Analysis Report CID_x64.msi

ID:	324348
Product:	CloudBasic
Start time:	12:21:44
Start date:	29.11.2020
Sample:	CID_x64.msi
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	8c6536b9cb8544f82f24010596e59eeb
SHA1:	5a550a562ca964a8d29bdf0256f08276d9f65d6e
SHA256:	4faf7350538d1c24997871634ecc9b99b51ad69341af0710f6eeeb2796ec2529
Filetype:	Microsoft Windows Installer (77509/1) 90.64%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\CFG58EA.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	3C3D11B78E4C077C083F0B6B527D146E	C210C08BB3BDA4D775AA4F23BD177DBEF0BC1378	55DB6CC3FCF27F20362198F28B652889F7808FFA206E2140D3F3AB3ECE879EB9
C:\Users\user\AppData\Local\Temp\CFG660A.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	3C3D11B78E4C077C083F0B6B527D146E	C210C08BB3BDA4D775AA4F23BD177DBEF0BC1378	55DB6CC3FCF27F20362198F28B652889F7808FFA206E2140D3F3AB3ECE879EB9
C:\Users\user\AppData\Local\Temp\MSI5735.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0A2626FC9E4E0CA18386C029E9EFFFD9	AC5576497AFAC2456F485CDB14BF52D895769651	97A55524E0BF06419143B1B71778C0EC867716079AB477E8404A0F3125DA7DC3
C:\Users\user\AppData\Local\Temp\MSI58FB.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0A2626FC9E4E0CA18386C029E9EFFFD9	AC5576497AFAC2456F485CDB14BF52D895769651	97A55524E0BF06419143B1B71778C0EC867716079AB477E8404A0F3125DA7DC3

Spreading:

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:			Jump to behavior

Networking:

Urls found in memory or binary data

Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globals
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000000.00000002.469784631.0000023764110000.00000004.00000001.sdmp, CID_x64.msi	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/g
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: CID_x64.msi	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3oc
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: CID_x64.msi	String found in binary or memory: https://www.globalsign.com/repository/0
Source: msiexec.exe, 00000000.00000002.469784631.0000023764110000.00000004.00000001.sdmp, CID_x64.msi	String found in binary or memory: https://www.globalsign.com/repository/06

System Summary:

Sample file is different than original file name gathered from version info

Source: CID_x64.msi

Binary or memory string: OriginalFilenameDPCA.DLL^ vs CID_x64.msi

Tries to load missing DLLs

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll			Jump to behavior

Classification label

Source: classification engine

Classification label: clean3.winMSI@3/4@0/0

Creates temporary files

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI5735.tmp

Jump to behavior

Reads software policies

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

SQL strings found in memory and binary data

Source: msiexec.exe, 00000000.00000002.470111091.0000023764710000.00000002.00000001.sdmp

Binary or memory string: SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'Software\Microsoft\NET Framework Setup\NDP\v3.%lu%sSOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5Software\Microsoft\NET Framework Setup\NDPSELECT * FROM `%s`Custom action not implemented.ToggleNearestAppRoot.kernel32IsWow64ProcessProcess call was successful.The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.The error indicates that this version of ASP.NET must first be registered on the machine.Unknown Error.The call to aspnet_regiis.exe was failed. Path: '%s'Process Call Result Code: '%ld'Process Exit Code: '%ld'.Create Process failed.Running process '%s' with parameters '%s' silently...Access denied.CoInitializeEx - COM initialization Free Threaded.FAILED:%ldCoInitializeEx - COM initialization Apartment Threaded...Attach Debugger To MeVSCADEBUGATTACHSetTARGETSITETargetVersion%s\v%d\%sGatherWebSitesGatherAppPoolsSetTARGETAPPPOOLTARGETIISPATHRoot//LM/TARGETVDIRTARGETSITESetTARGETIISPATHaspnet_regiis.exeRESULTPath = PathUsing 64 bit registry key...Reading registry value Path from key 'HKLM\%s'...Software\Microsoft\ASP.NET\%sProductNameRunning show message with fUseMessageBox = %sFALSETRUEVSDINVALIDURLMSGHideFatalErrorFormopenExecuting URL '%s' with source directory '%s'...SourceDirRESULT:Condition is false.RESULT:Condition is true. Nothing more to do.Evaluating condition '%s'...Getting the condition to evaluate...A launch condition has already fired. My work is done here.Checking a launch condition..."/><supportedRuntime version=";VSDFxConfigFile

Sample is a Windows installer

Source: CID_x64.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%

Spawns processes

Source: unknown	Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\CID_x64.msi'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7C2160B8C719111621BBF907BA5D9B1C C
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 67B6CF52D8EDBBB744EA0BA0249B0181

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

PE / OLE file has a valid certificate

Source: CID_x64.msi

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: CID_x64.msi

Static file information: File size 2429952 > 1048576

Binary contains paths to debug symbols

Source:	Binary string: DPCA.pdb source: msiexec.exe, 00000000.00000002.470111091.0000023764710000.00000002.00000001.sdmp, CID_x64.msi
Source:	Binary string: DPCA.pdb<0 source: msiexec.exe, 00000000.00000002.470111091.0000023764710000.00000002.00000001.sdmp, CID_x64.msi

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI5735.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI58FB.tmp			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\msiexec.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\msiexec.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI58FB.tmp

Jump to dropped file

Checks the free space of harddrives

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\System32\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior