
Windows Analysis Report CTS Graphic module for CID-Pro measurement files.msi

Overview

General Information

Sample Name: CTS Graphic module for CID-Pro measurement files.msi
Analysis ID: 502664
MD5: 9d1d12f42aa3de041dda288f87ced756
SHA1: 0a5bbbd604a5ae6845c4a389ef1f85708d3c679f
SHA256: 98d412acbb77f1fd865e17f16c62ae1e53fe3e19a183b3ba2d89c4fc3bd43fd1

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Queries the volume information (name, serial number etc) of a device
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample file is different than original file name gathered from version info
Checks for available system drives (often done to infect USB drives)
Found dropped PE file which has not been started or loaded
Drops PE files
Tries to load missing DLLs
Deletes files inside the Windows folder
Drops PE files to the windows directory (C:\Windows)
Creates files inside the system directory

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 4752 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\CTS Graphic module for CID-Pro measurement files.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 2500 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 6056 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 92B7A03B753DE557328F7B181D3A0B3D C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 6300 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B258116E8C98C69587BFD784FAB73825 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaUtils\NI-PathsStub\Unicode_Release\NIPathsStub.pdb source: CTS Graphic module for CID-Pro measurement files.msi
Source: Binary string: p:\InstrumentDriver\IviInstallers\CustomActions\IviPaths\trunk\400\objects\IviPaths\win32U\i386\msvc71\release\IviPaths.pdb source: CTS Graphic module for CID-Pro measurement files.msi
Source: Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: CTS Graphic module for CID-Pro measurement files.msi
Source: Binary string: p:\InstrumentDriver\IviInstallers\CustomActions\IviPaths\trunk\400\objects\IviPaths\win32U\i386\msvc71\release\IviPaths.pdb@ source: CTS Graphic module for CID-Pro measurement files.msi
Source: C:\Windows\System32\msiexec.exe | File opened (one open per drive letter): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: CTS Graphic module for CID-Pro measurement files.msi | Binary or memory string: OriginalFilenameNiMsiDistKit.dlluax, vs CTS Graphic module for CID-Pro measurement files.msi
Source: CTS Graphic module for CID-Pro measurement files.msi | Binary or memory string: OriginalFilenameNIPathsStub.dllP vs CTS Graphic module for CID-Pro measurement files.msi
Source: CTS Graphic module for CID-Pro measurement files.msi | Binary or memory string: OriginalFilenameMetaUtilsCA.dllb! vs CTS Graphic module for CID-Pro measurement files.msi
Source: CTS Graphic module for CID-Pro measurement files.msi | Binary or memory string: OriginalFilenameIviPaths.dllX vs CTS Graphic module for CID-Pro measurement files.msi
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll (2 occurrences)
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll (2 occurrences)
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll (2 occurrences)
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI2E3F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4629bb.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIF925.tmp
Source: classification engine | Classification label: clean3.winMSI@6/15@0/0
Source: unknown | Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\CTS Graphic module for CID-Pro measurement files.msi'
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 92B7A03B753DE557328F7B181D3A0B3D C
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B258116E8C98C69587BFD784FAB73825
Source: CTS Graphic module for CID-Pro measurement files.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\msiexec.exe | Automated click: Next > (3 occurrences)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: CTS Graphic module for CID-Pro measurement files.msi | Static file information: File size 1644032 > 1048576
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFF03.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI5C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIF925.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3EA0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI38D0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI37D5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI195.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIFDD9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2E3F.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI3C7D.tmp
Source: C:\Windows\System32\msiexec.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3EA0.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI37D5.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI195.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIFDD9.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI3C7D.tmp
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (11 occurrences)
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)

Mitre Att&ck Matrix

Numbers in parentheses are the counts printed next to each technique in the report.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media (1) | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Masquerading (2) | OS Credential Dumping | Query Registry (1) | Replication Through Removable Media (1) | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Process Injection (1) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | DLL Side-Loading (1) | Security Account Manager | System Information Discovery (11) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | File Deletion (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud

Behavior Graph


Screenshots
