Windows Analysis Report CTS Graphic module for CID-Pro measurement files.msi

Overview

General Information

Sample Name: CTS Graphic module for CID-Pro measurement files.msi
Analysis ID: 502664
MD5: 9d1d12f42aa3de041dda288f87ced756
SHA1: 0a5bbbd604a5ae6845c4a389ef1f85708d3c679f
SHA256: 98d412acbb77f1fd865e17f16c62ae1e53fe3e19a183b3ba2d89c4fc3bd43fd1

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Queries the volume information (name, serial number etc) of a device
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Checks for available system drives (often done to infect USB drives)
Found dropped PE file which has not been started or loaded
Drops PE files
Tries to load missing DLLs
Deletes files inside the Windows folder
Drops PE files to the windows directory (C:\Windows)
Creates files inside the system directory

Classification

Source: Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: CTS Graphic module for CID-Pro measurement files.msi
Source: Binary string: p:\InstrumentDriver\IviInstallers\CustomActions\IviPaths\trunk\400\objects\IviPaths\win32U\i386\msvc71\release\IviPaths.pdb source: CTS Graphic module for CID-Pro measurement files.msi
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: CTS Graphic module for CID-Pro measurement files.msi
Source: Binary string: p:\InstrumentDriver\IviInstallers\CustomActions\IviPaths\trunk\400\objects\IviPaths\win32U\i386\msvc71\release\IviPaths.pdb@ source: CTS Graphic module for CID-Pro measurement files.msi

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://ocsp.thawte.com0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://s.symcd.com06
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://s2.symcb.com0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://sf.symcb.com/sf.crl0a
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://sf.symcd.com0&
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://sv.symcd.com0&
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://www.symauth.com/cps0(
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: http://www.symauth.com/rpa00
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: https://d.symcb.com/cps0%
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: https://d.symcb.com/rpa0
Source: CTS Graphic module for CID-Pro measurement files.msi String found in binary or memory: https://d.symcb.com/rpa0.
Source: MSI4009.tmp.1.dr String found in binary or memory: https://www.cts-umweltsimulation.de
Source: MSI4009.tmp.1.dr String found in binary or memory: https://www.cts-umweltsimulation.de%

System Summary:

Sample file is different than original file name gathered from version info
Source: CTS Graphic module for CID-Pro measurement files.msi Binary or memory string: OriginalFilenameNiMsiDistKit.dlluax, vs CTS Graphic module for CID-Pro measurement files.msi
Source: CTS Graphic module for CID-Pro measurement files.msi Binary or memory string: OriginalFilenameNIPathsStub.dllP vs CTS Graphic module for CID-Pro measurement files.msi
Source: CTS Graphic module for CID-Pro measurement files.msi Binary or memory string: OriginalFilenameMetaUtilsCA.dllb! vs CTS Graphic module for CID-Pro measurement files.msi
Source: CTS Graphic module for CID-Pro measurement files.msi Binary or memory string: OriginalFilenameIviPaths.dllX vs CTS Graphic module for CID-Pro measurement files.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll (2 occurrences)
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll (2 occurrences)
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI2E3F.tmp
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4629bb.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF925.tmp
Source: classification engine Classification label: clean3.winMSI@6/15@0/0
Source: unknown Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\CTS Graphic module for CID-Pro measurement files.msi'
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 92B7A03B753DE557328F7B181D3A0B3D C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B258116E8C98C69587BFD784FAB73825
Source: CTS Graphic module for CID-Pro measurement files.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: Window Recorder Window detected: More than 3 window changes detected
Source: CTS Graphic module for CID-Pro measurement files.msi Static file information: File size 1644032 > 1048576

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIFF03.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI5C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF925.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3EA0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI38D0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI37D5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI195.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIFDD9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2E3F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3C7D.tmp
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3EA0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI38D0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI37D5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2E3F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3C7D.tmp

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\msiexec.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX (13 occurrences)

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3EA0.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI37D5.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI195.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDD9.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3C7D.tmp
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation (11 occurrences)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation (2 occurrences)
No contacted IP infos