Analysis Report notifica2104.msi

Overview

General Information

Sample Name: notifica2104.msi
Analysis ID: 395218
MD5: 37261a4c059499f3d379f539834b8990
SHA1: 1c06fb8a5bf94db2782bf49e080eacc25e740d7c
SHA256: f3316d7cef4978eb334264f709301d6616089abd6272c675228614a6407ed629
Most interesting Screenshot:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Checks for available system drives (often done to infect USB drives)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb` source: notifica2104.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb^ source: notifica2104.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: notifica2104.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: notifica2104.msi

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: msiexec.exe, 00000000.00000003.227511962.000001BC85B50000.00000004.00000001.sdmp String found in binary or memory: http://conlazionzzytz.eastus.cloudapp.azure.com/64bits.php
Source: notifica2104.msi String found in binary or memory: http://conlazionzzytz.eastus.cloudapp.azure.com/64bits.php(VersionNT64)SecureCustomPropertiesOLDPROD
Source: msiexec.exe, 00000000.00000003.227479172.000001BC85B5F000.00000004.00000001.sdmp String found in binary or memory: http://conlazionzzytz.eastus.cloudapp.azure.com/64bits.php-
Source: notifica2104.msi String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: notifica2104.msi String found in binary or memory: http://s.symcd.com06
Source: notifica2104.msi String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: notifica2104.msi String found in binary or memory: http://t2.symcb.com0
Source: notifica2104.msi String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: notifica2104.msi String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: notifica2104.msi String found in binary or memory: http://tl.symcd.com0&
Source: notifica2104.msi String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: notifica2104.msi String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: notifica2104.msi String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: notifica2104.msi String found in binary or memory: http://www.winimage.com/zLibDll
Source: notifica2104.msi String found in binary or memory: http://www.winimage.com/zLibDll1.2.7rbr
Source: notifica2104.msi String found in binary or memory: https://d.symcb.com/cps0%
Source: notifica2104.msi String found in binary or memory: https://d.symcb.com/rpa0
Source: notifica2104.msi String found in binary or memory: https://d.symcb.com/rpa0.
Source: notifica2104.msi String found in binary or memory: https://www.advancedinstaller.com
Source: notifica2104.msi String found in binary or memory: https://www.thawte.com/cps0/
Source: notifica2104.msi String found in binary or memory: https://www.thawte.com/repository0W

System Summary:

Sample file is different than original file name gathered from version info
Source: notifica2104.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs notifica2104.msi
Source: notifica2104.msi Binary or memory string: OriginalFilenameFileOperations.dllF vs notifica2104.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: classification engine Classification label: clean2.winMSI@2/1@0/0
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIe9f32.LOG
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: notifica2104.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: unknown Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\notifica2104.msi'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 62996ADAF98AEA6C3E76201DA1491D0F
Source: C:\Windows\System32\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation

Behavior Graph: ID 395218, Sample notifica2104.msi, Startdate 22/04/2021, Architecture WINDOWS, Score 2. Processes started: msiexec.exe, msiexec.exe.
No contacted IP infos