Analysis Report LI180_win-1.5.1.exe

Overview

General Information

Sample Name: LI180_win-1.5.1.exe
Analysis ID: 358582
MD5: 77d64242fbd270b5363d383b51075783
SHA1: 4c23d1f71ff19b5c046d8b1d750104a386f184f9
SHA256: a48f199141b10a4d425fd128ac0bdfca75ec98741a3eacff11a67a3bbc4bde01

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

May use the Tor software to hide its network traffic
Sample is not signed and drops a device driver
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file contains strange resources
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to detect Joe Sandbox
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Compliance:

Uses 32bit PE files
Source: LI180_win-1.5.1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Creates license or readme file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf
Binary contains paths to debug symbols
Source: Binary string: gacutil.pdb, AH/@ source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source: Binary string: GameuxInstallHelper.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source: Binary string: gacutil.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SIUSBXP.pdb source: x64DPInst.exe, 0000000E.00000003.303322446.000000000058F000.00000004.00000001.sdmp, SIUSBXP.sys0.0.dr
Source: Binary string: gacutil.pdb(0 source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source: Binary string: DpInst.pdbH source: x64DPInst.exe.0.dr
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdb source: SIUSBXP.sys.0.dr
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\usbxpress\windows_2k_xp_s2k3_vista\objfre_w2k_x86\i386\SIUSBXP.pdbp source: SIUSBXP.sys.0.dr
Source: Binary string: c:\dev\development\librarypackages\usbxpress\drivers\silib\windows_98se_2k_xp_s2k3_vista\objfre_wnet_amd64\amd64\SiLib.pdb source: SETF07E.tmp.14.dr
Source: Binary string: DpInst.pdb source: x64DPInst.exe.0.dr
Source: Binary string: gacutlrc.pdb source: LI-180_Installer.exe, 00000001.00000000.235382509.0000000000909000.00000002.00020000.sdmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW, 0_2_00409263
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_0040C9F8 FindFirstFileW,FindClose, 1_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00424B48 FindFirstFileW,GetLastError, 1_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 1_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 1_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00424548 FindFirstFileW,FindClose, 1_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 1_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00424764 FindFirstFileW,FindClose, 1_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00794720 FindFirstFileW,FindClose, 1_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 1_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW, 1_2_00422390
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData
Source: Install Fonts EXE-PlugIn.dll.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: drvinst.exe, 00000010.00000003.308221075.0000026FF54F8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: drvinst.exe, 00000010.00000003.308221075.0000026FF54F8000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsof8
Source: Install Fonts EXE-PlugIn.dll.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: LI-180_Installer.exe, LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp String found in binary or memory: http://standards.iso.org/iso/19770/-2/2008/schema.xsd
Source: mdd_0.ttf.0.dr String found in binary or memory: http://www.ascendercorp.com/http://ascendercorp.com/eula10.html
Source: mdd_0.ttf.0.dr String found in binary or memory: http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlThis
Source: LI180_win-1.5.1.exe String found in binary or memory: http://www.installaware.com
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp String found in binary or memory: http://www.installaware.com/
Source: LI180_win-1.5.1.exe String found in binary or memory: http://www.installaware.comz
Source: LI-180_Installer.exe, 00000001.00000003.236989235.000000007F8D0000.00000004.00000001.sdmp String found in binary or memory: http://www.licor.com
Source: LICORlang.ini.0.dr String found in binary or memory: https://www.licor.com/

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\453607F8\E1510A13\siusbxp.cat
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File created: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\SETF04E.tmp
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SETF59D.tmp

System Summary:

Creates driver files
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
Creates files inside the driver directory
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Windows\Fonts\mdd_0.ttf
Deletes files inside the Windows folder
Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SETF59D.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415060 0_2_00415060
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040D0E1 0_2_0040D0E1
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00416135 0_2_00416135
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041A3D8 0_2_0041A3D8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415535 0_2_00415535
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040D67F 0_2_0040D67F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040F949 0_2_0040F949
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415909 0_2_00415909
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040CA77 0_2_0040CA77
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040CB18 0_2_0040CB18
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040CCB9 0_2_0040CCB9
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00415D15 0_2_00415D15
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040EE50 0_2_0040EE50
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00417B6C appears 36 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00408BFB appears 39 times
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: String function: 00416B21 appears 164 times
PE file contains strange resources
Source: LI180_win-1.5.1.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7z759F.tmp.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported 26 times, once per RT_ICON resource)
Source: 7z.dll.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported 26 times, once per RT_ICON resource)
Sample file is different than original file name gathered from version info
Source: LI180_win-1.5.1.exe, 00000000.00000002.348802076.0000000002350000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs LI180_win-1.5.1.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: LI180_win-1.5.1.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: classification engine Classification label: sus24.evad.winEXE@9/119@0/0
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00413849 GetVersion,CoCreateInstance, 0_2_00413849
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_004580E4 FindResourceW,LoadResource,SizeofResource,LockResource, 1_2_004580E4
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\III
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp
Source: Yara match File source: 00000001.00000000.234871327.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.340697583.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe, type: DROPPED
Source: Yara match File source: 1.2.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.LI-180_Installer.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: "-k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: "/k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: -k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: /k= 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: ;!@InstallEnd@! 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: BB 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: Title 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: Directory 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: RunProgram 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: ExecuteFile 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: setup.exe 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: %%T 0_2_00413F63
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Command line argument: %%T\ 0_2_00413F63
Source: LI180_win-1.5.1.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (reported 2 times)
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (reported 4 times)
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: LI-180_Installer.exe, 00000001.00000003.289541820.0000000000E49000.00000004.00000001.sdmp Binary or memory string: INSERT INTO `Property` ( `Property` , `Value` ) VALUES ( 'P6DBFE203_1' , 'C:\Program Files (x86)\LI-180 Spectrometer\skin' );^
Source: LI-180_Installer.exe String found in binary or memory: <!--StartFragment-->
Source: LI-180_Installer.exe String found in binary or memory: Start/Stop Count
Source: LI-180_Installer.exe String found in binary or memory: NATS-SEFI-ADD
Source: LI-180_Installer.exe String found in binary or memory: NATS-DANO-ADD
Source: LI-180_Installer.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: LI-180_Installer.exe String found in binary or memory: jp-ocr-b-add
Source: LI-180_Installer.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: LI-180_Installer.exe String found in binary or memory: jp-ocr-hand-add
Source: LI-180_Installer.exe String found in binary or memory: ISO_6937-2-add
Source: LI-180_Installer.exe String found in binary or memory: </InstallAware>
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File read: C:\Users\user\Desktop\LI180_win-1.5.1.exe
Source: unknown Process created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k=''
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BA9949B78EE4EB19368DAA67058A42BA
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'c:\progra~2\li-180~1\driver'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k=''
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F
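The process chain above is the part of this report worth reading most carefully: LI180_win-1.5.1.exe (a 7-Zip SFX stub, judging from the ;!@InstallEnd@!, RunProgram and ExecuteFile strings reported for it and the 7zS5C99.tmp extraction directory) unpacks LI-180_Installer.exe (InstallAware), which runs x64DPInst.exe and x86DPInst.exe from the user's temp directory with /SW /SE /EL /PATH ... /D /SA /LM /F, and Windows' own DrvInst.exe then stages siusbxp.inf from that same temp directory into the driver store. The following is an added example written for this page, not Joe Sandbox output: it parses those "Process created" records, rebuilds the parent-child chain, decodes the DPInst switches (/LM is legacy mode, which lets DPInst accept unsigned or incomplete driver packages; /SA hides the package from Add/Remove Programs; /F forces the install over a better-matching driver) and flags driver staging that originates from a user-writable path. REPORT_LINES are copied from the report; the rule names are this example's own, and /EL is deliberately reported as undecoded rather than guessed.

```python
"""Process-tree triage for the driver-install chain recorded in the report.
Added example, not Joe Sandbox code. REPORT_LINES are copied from the
report; the rule names and thresholds are this example's own choice."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the report: 'unknown'-source lines list every process,
# attributed lines give parent -> child.
REPORT_LINES = [
    r"Source: unknown Process created: C:\Users\user\Desktop\LI180_win-1.5.1.exe 'C:\Users\user\Desktop\LI180_win-1.5.1.exe'",
    r"Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k=''",
    r"Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BA9949B78EE4EB19368DAA67058A42BA",
    r"Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F",
    r"Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\siusbxp.inf' '9' '4ae43d7fb' '00000000000001A8' 'WinSta0\Default' '00000000000001AC' '208' 'c:\progra~2\li-180~1\driver'",
    r"Source: unknown Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F",
    r"Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe .\LI-180_Installer.exe /m='C:\Users\user~1\Desktop\LI180_~1.EXE' /k=''",
    r"Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x64DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F",
    r"Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Process created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR~1\mDIFxIDE.dll\x86DPInst.exe /SW /SE /EL /PATH C:\PROGRA~2\\LI-180~1\Driver\ /D /SA /LM /F",
]

# DPInst.exe switches per Microsoft's DPInst command-line reference; anything
# not listed here (e.g. /EL) is reported as undecoded instead of guessed.
DPINST_SWITCHES = {
    '/sw': 'suppress the install wizard',
    '/se': 'suppress the EULA dialog',
    '/sa': 'suppress the Add/Remove Programs entry',
    '/lm': 'legacy mode: accept unsigned driver packages and packages with missing files',
    '/f': 'force install even when the existing driver is a better match',
    '/d': 'delete driver binaries on uninstall',
    '/path': 'directory to search for driver packages',
    '/q': 'quiet mode (no UI)',
}
# Image path is everything up to the first '.exe'; the rest is the command line.
PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
INF_RE = re.compile(r"'([^']+\.inf)'", re.I)


@dataclass
class Proc:
    image: str
    cmdline: str
    parent: Optional[str] = None


def parse_processes(lines: List[str]) -> Dict[str, Proc]:
    """Key by image path; attributed lines fill in the parent of an already-seen process."""
    procs: Dict[str, Proc] = {}
    for line in lines:
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        proc = procs.setdefault(m['image'], Proc(m['image'], m['cmdline'] or ''))
        if m['parent'].lower() != 'unknown':
            proc.parent = m['parent']
    return procs


def decode_dpinst(cmdline: str) -> Dict[str, str]:
    """Map every /switch on a DPInst command line to its documented meaning."""
    return {t.lower(): DPINST_SWITCHES.get(t.lower(), 'switch not decoded in this example')
            for t in cmdline.split() if t.startswith('/')}


def ancestry(procs: Dict[str, Proc], image: str) -> List[str]:
    """Walk parent links from image to the root, guarding against cycles."""
    chain = [image]
    while True:
        node = procs.get(chain[-1])
        if node is None or node.parent is None or node.parent in chain:
            return chain
        chain.append(node.parent)


def triage(lines: List[str]) -> List[dict]:
    """Flag legacy/forced DPInst runs, DPInst launched from %TEMP%, and INFs staged from %TEMP%."""
    procs = parse_processes(lines)
    findings: List[dict] = []
    for image, proc in procs.items():
        base = image.rsplit('\\', 1)[-1].lower()
        if base.endswith('dpinst.exe'):
            switches = decode_dpinst(proc.cmdline)
            if '/lm' in switches or '/f' in switches:
                findings.append({'rule': 'dpinst-legacy-or-forced', 'image': image,
                                 'switches': switches, 'chain': ancestry(procs, image)})
            if TEMP_RE.search(image):
                findings.append({'rule': 'dpinst-run-from-user-temp', 'image': image,
                                 'chain': ancestry(procs, image)})
        elif base == 'drvinst.exe':
            for inf in INF_RE.findall(proc.cmdline):
                if TEMP_RE.search(inf):
                    findings.append({'rule': 'inf-staged-from-user-temp', 'image': image, 'inf': inf})
    return findings


if __name__ == '__main__':
    for f in triage(REPORT_LINES):
        print(f['rule'], '->', f.get('inf') or ' <- '.join(f['chain']))
```

On this report the rules fire five times: both DPInst binaries are run in legacy mode from the temp extraction directory, and DrvInst receives an INF from the same directory. That is what a legitimate vendor installer bundling Silicon Labs USBXpress drivers looks like too, so the findings are triage leads, not verdicts; the next step is to verify the signature on the staged .sys and .cat files rather than on the outer SFX.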
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File written: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\6C0AF2E8\BE4A257\LICORlang.ini
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Window found: window name: TButton Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Automated click: I accept the terms of the license agreement
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: LI180_win-1.5.1.exe Static file information: File size 10630347 > 1048576

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0041C3CC
PE file contains an invalid checksum
Source: 7z.dll.1.dr Static PE information: real checksum: 0x0 should be: 0xe8565
Source: LI180_win-1.5.1.exe Static PE information: real checksum: 0x4db7e should be:
Source: 7z759F.tmp.1.dr Static PE information: real checksum: 0x0 should be: 0xe8565
PE file contains sections with non-standard names
Source: 7z759F.tmp.1.dr Static PE information: section name: .sxdata
Source: 7z.dll.1.dr Static PE information: section name: .sxdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00416BF9 push ecx; ret 0_2_00416C0C
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00417BB1 push ecx; ret 0_2_00417BC4
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_0076889C push 00768B24h; ret 1_2_00768B1C
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_0076839C push 007686BAh; ret 1_2_007686B2
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_0045116C push ecx; mov dword ptr [esp], edx 1_2_00451171

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user~1\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
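Three of the PE-level signatures in this report ("Uses 32bit PE files", "PE file contains an invalid checksum" and "Sample is not signed and drops a device driver") can be re-checked offline without the sandbox. The following is an added example written for this page, not Joe Sandbox code: it reads the COFF machine field, recomputes the optional-header checksum with the algorithm CheckSumMappedFile uses and compares it with the stored value, and reports whether an Authenticode signature is embedded (a non-empty IMAGE_DIRECTORY_ENTRY_SECURITY). Two caveats the signature text does not state: a stored checksum of 0x0, as reported above for 7z.dll and 7z759F.tmp, means the linker never filled the field, which is normal for user-mode images and is not by itself evidence of tampering (only a non-zero mismatch is; the kernel loader does enforce the checksum for drivers); and the "not signed" verdict applies to the outer LI180_win-1.5.1.exe, while the dropped SIUSBXP.sys/SiLib.sys drivers ship with siusbxp.cat, so their signature status has to be checked separately against the catalog (signtool verify /kp, or Get-AuthenticodeSignature). build_sample_pe() is a constructed test image; on a real file call pe_triage(open(path, 'rb').read()).

```python
"""Offline check of the PE-level findings: machine type, optional-header
checksum (same algorithm as CheckSumMappedFile) and whether an Authenticode
signature is embedded. Works on PE32 and PE32+. Added example, not Joe
Sandbox code; build_sample_pe() is a constructed image for testing."""
import struct

IMAGE_NT_SIGNATURE = 0x00004550                       # 'PE\0\0'
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
CHECKSUM_OFFSET_IN_OPT = 64                           # same offset in PE32 and PE32+


def _nt_offset(data: bytes) -> int:
    if data[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if struct.unpack_from('<I', data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('no PE signature at e_lfanew')
    return e_lfanew


def pe_checksum(data: bytes) -> int:
    """Recompute OptionalHeader.CheckSum: one's-complement sum of every 32-bit
    word except the CheckSum field itself, folded to 16 bits, plus file length."""
    cs_off = _nt_offset(data) + 4 + 20 + CHECKSUM_OFFSET_IN_OPT
    if cs_off % 4:
        raise ValueError('NT headers are expected to be 4-byte aligned')
    buf = data + b'\0' * ((-len(data)) % 4)           # zero-pad a trailing partial word
    total = 0
    for off in range(0, len(buf), 4):
        if off == cs_off:
            continue
        total += struct.unpack_from('<I', buf, off)[0]
        if total > 0xFFFFFFFF:                        # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def with_checksum(data: bytes) -> bytes:
    """Return a copy carrying a correct CheckSum, as link.exe /RELEASE writes it."""
    buf = bytearray(data)
    struct.pack_into('<I', buf, _nt_offset(data) + 24 + CHECKSUM_OFFSET_IN_OPT, pe_checksum(data))
    return bytes(buf)


def pe_triage(data: bytes) -> dict:
    nt = _nt_offset(data)
    machine = struct.unpack_from('<H', data, nt + 4)[0]
    opt = nt + 24                                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError('unknown optional header magic %#x' % magic)
    stored = struct.unpack_from('<I', data, opt + CHECKSUM_OFFSET_IN_OPT)[0]
    computed = pe_checksum(data)
    dirs = opt + (96 if magic == PE32_MAGIC else 112)  # first IMAGE_DATA_DIRECTORY
    sec_off, sec_size = struct.unpack_from('<II', data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        'machine': {IMAGE_FILE_MACHINE_I386: '32-bit (I386)',
                    IMAGE_FILE_MACHINE_AMD64: '64-bit (AMD64)'}.get(machine, hex(machine)),
        'checksum_stored': stored,
        'checksum_computed': computed,
        # 0 = linker never filled the field (normal for user-mode images);
        # a non-zero mismatch means the file changed after linking.
        'checksum_state': 'unset' if stored == 0 else ('valid' if stored == computed else 'mismatch'),
        # The security directory holds a file offset (not an RVA) and size of the
        # WIN_CERTIFICATE blob. Presence is not validity: verify the chain with signtool.
        'embedded_signature': sec_off != 0 and sec_size != 0,
    }


def build_sample_pe(signed: bool = False) -> bytes:
    """Constructed minimal PE32 (headers plus one 0x200-byte .text section of RET
    instructions) for offline testing; CheckSum is left at 0 like the dropped 7z.dll."""
    dos = bytearray(b'MZ' + b'\0' * 62)
    struct.pack_into('<I', dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack('<HHIIIHH', IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, PE32_MAGIC)
    struct.pack_into('<I', opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x400000)         # ImageBase
    struct.pack_into('<II', opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into('<II', opt, 56, 0x2000, 0x200)   # SizeOfImage, SizeOfHeaders
    struct.pack_into('<H', opt, 68, 2)                # Subsystem: GUI
    struct.pack_into('<I', opt, 92, 16)               # NumberOfRvaAndSizes
    sect = b'.text\0\0\0' + struct.pack('<IIIIIIHHI', 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b'PE\0\0' + coff + bytes(opt) + sect
    image += b'\0' * (0x200 - len(image)) + b'\xC3' * 16 + b'\0' * (0x200 - 16)
    if signed:                                        # stub WIN_CERTIFICATE appended at end of file
        cert = struct.pack('<IHH', 8 + 16, 0x0200, 0x0002) + b'\0' * 16
        buf = bytearray(image)
        struct.pack_into('<II', buf, 0x40 + 24 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(image), len(cert))
        image = bytes(buf) + cert
    return image


if __name__ == '__main__':
    for name, blob in (('unsigned, checksum 0', build_sample_pe()),
                       ('checksum fixed', with_checksum(build_sample_pe())),
                       ('with certificate blob', build_sample_pe(signed=True))):
        print(name, pe_triage(blob))
```

The checksum skips its own field, so with_checksum() is idempotent and a one-byte patch to the section body flips the state to 'mismatch'. The certificate branch only shows that the directory entry is detected; a real WIN_CERTIFICATE carries a PKCS#7 SignedData blob whose chain and timestamp still have to be validated by the platform.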
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\51845961\DBD131B5\SiLib.sys
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\A3F0088A\23667BEE\SIUSBXP.sys
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CF.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\mDIFxEXE.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\7z759F.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\2E5DCE8F\23667BEE\SiLib.sys
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File created: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07E.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\III\7z.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\mDIFxEXE.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File created: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07F.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\IAW1FEA.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\55E6A65E\DBD131B5\SIUSBXP.sys
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CE.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll Jump to dropped file
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\mia.lib Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\LI-180_Installer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CF.tmp Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CE.tmp Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe File created: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\mia.lib Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\ProgramData\{E6FF8B17-66F1-4213-A668-EBEAEBBA4AEB}\mia.lib Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf Jump to behavior

Hooking and other Techniques for Hiding and Protection:

May use the Tor software to hide its network traffic
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: torConnect
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x86DPInst.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\msiexec.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07E.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\353AD105\E1510A13\USBXpressInstaller.exe
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CF.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SETF07F.tmp
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IAW1FEA.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\DC702C7E\E023D589\SiUSBXp.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\OFFLINE\D35647E\E023D589\LI-180 Spectrometer.exe
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SETF5CE.tmp
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\Install Fonts IDE-PlugIn.dll\Install Fonts EXE-PlugIn.dll
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\Install Fonts EXE-PlugIn.dll
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Queries keyboard layouts
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Tries to detect Joe Sandbox
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\data\LI-COR Spectrum\mDIFxIDE.dll\x64DPInst.exe File operation: C:\Users\user~1\AppData\Local\Temp\{546a2256-27f6-d746-9372-a5af287c59d0}\x64\SiUSBXp.sys
Source: C:\Windows\System32\drvinst.exe File operation: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\x64\SiUSBXp.sys
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00409263 __EH_prolog3,FindFirstFileW,FindFirstFileW,FindFirstFileW, 0_2_00409263
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_0040C9F8 FindFirstFileW,FindClose, 1_2_0040C9F8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00424B48 FindFirstFileW,GetLastError, 1_2_00424B48
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_007942A8 FindFirstFileW,FindClose,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 1_2_007942A8
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_0040C434 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 1_2_0040C434
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00424548 FindFirstFileW,FindClose, 1_2_00424548
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00596518 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 1_2_00596518
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00424764 FindFirstFileW,FindClose, 1_2_00424764
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00794720 FindFirstFileW,FindClose, 1_2_00794720
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00794724 FindFirstFileW,FindClose,FindNextFileW,FindClose,FindFirstFileW,FindClose,FindNextFileW,FindClose, 1_2_00794724
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: 1_2_00422390 GetLogicalDriveStringsW,QueryDosDeviceW, 1_2_00422390
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe File opened: C:\Users\user\AppData
Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: LI180_win-1.5.1.exe Binary or memory string: vMCi0
Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: x64DPInst.exe, 0000000E.00000002.313408506.0000000002760000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B20D
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C3CC LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0041C3CC
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B20D _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B20D
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_004182E8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004182E8
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041B945 SetUnhandledExceptionFilter, 0_2_0041B945
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00416B12 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00416B12
Source: LI-180_Installer.exe Binary or memory string: Shell_TrayWnd
Source: LI-180_Installer.exe Binary or memory string: Progman
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: Progmanadvapi32.dllCreateProcessWithTokenW
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: ProgmanU
Source: LI-180_Installer.exe, 00000001.00000003.237053334.000000007F8E9000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndU

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0040DA29 cpuid 0_2_0040DA29
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: GetLocaleInfoA, 0_2_004204E7
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 1_2_0040CB30
Source: C:\Users\user\AppData\Local\Temp\7zS5C99.tmp\LI-180_Installer.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_0040BFD8
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{e09d9f86-101e-864a-b600-9318f3cd459f}\SiUSBXp.cat VolumeInformation
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_0041C0BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0041C0BC
Source: C:\Users\user\Desktop\LI180_win-1.5.1.exe Code function: 0_2_00413849 GetVersion,CoCreateInstance, 0_2_00413849
Source: C:\Windows\System32\drvinst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 358582
Sample: LI180_win-1.5.1.exe
Startdate: 25/02/2021
Architecture: WINDOWS
Score: 24
Signature (sample): May use the Tor software to hide its network traffic

Process tree recovered from the behavior graph (counts are created registry values / created files, as in the legend above):

  • LI180_win-1.5.1.exe (1 / 236), started
      Dropped: C:\Users\user\AppData\Local\Temp\...\mia.lib, PE32
      Dropped: C:\Users\user\AppData\Local\...\mMSIExec.dll, PE32
      Dropped: C:\Users\user\AppData\Local\...\SiUSBXp.dll, PE32
      Dropped: 11 other files (none is malicious)
      Signature: Sample is not signed and drops a device driver
      • LI-180_Installer.exe (19 / 60), started
          Dropped: C:\Users\user\AppData\Local\...\mMSIExec.dll, PE32
          Dropped: C:\Users\user\AppData\Local\...\mDIFxEXE.dll, PE32
          Dropped: C:\Users\...\Install Fonts EXE-PlugIn.dll, PE32
          Dropped: 5 other files (none is malicious)
          • x64DPInst.exe (1 / 13), started
              Dropped: C:\Users\user\AppData\Local\...\SETF07F.tmp, PE32+
              Dropped: C:\Users\user\AppData\Local\...\SETF07E.tmp, PE32+
          • x86DPInst.exe, started
  • drvinst.exe (9 / 16), started
      Dropped: C:\Windows\System32\...\SETF5CF.tmp, PE32+
      Dropped: C:\Windows\System32\...\SETF5CE.tmp, PE32+
  • msiexec.exe, started
No contacted IP infos