
Analysis Report: Setup for Outlook 64-bit.exe

Overview

General Information

Sample Name: Setup for Outlook 64-bit.exe
Analysis ID: 289655
MD5: 05dd1edf75a1dda6521fd9be49c8da56
SHA1: 0521b59e23f75d9690c238e967df951ada35dbd9
SHA256: 13e31170058b48bf8c769c4d496c1031e57fb481dc1731fbde49816142decb66


Detection

Score: 4
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Checks for available system drives (often done to infect USB drives)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
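Two of the static checks above can be reproduced outside the sandbox before a sample is submitted: confirming that the file on disk is the one the report describes (the MD5/SHA1/SHA256 in General Information) and the "Sample file is different than original file name gathered from version info" check, which compares the OriginalFilename stored in the PE version resource with the name the file was saved under. The script below is an added example, not Joe Sandbox code and not part of the installer; the hash values are copied from this report, while the PE blob built by build_demo_pe_blob() is a constructed stand-in for a version resource, not the real sample. It assumes a single StringFileInfo block with a non-empty OriginalFilename value.

```python
"""Hash check and OriginalFilename-vs-on-disk-name check for a sample.
Added example (not Joe Sandbox code). The hashes are from the report header;
the PE blob used for the demo is constructed and is not the analysed file."""
import hashlib
from typing import Optional

# Copied from the report's General Information section.
REPORT_HASHES = {
    "md5": "05dd1edf75a1dda6521fd9be49c8da56",
    "sha1": "0521b59e23f75d9690c238e967df951ada35dbd9",
    "sha256": "13e31170058b48bf8c769c4d496c1031e57fb481dc1731fbde49816142decb66",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the raw file bytes as lower-case hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def matches_report(hashes: dict, expected: dict = REPORT_HASHES) -> bool:
    """True only if every hash listed in the report agrees with the local file."""
    return all(hashes.get(k, "").lower() == v.lower() for k, v in expected.items())


def original_filename(data: bytes) -> Optional[str]:
    """Pull OriginalFilename out of the VS_VERSION_INFO StringFileInfo block.

    Each String entry stores its key as a NUL-terminated UTF-16LE string, pads to
    a DWORD boundary, then stores the NUL-terminated UTF-16LE value. Scanning the
    raw bytes for the key is enough for this check and avoids walking the PE
    resource tree (assumption: one StringFileInfo block, non-empty value).
    """
    key = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    pos = data.find(key)
    if pos < 0:
        return None
    pos += len(key)
    while pos < len(data) and data[pos] == 0:      # skip alignment padding
        pos += 1
    end = pos
    while end + 1 < len(data) and (data[end] != 0 or data[end + 1] != 0):
        end += 2                                   # advance one UTF-16 code unit
    return data[pos:end].decode("utf-16-le", errors="replace")


def name_mismatch(on_disk_name: str, data: bytes) -> bool:
    """The report's 'sample file is different than original file name' check."""
    orig = original_filename(data)
    return orig is not None and orig.lower() != on_disk_name.lower()


def build_demo_pe_blob(original: str) -> bytes:
    """Constructed stand-in for a PE carrying a version resource (not the real sample)."""
    body = b"MZ" + b"\x00" * 62
    body += "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"
    body += "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-len(body) % 4)             # DWORD-align the value
    body += original.encode("utf-16-le") + b"\x00\x00"
    return body


def triage(on_disk_name: str, data: bytes) -> dict:
    """Everything an analyst wants before trusting a report for a local file."""
    hashes = file_hashes(data)
    return {
        "hashes": hashes,
        "matches_report": matches_report(hashes),
        "original_filename": original_filename(data),
        "name_mismatch": name_mismatch(on_disk_name, data),
    }


if __name__ == "__main__":
    demo = build_demo_pe_blob("Setup.exe")
    print(triage("Setup for Outlook 64-bit.exe", demo))
```

Run against the real file, triage() should report matches_report True and original_filename "Setup.exe" (the value the report found at offset 0x442000), so the name mismatch is expected for any InstallShield bootstrapper that was renamed for download and is not on its own evidence of tampering.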

Classification

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Startup

  • System is w10x64
  • Setup for Outlook 64-bit.exe (PID: 4728 cmdline: 'C:\Users\user\Desktop\Setup for Outlook 64-bit.exe' MD5: 05DD1EDF75A1DDA6521FD9BE49C8DA56)
    • msiexec.exe (PID: 4536 cmdline: MSIEXEC.EXE /i 'C:\Windows\Downloaded Installations\{B85E6883-74B4-456C-BF00-26789A5C429C}\Add Contacts (x64).msi' TRANSFORMS='C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\1033.MST' SETUPEXEDIR='C:\Users\user\Desktop' MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup
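The process chain above is the usual InstallShield bootstrapper pattern: the setup stub stages the MSI under C:\Windows\Downloaded Installations and launches msiexec.exe with a language transform (1033.MST) from a GUID-named directory in the user's Temp folder. When correlating such a chain with endpoint logs it helps to parse the command line into its parts rather than grep for substrings. The parser below is an added example, not Joe Sandbox code and not part of the installer; the command line it is run on is copied from the Startup section. Windows quotes arguments with double quotes, the report prints single quotes, so both are accepted; the path attributes it returns are properties for correlation (for instance with the Temp directory created by the bootstrapper in the signature details), not a verdict.

```python
"""Parse an msiexec.exe command line into package, switch and properties.
Added example (not Joe Sandbox code). REPORT_CMDLINE is copied from the
report's Startup section; everything else is generic parsing."""
import re
from typing import Dict, List

# Copied from the report's Startup section.
REPORT_CMDLINE = (
    "MSIEXEC.EXE /i 'C:\\Windows\\Downloaded Installations\\"
    "{B85E6883-74B4-456C-BF00-26789A5C429C}\\Add Contacts (x64).msi' "
    "TRANSFORMS='C:\\Users\\user\\AppData\\Local\\Temp\\"
    "{F11734F0-B035-4B5A-84F0-0B8BF208258B}\\1033.MST' "
    "SETUPEXEDIR='C:\\Users\\user\\Desktop'"
)

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PACKAGE_SWITCHES = {"/i", "/x", "/a", "/f", "/p", "/j"}   # switches followed by a package path


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace outside quotes; a quote pair delimits (and is removed
    from) a token. Backslashes are literal, unlike shlex's POSIX rules, because
    these are Windows paths."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in ("'", '"'):
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_msiexec(cmdline: str) -> Dict:
    """Image, action switch, package path, PROPERTY=value pairs and GUIDs seen."""
    tokens = tokenize(cmdline)
    result = {
        "image": tokens[0] if tokens else "",
        "length": len(cmdline),          # the report flags very long command lines
        "switch": None,
        "package": None,
        "properties": {},
        "guids": GUID_RE.findall(cmdline),
    }
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        low = tok.lower()
        if low in PACKAGE_SWITCHES and i + 1 < len(tokens):
            result["switch"], result["package"] = low, tokens[i + 1]
            i += 2
            continue
        if "=" in tok and not tok.startswith("/"):
            name, value = tok.split("=", 1)
            result["properties"][name.upper()] = value   # MSI property names are case-sensitive upper-case
        i += 1
    return result


def path_attributes(parsed: Dict) -> Dict[str, bool]:
    """Where the package and transform live, for correlation with file events."""
    pkg = (parsed.get("package") or "").lower()
    mst = parsed["properties"].get("TRANSFORMS", "").lower()
    return {
        "msi_in_downloaded_installations": "\\downloaded installations\\" in pkg,
        "mst_in_user_temp": "\\appdata\\local\\temp\\" in mst,
        "setupexedir_set": "SETUPEXEDIR" in parsed["properties"],
    }


if __name__ == "__main__":
    parsed = parse_msiexec(REPORT_CMDLINE)
    print(parsed)
    print(path_attributes(parsed))
```

The GUID list is what ties the chain together: the first GUID names the Downloaded Installations subfolder holding the MSI, the second the Temp directory that the signature details show Setup for Outlook 64-bit.exe creating and writing Setup.INI into.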

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: C:\Windows\SysWOW64\msiexec.exe -> File opened (one open per drive letter, in the order recorded): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00412420 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose,0_2_00412420
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041F6CB CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,0_2_0041F6CB
Source: msiexec.exe, 00000001.00000002.222754212.000000000089C000.00000004.00000001.sdmp -> String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Add Contacts (x64).msi.0.dr -> String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: Add Contacts (x64).msi.0.dr -> String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: msiexec.exe, 00000001.00000002.222754212.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://ocsp.thawte.com0
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://sf.symcd.com0&
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Add Contacts (x64).msi.0.dr -> String found in binary or memory: http://www.macrovision.com0
Source: msiexec.exe, 00000001.00000002.222802066.00000000008FA000.00000004.00000001.sdmp, msiexec.exe, 00000001.00000003.200675606.0000000000867000.00000004.00000001.sdmp -> String found in binary or memory: http://www.mapilab.com
Source: msiexec.exe, 00000001.00000003.200862115.000000000086A000.00000004.00000001.sdmp -> String found in binary or memory: http://www.mapilab.com/download
Source: msiexec.exe, 00000001.00000003.200862115.000000000086A000.00000004.00000001.sdmp -> String found in binary or memory: http://www.mapilab.com/download3
Source: msiexec.exe, 00000001.00000003.200862115.000000000086A000.00000004.00000001.sdmp -> String found in binary or memory: http://www.mapilab.com/support
Source: msiexec.exe, 00000001.00000003.201654865.00000000008B7000.00000004.00000001.sdmp, Add Contacts (x64).msi.0.dr -> String found in binary or memory: http://www.mapilab.com/uninstall/ADC/?ver=
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: http://www.mapilab.com0
Source: msiexec.exe, 00000001.00000003.221984499.00000000008EF000.00000004.00000001.sdmp -> String found in binary or memory: http://www.mapilab.comQ0
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: https://d.symcb.com/cps0%
Source: msiexec.exe, 00000001.00000003.201707952.000000000089C000.00000004.00000001.sdmp, Setup for Outlook 64-bit.exe -> String found in binary or memory: https://d.symcb.com/rpa0
Source: msiexec.exe, 00000001.00000002.222754212.000000000089C000.00000004.00000001.sdmp -> String found in binary or memory: https://www.verisign.
Source: msiexec.exe, 00000001.00000002.222754212.000000000089C000.00000004.00000001.sdmp -> String found in binary or memory: https://www.verisign.ts
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041D954 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,0_2_0041D954
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> File created: C:\Windows\Downloaded Installations
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00425570
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0042E656
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0042872A
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00409A9B
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: String function: 00423E18 appears 201 times
Source: Setup for Outlook 64-bit.exe -> Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup for Outlook 64-bit.exe -> Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup for Outlook 64-bit.exe, 00000000.00000002.229253291.0000000000AF0000.00000002.00000001.sdmp -> Binary or memory string: OriginalFilenameuser32j% vs Setup for Outlook 64-bit.exe
Source: Setup for Outlook 64-bit.exe, 00000000.00000002.229327611.00000000023D0000.00000002.00000001.sdmp -> Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Setup for Outlook 64-bit.exe
Source: Setup for Outlook 64-bit.exe, 00000000.00000000.178561025.0000000000442000.00000002.00020000.sdmp -> Binary or memory string: OriginalFilenameSetup.exe vs Setup for Outlook 64-bit.exe
Source: Setup for Outlook 64-bit.exe, 00000000.00000002.229320080.00000000023C0000.00000002.00000001.sdmp -> Binary or memory string: OriginalFilenamenlsbres.dllj% vs Setup for Outlook 64-bit.exe
Source: Setup for Outlook 64-bit.exe -> Binary or memory string: OriginalFilenameSetup.exe vs Setup for Outlook 64-bit.exe
Source: C:\Windows\SysWOW64\msiexec.exe -> Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe -> Section loaded: tsappcmp.dll
Source: classification engine -> Classification label: clean4.winEXE@3/11@0/0
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041D954 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,0_2_0041D954
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041CFD1 LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary,0_2_0041CFD1
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0040A527 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_0040A527
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> File created: C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\
Source: Setup for Outlook 64-bit.exe -> Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> File read: C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\Setup.INI
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> File read: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe
Source: unknown -> Process created: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe 'C:\Users\user\Desktop\Setup for Outlook 64-bit.exe'
Source: unknown -> Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Windows\Downloaded Installations\{B85E6883-74B4-456C-BF00-26789A5C429C}\Add Contacts (x64).msi' TRANSFORMS='C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\1033.MST' SETUPEXEDIR='C:\Users\user\Desktop'
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Windows\Downloaded Installations\{B85E6883-74B4-456C-BF00-26789A5C429C}\Add Contacts (x64).msi' TRANSFORMS='C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\1033.MST' SETUPEXEDIR='C:\Users\user\Desktop'
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> File written: C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\Setup.INI
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Automated click: OK
Source: C:\Windows\SysWOW64\msiexec.exe -> Automated click: OK
Source: Window Recorder -> Window detected: More than 3 window changes detected
Source: Setup for Outlook 64-bit.exe -> Static PE information: certificate valid
Source: Setup for Outlook 64-bit.exe -> Static file information: File size 2973912 > 1048576
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00414683 __EH_prolog,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,0_2_00414683
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00424530 push eax; ret 0_2_0042455E
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00423E18 push eax; ret 0_2_00423E36
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041F4D1 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0041F4D1
Source: C:\Windows\SysWOW64\msiexec.exe -> Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe -> Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe -> File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00412420 __EH_prolog,GetTempPathA,FindFirstFileA,CompareFileTime,DeleteFileA,FindNextFileA,FindClose,0_2_00412420
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041F6CB CreateEventA,GetProcAddress,SearchPathA,GetModuleFileNameA,FindFirstFileA,VirtualProtect,VirtualQuery,VirtualProtect,VirtualProtect,FindClose,FindClose,0_2_0041F6CB
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041784E GetVersionExA,GetSystemInfo,0_2_0041784E
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041F6CB VirtualProtect 00000000,00000001,00408707,00408707 0_2_0041F6CB
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00414683 __EH_prolog,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,0_2_00414683
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00404085 CopyFileA,GetFileSize,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00404085
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00429EEA SetUnhandledExceptionFilter,0_2_00429EEA
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_00429EFC SetUnhandledExceptionFilter,0_2_00429EFC
Source: unknown -> Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Windows\Downloaded Installations\{B85E6883-74B4-456C-BF00-26789A5C429C}\Add Contacts (x64).msi' TRANSFORMS='C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\1033.MST' SETUPEXEDIR='C:\Users\user\Desktop'
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i 'C:\Windows\Downloaded Installations\{B85E6883-74B4-456C-BF00-26789A5C429C}\Add Contacts (x64).msi' TRANSFORMS='C:\Users\user\AppData\Local\Temp\{F11734F0-B035-4B5A-84F0-0B8BF208258B}\1033.MST' SETUPEXEDIR='C:\Users\user\Desktop'
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041DA29 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,0_2_0041DA29
Source: Setup for Outlook 64-bit.exe -> Binary or memory string: Shell_TrayWnd
Source: Setup for Outlook 64-bit.exe, 00000000.00000002.228827211.0000000000438000.00000008.00020000.sdmp -> Binary or memory string: %sSetupLogFileNameSoftware\InstallShield\ISWI\7.0\SetupExeLogShell_TrayWndArialCancel%x,ALLCANCELDescriptionMSlovenianBasquedefault%#04xTitle.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot dotnetredistSp3.exevjredist20-LP.exevjredist-LP.exelangpack20.exelangpack.exedotnetfxsp1.exe0Microsoft(R) .NET FrameworkJ#CmdLine/jscmd:\"""/q:a /c:\" /redistui:F /redistui:SJ#Version/jsharpver:DotNetLangPacks /langs: /coreui:DotNetLangPackCmd /langcmd:"/q:a /c:\"""DotNetFxCmd" /c:"/redistui:F/redistui:S /ver: /q:a /l%d /q:a /c:"install /q"vjredist20.exevjredist.exedotnetfx20.exeDotNetCoreSetupUILang1033dotnetredist.exedotnetfx.exeInstallerLocationSoftware\Microsoft\Windows\CurrentVersion\InstallerDotNetDelayRebootN3.03.0.0.02.0.0.0J#OptionalJ#InstallOptionIfSilentISSCHEDULEREBOOT=1 ISSCHEDULEREBOOT=1instmsi30.exeWindowsInstaller-KB893803-x86.exe*.mst%s /a "%s"%s%s /f%s "%s" %s%s /j%s "%s" %s%s /x "%s" %s/p"%s" %s%s /p "%s" %s%s /i "%s" %s%s %s%s="%s""="ISSCRIPTCMDLINE%s TRANSFORMS="%s"%s%s%s;%s%sTRANSFORMS=TRANSFORMS="%d\0001"%s" %s /l%d /t"%s" /e"%s" /v"%s" %s"%s" /k %s /l%d /t"%s" /e"%s" /w /v"%s" %s/c/f%s/j%s/x/p AFTERREBOOT=1Software\Microsoft\Windows\CurrentVersion\RunOnceSoftware\Microsoft\Windows\CurrentVersion\RunOnceEx\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries" /%SupportOSSupportOSMsi12SupportOSMsi30Msi.DLL/c:"msiinst /delayrebootq""%s" /c:"msiinst /delayrebootq"/quiet /norestart"%s" /quiet /norestart/q"%s" /q2.0.2600.0ScriptDriven/URL%s /g %s /g %s%s /g %s /g %s /s4.70.0.1300WinInet.dllMsiSummaryInfoGetPropertyAMsiCloseHandleMsiGetSummaryInformationAMsiOpenDatabaseASHGetFolderPathASHFolder.dll1033UseDotNetUI,.VersionSoftware\Microsoft\Active Setup\Installed Components\%s{1C370964-514B-321C-7237-2B4FD86D8
Source: Setup for Outlook 64-bit.exe -> Binary or memory string: %sSetupLogFileNameSoftware\InstallShield\ISWI\7.0\SetupExeLogShell_TrayWndArialCancel%x,ALLCANCELDescriptionMSlovenianBasquedefault%#04xTitle.iniNoSuppressRebootKeyDotNetOptionalInstallIfSilentDotNetOptionalSETUPEXEDIRCertKeyCacheFolderCacheRootLocationTypeSuppressWrongOSSuppressReboot dotnetredistSp3.exevjredist20-LP.exevjredist-LP.exelangpack20.exelangpack.exedotnetfxsp1.exe0Microsoft(R) .NET FrameworkJ#CmdLine/jscmd:\"""/q:a /c:\" /redistui:F /redistui:SJ#Version/jsharpver:DotNetLangPacks /langs: /coreui:DotNetLangPackCmd /langcmd:"/q:a /c:\"""DotNetFxCmd" /c:"/redistui:F/redistui:S /ver: /q:a /l%d /q:a /c:"install /q"vjredist20.exevjredist.exedotnetfx20.exeDotNetCoreSetupUILang1033dotnetredist.exedotnetfx.exeInstallerLocationSoftware\Microsoft\Windows\CurrentVersion\InstallerDotNetDelayRebootN3.03.0.0.02.0.0.0J#OptionalJ#InstallOptionIfSilentISSCHEDULEREBOOT=1 ISSCHEDULEREBOOT=1instmsi30.exeWindowsInstaller-KB893803-x86.exe*.mst%s /a "%s"%s%s /f%s "%s" %s%s /j%s "%s" %s%s /x "%s" %s/p"%s" %s%s /p "%s" %s%s /i "%s" %s%s %s%s="%s""="ISSCRIPTCMDLINE%s TRANSFORMS="%s"%s%s%s;%s%sTRANSFORMS=TRANSFORMS="%d\0001"%s" %s /l%d /t"%s" /e"%s" /v"%s" %s"%s" /k %s /l%d /t"%s" /e"%s" /w /v"%s" %s/c/f%s/j%s/x/p AFTERREBOOT=1Software\Microsoft\Windows\CurrentVersion\RunOnceSoftware\Microsoft\Windows\CurrentVersion\RunOnceEx\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries" /%SupportOSSupportOSMsi12SupportOSMsi30Msi.DLL/c:"msiinst /delayrebootq""%s" /c:"msiinst /delayrebootq"/quiet /norestart"%s" /quiet /norestart/q"%s" /q2.0.2600.0ScriptDriven/URL%s /g %s /g %s%s /g %s /g %s /s4.70.0.1300WinInet.dllMsiSummaryInfoGetPropertyAMsiCloseHandleMsiGetSummaryInformationAMsiOpenDatabaseASHGetFolderPathASHFolder.dll1033UseDotNetUI,.VersionSoftware\Microsoft\Active Setup\Installed Components\%s{1C370964-514B-321C-7237-2B4FD86D8568}{021122EA-49DC-4aeb-9D15-DCEAD9BAB1BC}{7E76A8D6-33D1-0032-16C3-4593092861D0}{E7E2C871-090A-C372-F9AE-C3C6A988D260}{F1B13231-13BE-1231-5401-486BA763DEB6}{6741C120-01BA-87F9-8734-5FB9DA8A4445}{F279058C-50B2-4BE4-60C9-369CACF06821}{78705f0d-e8db-4b2d-8193-982bdda15ecd}{9B29D757-088E-E8C9-2535-AA319B92C00A}SOFTWARE\Microsoft\NET Framework Setup\NDPvSPInstallSOFTWARE\Microsoft\Visual JSharp Setup\Redist%d%s.mst.mst"ISSetup.dll%*.*fI64%uPasswordTahoma %01d.%01d %s%s%d p
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: GetLocaleInfoA,TranslateCharsetInfo,0_2_0041DB4F
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: GetLocaleInfoA,0_2_0041DBAC
Source: C:\Windows\SysWOW64\msiexec.exe -> Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_004125A6 __EH_prolog,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetSystemTimeAsFileTime,0_2_004125A6
Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe -> Code function: 0_2_0041784E GetVersionExA,GetSystemInfo,0_2_0041784E
Source: C:\Windows\SysWOW64\msiexec.exe -> Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
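Signatures such as "Extensive use of GetProcAddress" and "Contains functionality which may be used to detect a debugger (GetProcessHeap)" rest on the "Code function" records above, each of which lists a function start address followed by the API calls found in that function. Turning those records into per-function call counts makes the evidence comparable between reports (how many functions resolve imports dynamically, and how heavily). The script below is an added example, not Joe Sandbox code; its sample records are copied from this report with only the source/detail separator normalised (the regex keys on "Code function:" and does not depend on that separator), and the threshold of five GetProcAddress calls per function is an assumption for the demo, not the sandbox's rule.

```python
"""Turn Joe Sandbox 'Code function' evidence lines into per-function API call
counts. Added example (not Joe Sandbox code). SAMPLE_LINES are copied from
this report; the threshold below is an assumption chosen for the demo."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe Code function: 0_2_00414683 __EH_prolog,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,0_2_00414683",
    r"Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe Code function: 0_2_0041CFD1 LoadLibraryA,GetProcAddress,lstrcpyA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,FreeLibrary,0_2_0041CFD1",
    r"Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe Code function: 0_2_00404085 CopyFileA,GetFileSize,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,ReadFile,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00404085",
    r"Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe Code function: 0_2_0041DA29 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,0_2_0041DA29",
    r"Source: C:\Users\user\Desktop\Setup for Outlook 64-bit.exe Code function: GetLocaleInfoA,TranslateCharsetInfo,0_2_0041DB4F",
    r"Source: C:\Windows\SysWOW64\msiexec.exe File opened: z:",   # not a code-function record
]

FUNC_RE = re.compile(r"Code function:\s*(.*)$")
ADDR_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")    # e.g. 0_2_00414683: <pid index>_<stage>_<address>


def parse_code_function(line: str) -> Optional[Tuple[Optional[str], List[str]]]:
    """Return (function_id, [api, ...]) for a code-function record, else None.

    The sandbox prints the function id before the call list and repeats it as
    the last comma-separated item; some records omit the leading copy, so the
    trailing copy is used as a fallback. CRT helpers such as __EH_prolog are
    kept because the report lists them as calls."""
    m = FUNC_RE.search(line)
    if not m:
        return None
    body = m.group(1).strip()
    head, _, rest = body.partition(" ")
    if ADDR_RE.match(head):
        func, calls = head, rest
    else:
        func, calls = None, body
    apis = [t.strip() for t in calls.split(",") if t.strip()]
    if apis and ADDR_RE.match(apis[-1]):
        trailer = apis.pop()
        func = func or trailer
    return func, apis


def api_counts(lines: Iterable[str]) -> Dict[str, Counter]:
    """Per-function Counter of API names across all code-function records."""
    out: Dict[str, Counter] = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue
        func, apis = parsed
        out.setdefault(func, Counter()).update(apis)
    return out


def total_by_api(counts: Dict[str, Counter]) -> Counter:
    """Sum of calls per API over every function (sample-wide view)."""
    total: Counter = Counter()
    for c in counts.values():
        total.update(c)
    return total


def functions_resolving_many(counts: Dict[str, Counter], api: str = "GetProcAddress",
                             threshold: int = 5) -> List[str]:
    """Functions that call `api` at least `threshold` times (threshold is an assumption)."""
    return sorted(f for f, c in counts.items() if c[api] >= threshold)


if __name__ == "__main__":
    counts = api_counts(SAMPLE_LINES)
    for func, c in counts.items():
        print(func, dict(c))
    print("sample-wide:", total_by_api(counts).most_common(5))
    print("heavy GetProcAddress users:", functions_resolving_many(counts))
```

On the full set of records in this report the same parser would also pick up 0_2_0041F4D1, the function that chains LoadLibraryA with a long run of GetProcAddress calls and is the main basis for the GetProcAddress signature; for an InstallShield stub that is expected (it resolves optional APIs such as SHGetFolderPathA and the MSI functions listed in the memory strings at run time).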

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media (1) | Command and Scripting Interpreter (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Replication Through Removable Media (1) | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
Default Accounts | Native API (1) | Application Shimming (1) | Process Injection (2) | Disable or Modify Tools (1) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading (1) | Access Token Manipulation (1) | Security Account Manager | Security Software Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Application Shimming (1) | Process Injection (2) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Peripheral Device Discovery (11) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | File and Directory Discovery (3) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | System Information Discovery (27) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | (none) | Data Encrypted for Impact

Numbers in parentheses are the count of matched signatures the sandbox mapped to that technique; cells without a number are the matrix's default entries and had no hits for this sample.

Behavior Graph

Behavior Graph ID: 289655. Sample: Setup for Outlook 64-bit.exe. Start date: 24/09/2020. Architecture: WINDOWS. Score: 4. Process chain as drawn: Setup for Outlook 64-bit.exe (started; node counter 26) -> msiexec.exe (started; node counter 3).
