
Analysis Report notifica2104.msi

Overview

General Information

Sample Name: notifica2104.msi
Analysis ID: 395218
MD5: 37261a4c059499f3d379f539834b8990
SHA1: 1c06fb8a5bf94db2782bf49e080eacc25e740d7c
SHA256: f3316d7cef4978eb334264f709301d6616089abd6272c675228614a6407ed629

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Checks for available system drives (often done to infect USB drives)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Startup

  • System is w10x64
  • msiexec.exe (PID: 6560 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\notifica2104.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 6616 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 62996ADAF98AEA6C3E76201DA1491D0F MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures; all signature results are listed below.

Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb` source: notifica2104.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb^ source: notifica2104.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: notifica2104.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: notifica2104.msi
Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\msiexec.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: msiexec.exe, 00000000.00000003.227511962.000001BC85B50000.00000004.00000001.sdmp; String found in binary or memory: http://conlazionzzytz.eastus.cloudapp.azure.com/64bits.php
Source: notifica2104.msi; String found in binary or memory: http://conlazionzzytz.eastus.cloudapp.azure.com/64bits.php(VersionNT64)SecureCustomPropertiesOLDPROD
Source: msiexec.exe, 00000000.00000003.227479172.000001BC85B5F000.00000004.00000001.sdmp; String found in binary or memory: http://conlazionzzytz.eastus.cloudapp.azure.com/64bits.php-
Source: notifica2104.msi; String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: notifica2104.msi; String found in binary or memory: http://s.symcd.com06
Source: notifica2104.msi; String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: notifica2104.msi; String found in binary or memory: http://t2.symcb.com0
Source: notifica2104.msi; String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: notifica2104.msi; String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: notifica2104.msi; String found in binary or memory: http://tl.symcd.com0&
Source: notifica2104.msi; String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: notifica2104.msi; String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: notifica2104.msi; String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: notifica2104.msi; String found in binary or memory: http://www.winimage.com/zLibDll
Source: notifica2104.msi; String found in binary or memory: http://www.winimage.com/zLibDll1.2.7rbr
Source: notifica2104.msi; String found in binary or memory: https://d.symcb.com/cps0%
Source: notifica2104.msi; String found in binary or memory: https://d.symcb.com/rpa0
Source: notifica2104.msi; String found in binary or memory: https://d.symcb.com/rpa0.
Source: notifica2104.msi; String found in binary or memory: https://www.advancedinstaller.com
Source: notifica2104.msi; String found in binary or memory: https://www.thawte.com/cps0/
Source: notifica2104.msi; String found in binary or memory: https://www.thawte.com/repository0W
Source: notifica2104.msi; Binary or memory string: OriginalFilenameAICustAct.dllF vs notifica2104.msi
Source: notifica2104.msi; Binary or memory string: OriginalFilenameFileOperations.dllF vs notifica2104.msi
Source: C:\Windows\System32\msiexec.exe; Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe; Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: sfc.dll
Source: classification engine; Classification label: clean2.winMSI@2/1@0/0
Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Temp\MSIe9f32.LOG
Source: C:\Windows\System32\msiexec.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: notifica2104.msi; Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: unknown; Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\notifica2104.msi'
Source: unknown; Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 62996ADAF98AEA6C3E76201DA1491D0F
Source: C:\Windows\System32\msiexec.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Windows\System32\msiexec.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: msiexec.exe, 00000001.00000002.250323950.0000000004860000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation

MITRE ATT&CK Matrix

Techniques are listed per tactic; a number in parentheses is the count of matched signatures for that technique, and techniques without a number had no match.

  • Initial Access: Replication Through Removable Media, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron
  • Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Defense Evasion: Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information, Binary Padding, Software Packing
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: Query Registry (1), Security Software Discovery (1), Peripheral Device Discovery (11), System Information Discovery (12), Remote System Discovery (1)
  • Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph

[Behavior graph image] Behavior Graph ID: 395218; Sample: notifica2104.msi; Start date: 22/04/2021; Architecture: WINDOWS; Score: 2. The graph shows two msiexec.exe processes started from the sample.
