lstrcmpiA, GetPrivateProfileStringA, lstrlenA, GetPrivateProfileStringA, lstrcmpA, lstrcmpA, lstrcmpA, GetPrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileStringA, ExpandEnvironmentStringsA, lstrcpyA, GetPrivateProfileIntA, GetPrivateProfileStringA, GetPrivateProfileStringA, lstrlenA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040B3EA: GetPrivateProfileIntA, wsprintfA, RegCreateKeyExA, RegDeleteKeyA, RegCloseKey
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004083A4: __EH_prolog, GetPrivateProfileStringA, lstrcatA, lstrcmpA, lstrcmpA, lstrcmpA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0041041C: GetPrivateProfileIntA, wsprintfA, CharNextA, CharNextA, CharNextA, GetPrivateProfileStringA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040AD05: GetPrivateProfileIntA, GetPrivateProfileStringA, LoadLibraryA, GetProcAddress, FreeLibrary, lstrcpyA, lstrcpyA, lstrcpyA, lstrcmpA, wsprintfA, MessageBoxA, CopyFileA, GetLastError, wsprintfA, lstrcatA, CopyFileA, CopyFileA, CopyFileA, lstrcatA, CopyFileA, CopyFileA, CopyFileA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040A517: GetPrivateProfileIntA, GetPrivateProfileStringA, lstrcpyA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040BD9B: __EH_prolog, GetPrivateProfileStringA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004076CC: GetPrivateProfileIntA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00404EDD: GetPrivateProfileIntA, CoCreateInstance, wsprintfA, StringFromCLSID, SysAllocString, CoTaskMemFree, lstrlenW, lstrlenW, wsprintfA, RegOpenKeyExA, RegOpenKeyExA, RegOpenKeyExA, RegQueryValueExA, CoCreateGuid, lstrcatA, StringFromCLSID, SysAllocString, CoTaskMemFree, lstrlenW, lstrcatA, CreateProcessA, SysFreeString, lstrlenW, wsprintfA, WaitForInputIdle, CloseHandle, CloseHandle, CloseHandle, Sleep, CreateItemMoniker, GetRunningObjectTable, SysFreeString, RegCloseKey, RegCloseKey, RegCloseKey, SysFreeString
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00407685: GetPrivateProfileStringA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040FEBD: GetPrivateProfileIntA, wsprintfA, wsprintfA, GetPrivateProfileStringA, wsprintfA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00409F3B: GetTempPathA, GetWindowsDirectoryA, GetPrivateProfileStringA, wsprintfA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_004078E6: GetPrivateProfileStringA, lstrlenA, lstrlenA, lstrlenA, lstrlenA, lstrlenA, lstrlenA, lstrcatA, lstrcatA, lstrcatA, lstrcatA, lstrcatA, lstrcatA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00417167: GetPrivateProfileStringA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040A9E7: wsprintfA, GetPrivateProfileStringA, lstrcmpA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00407AFD: GetPrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileStringA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_00412B1A: wsprintfA, wsprintfA, CharNextA, CharNextA, CharNextA, lstrcatA, wsprintfA, GetPrivateProfileStringA, VerLanguageNameA
  • Source: C:\Users\user\Desktop\download\setup.exe | Code function 7_2_0040B470: __EH_prolog, GetPrivateProfileStringA, wsprintfA, lstrlenW, WideCharToMultiByte, __vprintf_l
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_00407D49 GetPrivateProfileStringA,lstrcpyA,lstrcatA,lstrlenA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,wsprintfA,GetDlgItem,EnableWindow,EnableWindow,EnableWindow,7_2_00407D49
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_0040155E GetPrivateProfileStringA,lstrlenA,7_2_0040155E
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_00409D01 GetPrivateProfileStringA,GetPrivateProfileSectionA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,RegQueryValueExA,RegCloseKey,RegCloseKey,7_2_00409D01
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_004055E9 __EH_prolog,CharNextA,CharNextA,CharNextA,lstrcmpA,lstrcpyA,RegQueryValueExA,lstrcpyA,RegDeleteValueA,RegCloseKey,RegCloseKey,RegCloseKey,GetPrivateProfileStringA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,CharNextA,lstrcpyA,RegCloseKey,7_2_004055E9
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_00405E5D __EH_prolog,CharNextA,CharNextA,CharNextA,lstrcpyA,GetPrivateProfileIntA,wsprintfA,GetPrivateProfileStringA,7_2_00405E5D
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_004076F4 wsprintfA,GetPrivateProfileStringA,7_2_004076F4
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_0040BE96 GetPrivateProfileIntA,7_2_0040BE96
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_00408F13 __EH_prolog,CopyFileA,SetFileAttributesA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,lstrcpyA,GetPrivateProfileIntA,lstrcpyA,lstrcpyA,wsprintfA,wsprintfA,lstrcatA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,wsprintfA,lstrcatA,RegCreateKeyExA,RegCloseKey,lstrlenA,CoInitialize,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,RegCloseKey,lstrlenW,WideCharToMultiByte,lstrlenA,RegSetValueExA,RegCloseKey,CoUninitialize,lstrlenA,RegSetValueExA,RegCloseKey,GetPrivateProfileIntA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,RegCloseKey,7_2_00408F13
Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_004077D5 lstrcatA,GetPrivateProfileStringA,7_2_004077D5
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exeCode function: 8_2_004443B1 __EH_prolog,#141,#136,GetPrivateProfileStringA,MessageBoxA,#73,#112,#8,#95,#112,#144,#67,#67,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,#73,LoadLibraryA,GetProcAddress,CLSIDFromString,NtClose,FreeLibrary,#49,#8,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,GetFileAttributesA,GetPrivateProfileStringA,GetFileAttributesA,FormatMessageA,VariantClear,wsprintfA,RegQueryValueExA,RegCloseKey,lstrlenW,WideCharToMultiByte,#7,#8,#8,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,CopyFileA,#8,VariantClear,#7,RegDeleteKeyA,RegDeleteKeyA,RegDeleteKeyA,8_2_004443B1
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exeCode function: 8_2_0044AEB7 __EH_prolog,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegCloseKey,8_2_0044AEB7
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exeCode function: 8_2_0044AB1F __EH_prolog,wsprintfA,wsprintfA,wsprintfA,GetPrivateProfileStringA,wsprintfA,SysAllocString,SysFreeString,8_2_0044AB1F

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_00412E2E LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_00412E2E
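The evidence rows in this report all share one shape: a Source cell, a Code function cell, and an API chain that repeats the function id (process_run_address) at both ends. The parser below is an added example, not part of the report or of Joe Sandbox, for turning those rows into per-function API chains so that a triage question such as "which functions resolve imports dynamically, and how many GetProcAddress calls do they make?" can be answered across the whole report rather than by reading one signature at a time. The row format is inferred from the rows above (both the raw "…exeCode function:" cell merge and the "; Code function:" form used on this page are accepted); the sample rows are constructed copies of evidence from this report, with the GetProcAddress run in 7_2_00412E2E written as a repeat count of 26 for brevity, and the threshold of five is an assumption, not a Joe Sandbox parameter.

```python
"""Parse Joe Sandbox 'Code function' evidence rows into per-function API chains."""
import re
from collections import Counter

# One evidence row: the Source cell and the Code function cell (possibly run
# together in extracted text), then "<pid>_<run>_<addr> api,api,...,<pid>_<run>_<addr>".
_ROW = re.compile(
    r"^Source:\s*(?P<path>.+?)\s*;?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>.*?),(?P=fid)\s*$"
)


def parse_row(line):
    """Return (process_basename, function_id, [api, ...]), or None for rows of another shape."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    process = m.group("path").rsplit("\\", 1)[-1]
    apis = [a for a in m.group("apis").split(",") if a]
    return process, m.group("fid"), apis


def parse_rows(lines):
    """Map (process, function_id) -> API chain for every matching row."""
    chains = {}
    for line in lines:
        rec = parse_row(line)
        if rec is not None:
            process, fid, apis = rec
            chains[(process, fid)] = apis
    return chains


def api_counts(chains):
    """Per-function Counter of API names (a chain may repeat one API many times)."""
    return {key: Counter(apis) for key, apis in chains.items()}


def functions_calling(chains, api):
    """Sorted list of (process, function_id) whose chain contains the given API."""
    return sorted(key for key, apis in chains.items() if api in apis)


def dynamic_import_resolvers(chains, threshold=5):
    """Functions with a LoadLibrary* call and at least `threshold` GetProcAddress calls.

    This is the pattern the 'Extensive use of GetProcAddress' signature keys on.
    It is also what a benign compatibility shim looks like (7_2_00411BAC in this
    report resolves GetDiskFreeSpaceExA and falls back to GetDiskFreeSpaceA),
    so a hit is a triage lead, not a verdict. The threshold is an assumption.
    """
    hits = {}
    for key, apis in chains.items():
        n = apis.count("GetProcAddress")
        if n >= threshold and any(a.startswith("LoadLibrary") for a in apis):
            hits[key] = n
    return hits


def summarize(lines):
    """Parse rows and return the two triage views used in this report's signatures."""
    chains = parse_rows(lines)
    return {
        "functions": len(chains),
        "resolvers": dynamic_import_resolvers(chains),
        "token_checks": functions_calling(chains, "GetTokenInformation"),
    }


# Constructed sample: four rows copied from this report's evidence (the first one
# with the raw cell merge, 26 GetProcAddress repeats), plus one row of a different
# signature shape that the parser must reject.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\download\setup.exeCode function: 7_2_00412E2E LoadLibraryA,"
    + "GetProcAddress," * 26 + "7_2_00412E2E",
    r"Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_00411BAC LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary,7_2_00411BAC",
    r"Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_00412537 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,7_2_00412537",
    r"Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0044E0F1 lstrcpyA,RpcServerUseProtseqEpA,SetEvent,RpcServerRegisterIf,SetEvent,RpcServerListen,SetEvent,8_2_0044E0F1",
    r"Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX",
]

if __name__ == "__main__":
    for (process, fid), n in dynamic_import_resolvers(parse_rows(SAMPLE_ROWS)).items():
        print("%s %s: %d GetProcAddress calls" % (process, fid, n))
```

Feed the parser the whole report text (every line that does not match is skipped) and pivot on `api_counts` or `functions_calling` to see, for instance, which functions are flagged under several headings at once; a function that appears only in the INI-reading and dynamic-resolution lists, as here, reads very differently from one that also shows up under process creation or memory protection changes.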
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\download\setup.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\IGdi.dll
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\_ISUSER.DLL
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\_ISRES.DLL
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\ISRT.DLL
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\download\setup.exe; Check user administrative privileges: GetTokenInformation (decision node graph_7-17683)
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; API coverage: 6.1 %
Checks the free space of hard drives
Source: C:\Users\user\Desktop\download\setup.exe; File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_00413028 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,7_2_00413028
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_004132A2 FtpFindFirstFileA,SetLastError,7_2_004132A2
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_00455956 CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,8_2_00455956
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0044C7CD __EH_prolog,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,8_2_0044C7CD
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_00418DDB __EH_prolog,FindFirstFileA,FindClose,8_2_00418DDB
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0042CFA9 __EH_prolog,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose,8_2_0042CFA9
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0045519C __EH_prolog,RegDeleteKeyA,FindFirstFileA,FindClose,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,RemoveDirectoryA,FindClose,DeleteFileA,GetFileAttributesA,8_2_0045519C
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0041649A __EH_prolog,GetFileAttributesA,GetLastError,GetLastError,FindFirstFileA,FindClose,GetLastError,8_2_0041649A
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_00416554 GetFileAttributesA,GetLastError,GetLastError,FindFirstFileA,FindClose,8_2_00416554
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_004269BB __EH_prolog,FindFirstFileA,FindNextFileA,SafeArrayCopy,FindClose,8_2_004269BB
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_00446D6C __EH_prolog,SysStringLen,FindFirstFileA,FindNextFileA,FindClose,8_2_00446D6C
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_00426F48 __EH_prolog,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,SafeArrayCopy,FindClose,8_2_00426F48
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0041779B __EH_prolog,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,FindNextFileA,FindClose,8_2_0041779B
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0041791A __EH_prolog,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindNextFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,8_2_0041791A
Contains functionality to query system information
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_0040E2FE GetVersionExA,GetSystemInfo,7_2_0040E2FE
Enumerates the file system
Source: C:\Users\user\Desktop\download\setup.exe; File opened: C:\Users\user~1\
Source: C:\Users\user\Desktop\download\setup.exe; File opened: C:\Users\user~1\AppData\Local\Temp\_is7F1B\Setup.INI
Source: C:\Users\user\Desktop\download\setup.exe; File opened: C:\Users\user~1\AppData\Local\Temp\_is7F1B.tmp
Source: C:\Users\user\Desktop\download\setup.exe; File opened: C:\Users\user~1\AppData\
Source: C:\Users\user\Desktop\download\setup.exe; File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Desktop\download\setup.exe; File opened: C:\Users\user~1\AppData\Local\Temp\
Program exit points
Source: C:\Users\user\Desktop\download\setup.exe; API call chain: ExitProcess graph end node (graph_7-14833)

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_00411BAC LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary,7_2_00411BAC
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_0041B9C2 SetUnhandledExceptionFilter,7_2_0041B9C2
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_0041B9D4 SetUnhandledExceptionFilter,7_2_0041B9D4
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0045D546 SetUnhandledExceptionFilter,8_2_0045D546
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0045D558 SetUnhandledExceptionFilter,8_2_0045D558

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe'
Note: the cmd.exe -> wget.exe chain is the urldownload.jbs cookbook fetching the sample URL into C:\Users\user\Desktop\download, not behaviour of setup.exe; this signature and the next one fire on the analysis harness rather than on the sample.
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe'
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe'
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_00412537 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,7_2_00412537
Note: none of the listed APIs builds a security descriptor. OpenThreadToken/OpenProcessToken followed by GetTokenInformation, AllocateAndInitializeSid and EqualSid is the standard test of whether the caller's token contains a given group SID, consistent with the administrative-privilege check recorded at graph_7-17683 above.
May try to detect the Windows Explorer process (often used for injection)
Source: IDriver.exe; Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000007.00000002.5011530816.0000000000A20000.00000002.00000001.sdmp, IDriver.exe, 00000008.00000002.5019903942.0000000000B60000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.5031662643.00000000034F0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: setup.exe, IDriver.exe, 00000008.00000002.5019903942.0000000000B60000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.5031662643.00000000034F0000.00000002.00000001.sdmp, setup.exe.2.dr; Binary or memory string: Shell_TrayWnd
Source: setup.exe, 00000007.00000002.5011530816.0000000000A20000.00000002.00000001.sdmp, IDriver.exe, 00000008.00000002.5019903942.0000000000B60000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.5031662643.00000000034F0000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: setup.exe, 00000007.00000003.4758583153.0000000000794000.00000004.00000001.sdmp, IDriver.exe, 00000008.00000002.5018420763.00000000004A1000.00000002.00020000.sdmp; Binary or memory string: OPTYPE_PROGMAN_FIELDS
Source: setup.exe, 00000007.00000003.4758583153.0000000000794000.00000004.00000001.sdmp, IDriver.exe, 00000008.00000002.5018420763.00000000004A1000.00000002.00020000.sdmp; Binary or memory string: OPTYPE_PROGMAN_FIELDS%H
Source: setup.exe, 00000007.00000002.5010307173.0000000000427000.00000008.00020000.sdmp, setup.exe.2.dr; Binary or memory string: Shell_TrayWndArialCANCEL%x,ALLDescriptionMSlovenianBasqueDefault%#04xTitle.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXEDIRCertKeyISScript.MsiCacheFolderCacheRootLocationTypeScriptVerServicePackPlatformIdBuildNoMinorVerMaxMinorVerMajorVerSupportOSSuppressWrongOSSuppressReboot dotnetredistSp2.exelangpack.exeMicrosoft(R) .NET FrameworkJ#CmdLine/jscmd:\"""/q:a /C:\"J#Version/jsharpver:DotNetLangPacks /langs: /coreui:DotNetLangPackCmd /langcmd:"/c:\"\" /q:a" DotNetFxCmd" /c:" /ver: /q:a /l%d /q:a /c:"install /q"vjredist.exeDotNetCoreSetupUILang1033dotnetredist.exedotnetfx.exeInstallerLocationSoftware\Microsoft\Windows\CurrentVersion\Installer1.01.1J#OptionalJ#InstallOptionIfSilentISSCHEDULEREBOOT=1 ISSCHEDULEREBOOT=1ISScript8.MsiRunAsLaunchingUser?h
Source: setup.exe, 00000007.00000002.5011530816.0000000000A20000.00000002.00000001.sdmp, IDriver.exe, 00000008.00000002.5019903942.0000000000B60000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.5031662643.00000000034F0000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: IDriver.exe, 00000008.00000002.5018359594.0000000000482000.00000008.00020000.sdmp; Binary or memory string: ISGlobalOpTypesTableISLOG_VERSION_INFOOPTYPE_PROGMANISLOGDB_USER_PROPERTIES
Note: this signature matches on strings only. Progman and Shell_TrayWnd are the window class names of the desktop and taskbar, and the OPTYPE_PROGMAN* strings sit inside an InstallShield operation-type table (ISGlobalOpTypesTable, last row above); none of the code-function evidence in this report shows a FindWindow/OpenProcess/WriteProcessMemory chain against those windows.

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\download\setup.exe; Code function: GetLocaleInfoA,TranslateCharsetInfo,7_2_0041265D
Source: C:\Users\user\Desktop\download\setup.exe; Code function: GetLocaleInfoA,7_2_004126BA
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: SendMessageA,SendMessageA,GetObjectA,GetLocaleInfoA,TranslateCharsetInfo,CreateFontIndirectA,DeleteObject,GetDlgItem,SendMessageA,8_2_00454581
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe; Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_00417D6C GetSystemTime,SystemTimeToFileTime,SystemTimeToFileTime,SystemTimeToFileTime,8_2_00417D6C
Contains functionality to query windows version
Source: C:\Users\user\Desktop\download\setup.exe; Code function: 7_2_0041890C EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,7_2_0041890C

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0044E0F1 lstrcpyA,RpcServerUseProtseqEpA,SetEvent,RpcServerRegisterIf,SetEvent,RpcServerListen,SetEvent,8_2_0044E0F1
Source: C:\Program Files (x86)\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe; Code function: 8_2_0044E7FB __EH_prolog,CoInitialize,RpcMgmtStopServerListening,RpcServerUnregisterIf,CoUninitialize,8_2_0044E7FB
Note: whether this is a network listener depends on the protocol sequence string passed to RpcServerUseProtseqEpA (ncalrpc registers a local-only endpoint; ncacn_ip_tcp or ncacn_np a network-reachable one). The report does not record that argument, so confirm it from the binary's strings or under a debugger before treating the RPC server as a backdoor; the second routine stops the listener and unregisters the interface again.

Malware Configuration

No configs have been found

Behavior Graph

[The behaviour graph is an image in the original; the information recoverable from its labels follows.]
Behavior Graph ID: 201044; URL: http://citadoncw.citadon.co...; Startdate: 15/01/2020; Architecture: WINDOWS; Score: 10
  • Processes started: IDriver.exe, cmd.exe, setup.exe, msiexec.exe
  • IDriver.exe dropped C:\Users\user\AppData\Local\...\_ISUSER.DLL (PE32), C:\Users\user\AppData\Local\...\_ISRES.DLL (PE32), C:\Users\user\AppData\Local\Temp\...\ISRT.DLL (PE32) and 2 other files (none is malicious)
  • cmd.exe started wget.exe and conhost.exe
  • wget.exe connected to citadoncw.citadon.com (64.41.150.60, 49743, 80; CENTURYLINK-LEGACY-SAVVIS-CenturyLinkCommunicationsLLC, United States) and dropped C:\Users\user\Desktop\download\setup.exe (PE32)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\IGdi.dll | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\IGdi.dll | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\ISRT.DLL | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\ISRT.DLL | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\_ISRES.DLL | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\{9AD8EC0B-F59F-4F63-AD05-3DE87B248F99}\_ISRES.DLL | 0% | Metadefender
C:\Users\user\Desktop\download\setup.exe | 0% | Virustotal
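A 0% ratio from multi-scanner services on a setup.exe that the cookbook fetched over plain HTTP says nothing about who published the file. The first manual check a practitioner adds to such a report is whether the installer carries an embedded Authenticode signature at all, and what its SHA-256 is for pivoting. The block below is an added example, not part of this report nor of Joe Sandbox or the Citadon installer: it locates the IMAGE_DIRECTORY_ENTRY_SECURITY entry of the PE optional header and the WIN_CERTIFICATE header it points to, in pure Python. `build_fake_pe` is a constructed minimal PE32 image used only to exercise the parser; it is not the analysed sample. Finding a PKCS#7 blob is not validation: the certificate chain, timestamp and Authenticode hash still have to be verified (signtool verify /pa, or Get-AuthenticodeSignature in PowerShell), and the Authenticode hash excludes the checksum field and the security directory itself, so the plain SHA-256 computed here is only for lookups.

```python
"""Locate the Authenticode certificate table in a PE file and hash the file."""
import hashlib
import struct

SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # bCertificate holds a PKCS#7 SignedData


def security_directory(data):
    """Return (file_offset, size) of the certificate table, or (0, 0) if the image has none."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20               # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                    # PE32
        rva_count_off, dd_base = opt + 92, opt + 96
    elif magic == 0x20B:                  # PE32+
        rva_count_off, dd_base = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dd_base + 8 * SECURITY_DIR_INDEX
    if rva_count_off + 4 > len(data) or entry + 8 > len(data):
        return (0, 0)
    if struct.unpack_from("<I", data, rva_count_off)[0] <= SECURITY_DIR_INDEX:
        return (0, 0)
    # Unlike every other data directory, this entry is a raw file offset, not an RVA:
    # the certificate table lives outside the sections, appended at the end of the file.
    return struct.unpack_from("<II", data, entry)


def authenticode_blob(data):
    """Describe the WIN_CERTIFICATE header at the security directory, or None if unsigned."""
    off, size = security_directory(data)
    if off == 0 or size < 8 or off + size > len(data):
        return None                       # absent, or points outside the file (corrupt/tampered)
    length, revision, ctype = struct.unpack_from("<IHH", data, off)
    return {
        "offset": off,
        "length": length,
        "revision": revision,
        "type": ctype,
        "pkcs7": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "truncated": length > size,       # header claims more bytes than the directory covers
    }


def sha256_hex(data):
    """Plain file hash for VirusTotal/Metadefender lookups; not the Authenticode hash."""
    return hashlib.sha256(data).hexdigest()


def triage(data):
    """The record worth logging for a downloaded installer before trusting a clean verdict."""
    blob = authenticode_blob(data)
    return {"sha256": sha256_hex(data), "signed": blob is not None, "blob": blob}


def build_fake_pe(with_signature):
    """Constructed minimal PE32 image (not a real installer) used only to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    head = bytes(dos) + b"PE\0\0" + coff
    body = b"\0" * 64                                              # stand-in for section data
    if not with_signature:
        return head + bytes(opt) + body
    blob = b"\x30\x82\x00\x00"                                     # placeholder DER prefix, not a real PKCS#7
    cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    cert_off = len(head) + len(opt) + len(body)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    return head + bytes(opt) + body + cert


if __name__ == "__main__":
    for signed in (False, True):
        print(triage(build_fake_pe(signed)))
```

Run `triage(open(path, "rb").read())` on the downloaded setup.exe; a `signed: False` result on a vendor installer is the cue to stop and ask where the file really came from, and a `truncated: True` result means the certificate table has been cut or the directory entry tampered with. A `signed: True` result only earns the file a trip through a real signature verifier.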

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
citadoncw.citadon.com | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exeyR | 0% | Avira URL Cloud | safe
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exevR | 0% | Avira URL Cloud | safe
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.execR | 0% | Avira URL Cloud | safe
https://%hx.rra0 | 0% | Avira URL Cloud | safe
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exeaR | 0% | Avira URL Cloud | safe
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exepR | 0% | Avira URL Cloud | safe
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe | 0% | Virustotal |
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exe | 0% | Avira URL Cloud | safe
http://citadoncw.citadon.com/support/CitadonCW/downloads/8.1.7/setup.exenited | 0% | Avira URL Cloud | safe
http://www.citadon.com | 0% | Virustotal |
http://www.citadon.com | 0% | Avira URL Cloud | safe
http://www.citadon.com/support/CitadonCW/index.html | 0% | Avira URL Cloud | safe
Note: the suffixed variants of the sample URL (setup.exeyR, setup.exevR, setup.execR, setup.exeaR, setup.exepR, setup.exenited) are string-extraction run-ons from memory dumps, where the URL was followed by unrelated bytes, not distinct URLs.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
