
Analysis Report webexapp.msi

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218162
Start date: 26.03.2020
Start time: 10:55:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: webexapp.msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winMSI@4/5@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .msi
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 1 | 0 - 100 | | false | clean

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 3 | 0 - 5 | true |


Classification Spiderchart

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

The number in parentheses after a technique is the count of matching signatures for that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media (1) | Graphical User Interface (2) | Winlogon Helper DLL | Process Injection (2) | Masquerading (1) | Credential Dumping | Process Discovery (2) | Replication Through Removable Media (1) | Data from Local System | Data Compressed | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection (2) | Network Sniffing | Peripheral Device Discovery (11) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | DLL Side-Loading (1) | Input Capture | Security Software Discovery (1) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information | Credentials in Files | File and Directory Discovery (1) | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading | Account Manipulation | System Information Discovery (13) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Signature Overview



Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

Networking:

URLs found in memory or binary data
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.c
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp, webexapp.msi | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssur(I
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp, webexapp.msi | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp, webexapp.msi | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.c
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.cD
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://ocsp.digicert.com0A
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp, webexapp.msi | String found in binary or memory: http://ocsp.digicert.com0C
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://ocsp.digicert.com0O
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://ocsp.thawte.com0
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp | String found in binary or memory: http://s1.symcb.co-
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp, webexapp.msi | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://s2.symcb.com0
Source: msiexec.exe, 00000000.00000003.748303642.000002A6E900F000.00000004.00000001.sdmp | String found in binary or memory: http://support.webex.com
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp | String found in binary or memory: http://support.webex.com/
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp, webexapp.msi | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://sv.symcd.com0&
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: msiexec.exe, 00000000.00000003.752939277.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752684735.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752601105.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752752340.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752415273.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752328497.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752800249.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752562223.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752850366.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.751840106.000002A6E9070000.00000004.00000001.sdmp | String found in binary or memory: http://www.Webex.com/terms-of-service.html)
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.751477891.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752893189.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.753032945.000002A6E9049000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://www.cisco.com/web/siteassets/legal/privacy.html
Source: msiexec.exe, 00000000.00000003.752939277.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752684735.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752506842.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752021413.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752601105.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752752340.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752257322.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752415273.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752328497.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752800249.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752562223.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752850366.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.751840106.000002A6E9070000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://www.cisco.com/web/siteassets/legal/privacy.html)
Source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://www.symauth.com/cps0(
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://www.symauth.com/rpa00
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://www.webex.com
Source: msiexec.exe, 00000000.00000003.748210660.000002A6E900A000.00000004.00000001.sdmp | String found in binary or memory: http://www.webex.com/
Source: msiexec.exe, 00000000.00000003.749130079.000002A6E9004000.00000004.00000001.sdmp | String found in binary or memory: http://www.webex.com/X
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.747774915.000002A6E904E000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://www.webex.com/legal/license.html
Source: msiexec.exe, 00000000.00000003.751477891.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752893189.000002A6E9070000.00000004.00000001.sdmp | String found in binary or memory: http://www.webex.com/terms-of-service.html
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752506842.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752021413.000002A6E9070000.00000004.00000001.sdmp, msiexec.exe, 00000000.00000003.752257322.000002A6E9070000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: http://www.webex.com/terms-of-service.html)
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp | String found in binary or memory: http://www.webex.com/zif
Source: msiexec.exe, 00000000.00000003.748210660.000002A6E900A000.00000004.00000001.sdmp | String found in binary or memory: http://www.webex.comR
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: https://d.symcb.com/cps0%
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp, webexapp.msi | String found in binary or memory: https://d.symcb.com/rpa0
Source: msiexec.exe, 00000000.00000002.1172134148.000002A6E900B000.00000004.00000020.sdmp, webexapp.msi | String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Sample file is different than original file name gathered from version info
Source: webexapp.msi | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs webexapp.msi
Source: webexapp.msi | Binary or memory string: OriginalFilenameISRegSvr.dll vs webexapp.msi
Source: webexapp.msi | Binary or memory string: ionInfoCurrentVersionCurrentVersionUpdateHistoryUpdateHistoryVersionbuildnumber%Y/%m/%d %H:%M:%SModifityTimePT.xmlPT/VersionInfo/CurrentVersion<sessionTicket><sessionTicket></sessionTicket>CCommItem::IsWrongRequest: This XML Request SK is NULL!user.phpipphone.php&PWPW=\CCommItem::IsWrongRequest: This Request have param PWPW!SK=SK=\CCommItem::IsWrongRequest: This Request SK is NULL!%u.%u.%u.%u%04d-%02d-%02d %02d:%02d:%02dZPTDebugModeen_USENzh_TWB5da_DKDAde_DEDEes_MXESfr_FRFRzh_CNGBit_ITITja_JPJPko_KRKOnl_NLNLpt_PTPTru_RURUsv_SESVes_ESSPtr_TRTRen_US%sSOFTWARE\Policies\CiscoWebexENB5DADEESFRGBITJPKONLPTRUSPSVTRPTUILanguageSOFTWARE\WebEx\ProdToolsFEATURE_WEBEX_MEETINGS_DESKTOP_LANGUAGELanguage{%s%s%s%s%s%s%s%s-%s%s%s%s-%s%s%s%s-%s%s%s%s-%s%s%s%s%s%s%s%s%s%s%s%s}D246995CF3A71534DA5CB21A176B54E11A705790D0FBFFE4DBC7B0F099009CD901B86E973310E6B41B32D3838B0D7F54B65785237423439438E10A099BA54F48Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msitypePathwebexAppLauncher.exe%s\%sptoneclk.exeptSrv.exeSoftware\Microsoft\Windows\CurrentVersion\Uninstall\ProductivityToolsWebexApplicationsvector<T> too long...\\\\\StringFileInfo\040904b0\OriginalFilename%d.%d.%d.%d%d.%d.%d.%d%d.%d.%d.%dUnloadUserProfileLoadUserProfileWImpersonateLoggedOnUserRevertToSelfKernel32.dllexplorerCPTCallProcess::GetCurrentLogonUserToken: LoadSystemLibrary Kernel32.dll FAILED! vs webexapp.msi
Source: webexapp.msi | Binary or memory string: OriginalFilenamePTMsi.DLL: vs webexapp.msi
Source: webexapp.msi | Binary or memory string: OriginalFilenameSetAllUsers.dll< vs webexapp.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Classification label
Source: classification engine | Classification label: clean1.winMSI@4/5@0/0
Creates files inside the user directory
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Webex
Creates temporary files
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI62C.tmp
Reads ini files
Source: C:\Windows\System32\msiexec.exe | File read: C:\Windows\win.ini
Reads software policies
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is a Windows installer
Source: webexapp.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 36.90%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\webexapp.msi'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDD8DA82777A8F6C73DD1BB1C5A46116 C
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F60381F36D86BBFD29E4A364C866AD08
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 100C22EB6B54636D91C0363382727596 E Global\MSI0000
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Found GUI installer (many successful clicks)
Source: C:\Windows\System32\msiexec.exe | Automated click: Next >
Source: C:\Windows\System32\msiexec.exe | Automated click: I accept the terms in the license agreement
Source: C:\Windows\System32\msiexec.exe | Automated click: Next >
Source: C:\Windows\System32\msiexec.exe | Automated click: Install
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: webexapp.msi | Static file information: File size 75085824 > 1048576
Binary contains paths to debug symbols
Source: Binary string: O:\webex-productivitytools\output\maps\release\pt\PTMsi.pdb source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi
Source: Binary string: O:\webex-msi\output\libs\release\webexmsi.pdb# source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi
Source: Binary string: O:\webex-msi\output\libs\release\webexmsi.pdb source: msiexec.exe, 00000000.00000002.1183082412.000002A6F048F000.00000002.00000001.sdmp, webexapp.msi

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI62C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI821.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI9AA.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI851.tmp

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of hard drives
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: msiexec.exe, 00000000.00000002.1171350979.000000D1D2C6E000.00000004.00000001.sdmp | Binary or memory string: <C:\Program Files (x86)\Webex\Webex\Meetings\VMWareServer.dll(
Source: webexapp.msi | Binary or memory string: webexmsi.dllAfterInstalledAfterInstalledProAfterInstalledSMTBeforeInstallBeforeInstallSMTCASLSearchCheckAARACheckVMwareOrCitrixCheckWebexVDIRunningInstallVDIPluginFinalizeInstallVDIPluginFinalizeProIsAARAExistsIsWow64UninstallingUninstallingProUninstallingSMT
Source: msiexec.exe, 00000000.00000002.1174714522.000002A6EB6AF000.00000004.00000001.sdmp | Binary or memory string: VMWareServer.dll
Source: msiexec.exe, 00000004.00000002.1217276914.0000000003910000.00000002.00000001.sdmp | Binary or memory string: Error 1310.Error writing to file: C:\Program Files (x86)\Webex\Webex\Meetings\VMWareServer.dll. Verify that you have access to that directory.oes here><error text goes here><error text goes here><error text goes here><error text goes here>
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp | Binary or memory string: <C:\Program Files (x86)\Webex\Webex\Meetings\VMWareServer.dll
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp | Binary or memory string: Error 1310.Error writing to file: C:\Program Files (x86)\Webex\Webex\Meetings\VMWareServer.dll. Verify that you have access to that directory.
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp | Binary or memory string: VMWARE~1.DLL|VMWareServer.dll
Source: msiexec.exe, 00000000.00000003.748210660.000002A6E900A000.00000004.00000001.sdmp | Binary or memory string: VMWARE~1.DLL|VMWareServer.dllN
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp | Binary or memory string: @<C:\Program Files (x86)\Webex\Webex\Meetings\VMWareServer.dll
Source: webexapp.msi | Binary or memory string: vmwareserver.dll
Source: msiexec.exe, 00000000.00000002.1174429953.000002A6EB600000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\Webex\Webex\Meetings\VMWareServer.dll
Source: webexapp.msi | Binary or memory string: CheckVMwareOrCitrix
Source: webexapp.msi | Binary or memory string: vmwareserver.dll
Source: webexapp.msi | Binary or memory string: ;SERVICETYPE;INSTALLDIRWEBEXDIRUninstalling;SERVICETYPE;INSTALLDIR;WEBEXDIR;REMOVE;ProductVersion;SHAREDRESTORED;REMOVEDFOLDERS;KEEPOLDTEMPFILE;TEMPSHAREDFILE;WBXPRINTERREMOVECURRENTUSERREGAfterInstalled;SERVICETYPE;INSTALLDIR;VDIPluginFolder;REMOVEInstallVDIPluginFinalizeCustomActionDataCustomActionDataCustomActionDataInstalledREMOVEREMOVEALL15ALLWebex\;10SHAREDRESTORED11Software\Webex\Uninstall\MSI\MCRemoveCurrentUserReg1kernel32IsWow64Processwbxreport.exewebexmta.exeatinst.exewebex.execiscowebexstart.exeatmgr.exeAtAuthor.exeptinst.exeptoneclk.exeptSrv.exeptupdate.exeptOIEx.exeptOIEx64.exeptMeetingsHost.exeptWbxONI.exewebexAppLauncher.exeCiscoWebexImporting.exeCiscoWebexVideoService.exeCiscoWebexWebService.exeatmgr.exeClientUninstallEventCiscoWebexConverter.exeClientUninstallConverterEventatnthost.exeracfg.exeAgtMon.exeatagtctl.exeatauthor.exerapanel.exeraupdate.exeataskernel.exeatscmgr.exe1CASLDISCLAIMERSoftware\WebEx_WebACD\WebACDUpgradeToR2BackUpgradeToR2InstallFolderClientInstallPathSOFTWARE\Citrix\Install\ICA ClientSOFTWARE\VMware, Inc.\VMware VDMRequiredCitrixOrVMwarewebexvdi.exeWebexVDIRunningSoftware\WebEx\CASLCASLDISCLAIMEDSoftwareWebex\CASLSoftware\WebexSoftware\WebexSoftware\Webex /uatauthor.exeieatgpc.dll/install/uninstall /registerallwebex.exe /unregisterallwebex.exe /iCiscoWebExStart.exe /xCiscoWebExStart.exe/MSIVERSION= /SERVICE="SC" /INSTALLDIR=wbxinstall.exe -MSIInstallatagtctl.exe -MSIUninstallatagtctl.exeWbxDLInst.exeWebEx\Common FilesWebEx\Applicationswbxdlinst.log /log 
""\DllUnregisterServeratpdppta.dllatpdppta64.dllPDUninstallPPTPlugInwebexpd.ppawebex.ppawebexpd64.ppaSoftware\Webex\Uninstall\MSI\MC1RemoveCurrentUserRegWebexVDI_Installation.logWebexVDIatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib:.WBX\,Webex\.WBXWebex\Software\Webex\Uninstall\MSI\OldVersions,,KEEPOLDTEMPFILETEMPSHAREDFILEBKPatlTraceGeneralatlTraceCOMatlTraceQIatlTraceRegistraratlTraceRefcountatlTraceWindowingatlTraceControlsatlTraceHostingatlTraceDBClientatlTraceDBProvideratlTraceSnapinatlTraceNotImplatlTraceAllocationatlTraceExceptionatlTraceTimeatlTraceCacheatlTraceStencilatlTraceStringatlTraceMapatlTraceUtilatlTraceSecurityatlTraceSyncatlTraceISAPISMDBValForceRemoveNoRemoveDeleteAppIDCLSIDComponent CategoriesFileTypeInterfaceHardwareMimeSAMSECURITYSYSTEMSoftwareTypeLib:CiscoMeetingsCitrixPlugin.dllCiscoMeetingsCommon.dllciscomeetingslogger.dllInstallFolderCiscoMeetingsVirtualChannel.dllSOFTWARE\Citrix\Install\ICA ClientInstallFolderSOFTWARE\Citrix\Install\ICA Clientvector<T> too longinvalid string positionbad castbad locale nameios_base::badbit setio
Queries a list of all running processes
Source: C:\Windows\SysWOW64\msiexec.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: msiexec.exe, 00000000.00000002.1172472989.000002A6E9440000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.1210727135.0000000002DC0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.1214791241.00000000031F0000.00000002.00000001.sdmp, msiexec.exe, 00000004.00000002.1217276914.0000000003910000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000000.00000002.1172472989.000002A6E9440000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.1210727135.0000000002DC0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.1214791241.00000000031F0000.00000002.00000001.sdmp, msiexec.exe, 00000004.00000002.1217276914.0000000003910000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: msiexec.exe, 00000000.00000002.1172472989.000002A6E9440000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.1210727135.0000000002DC0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.1214791241.00000000031F0000.00000002.00000001.sdmp, msiexec.exe, 00000004.00000002.1217276914.0000000003910000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: msiexec.exe, 00000000.00000002.1172472989.000002A6E9440000.00000002.00000001.sdmp, msiexec.exe, 00000002.00000002.1210727135.0000000002DC0000.00000002.00000001.sdmp, msiexec.exe, 00000003.00000002.1214791241.00000000031F0000.00000002.00000001.sdmp, msiexec.exe, 00000004.00000002.1217276914.0000000003910000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Windows\System32\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Behavior Graph ID: 218162 | Sample: webexapp.msi | Start date: 26/03/2020 | Architecture: WINDOWS | Score: 1
Processes started from the sample: msiexec.exe (node 4, badge 10), msiexec.exe (node 7), msiexec.exe (node 9, badge 5), msiexec.exe (node 11)
Files dropped by msiexec.exe (node 4), all PE32:
  • C:\Users\user\AppData\Local\Temp\MSI9AA.tmp
  • C:\Users\user\AppData\Local\Temp\MSI851.tmp
  • C:\Users\user\AppData\Local\Temp\MSI821.tmp
  • C:\Users\user\AppData\Local\Temp\MSI62C.tmp

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
webexapp.msi | 0% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\MSI62C.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\MSI62C.tmp | 2% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSI821.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\MSI851.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\MSI9AA.tmp | 0% | Virustotal |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.webex.comR | 0% | Avira URL Cloud | safe
http://ocsp.digicert.cD | 0% | Avira URL Cloud | safe
http://s1.symcb.co- | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://ocsp.digicert.c | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection
C:\Users\user\AppData\Local\Temp\MSI62C.tmp | webexapp.msi | (not shown in the report) | malicious

Screenshots