Edit tour

Windows Analysis Report
DE-1550 Installer v1.03_rev1 07-23-2018.msi

Overview

General Information

Sample Name:	DE-1550 Installer v1.03_rev1 07-23-2018.msi
Analysis ID:	831165
MD5:	08af3aac53f698f92b16583e6a76b2aa
SHA1:	f34527fe04eded912253b494e4b7b9dc29150283
SHA256:	cdec38d9934ee64d57f09ce851de1b9f3b4f823e4b7b5420a8c1254f53eabdee
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Queries the volume information (name, serial number etc) of a device

Modifies existing windows services

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Deletes files inside the Windows folder

Drops PE files to the windows directory (C:\Windows)

Creates files inside the system directory

Stores files to the Windows start menu directory

Checks for available system drives (often done to infect USB drives)

Found dropped PE file which has not been started or loaded

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample searches for specific file, try point organization specific fake files to the analysis machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64native

msiexec.exe (PID: 8324 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\DE-1550 Installer v1.03_rev1 07-23-2018.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2040 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 8944 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 84DA78192880581D6829482FFD39CF6A C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 560 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C6401D95ECC4BE08AAC131C3978679E2 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source:	Binary string: C:\Dev\@Altronic\de1550_pcapp\DE-1550\obj\x86\Debug\Altronic DE-1550.pdb source: Altronic DE-1550.exe.3.dr
Source:	Binary string: DPCA.pdb source: DE-1550 Installer v1.03_rev1 07-23-2018.msi, MSI591B.tmp.2.dr, MSI584F.tmp.2.dr, 118801b.msi.3.dr, 118801d.msi.3.dr, MSI81A2.tmp.3.dr, MSI80E6.tmp.3.dr
Source:	Binary string: C:\Dev\@Altronic\de1550_pcapp\DE-1550\obj\x86\Debug\Altronic DE-1550.pdbDp source: Altronic DE-1550.exe.3.dr
Source:	Binary string: DPCA.pdb<0 source: DE-1550 Installer v1.03_rev1 07-23-2018.msi, MSI591B.tmp.2.dr, MSI584F.tmp.2.dr, 118801b.msi.3.dr, 118801d.msi.3.dr, MSI81A2.tmp.3.dr, MSI80E6.tmp.3.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: d:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming

Source: DE-1550 Installer v1.03_rev1 07-23-2018.msi

Binary or memory string: OriginalFilenameDPCA.DLL^ vs DE-1550 Installer v1.03_rev1 07-23-2018.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: edgegdi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edgegdi.dll

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI80E6.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\118801b.msi

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\DE-1550 Installer v1.03_rev1 07-23-2018.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 84DA78192880581D6829482FFD39CF6A C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C6401D95ECC4BE08AAC131C3978679E2
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 84DA78192880581D6829482FFD39CF6A C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C6401D95ECC4BE08AAC131C3978679E2

Source: DE-1550 Installer v1.03_rev1 07-23-2018.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%

Source: DE-1550.lnk.3.dr

LNK file: ..\..\..\..\..\Installer\{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}\_8FE7F6AC6251280AFC5837.exe

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Altronic LLC

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Installer

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI584F.tmp

Jump to behavior

Source: classification engine

Classification label: clean5.winMSI@6/33@0/0

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: MSI591B.tmp.2.dr, MSI584F.tmp.2.dr, 118801b.msi.3.dr, 118801d.msi.3.dr, MSI81A2.tmp.3.dr, MSI80E6.tmp.3.dr

Binary or memory string: SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'Software\Microsoft\NET Framework Setup\NDP\v3.%lu%sSOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5Software\Microsoft\NET Framework Setup\NDPSELECT * FROM `%s`Custom action not implemented.ToggleNearestAppRoot.kernel32IsWow64ProcessProcess call was successful.The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.The error indicates that this version of ASP.NET must first be registered on the machine.Unknown Error.The call to aspnet_regiis.exe was failed. Path: '%s'Process Call Result Code: '%ld'Process Exit Code: '%ld'.Create Process failed.Running process '%s' with parameters '%s' silently...Access denied.CoInitializeEx - COM initialization Free Threaded.FAILED:%ldCoInitializeEx - COM initialization Apartment Threaded...Attach Debugger To MeVSCADEBUGATTACHSetTARGETSITETargetVersion%s\v%d\%sGatherWebSitesGatherAppPoolsSetTARGETAPPPOOLTARGETIISPATHRoot//LM/TARGETVDIRTARGETSITESetTARGETIISPATHaspnet_regiis.exeRESULTPath = PathUsing 64 bit registry key...Reading registry value Path from key 'HKLM\%s'...Software\Microsoft\ASP.NET\%sProductNameRunning show message with fUseMessageBox = %sFALSETRUEVSDINVALIDURLMSGHideFatalErrorFormopenExecuting URL '%s' with source directory '%s'...SourceDirRESULT:Condition is false.RESULT:Condition is true. Nothing more to do.Evaluating condition '%s'...Getting the condition to evaluate...A launch condition has already fired. My work is done here.Checking a launch condition..."/><supportedRuntime version=";VSDFxConfigFile

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >

Source:	Binary string: C:\Dev\@Altronic\de1550_pcapp\DE-1550\obj\x86\Debug\Altronic DE-1550.pdb source: Altronic DE-1550.exe.3.dr
Source:	Binary string: DPCA.pdb source: DE-1550 Installer v1.03_rev1 07-23-2018.msi, MSI591B.tmp.2.dr, MSI584F.tmp.2.dr, 118801b.msi.3.dr, 118801d.msi.3.dr, MSI81A2.tmp.3.dr, MSI80E6.tmp.3.dr
Source:	Binary string: C:\Dev\@Altronic\de1550_pcapp\DE-1550\obj\x86\Debug\Altronic DE-1550.pdbDp source: Altronic DE-1550.exe.3.dr
Source:	Binary string: DPCA.pdb<0 source: DE-1550 Installer v1.03_rev1 07-23-2018.msi, MSI591B.tmp.2.dr, MSI584F.tmp.2.dr, 118801b.msi.3.dr, 118801d.msi.3.dr, MSI81A2.tmp.3.dr, MSI80E6.tmp.3.dr

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI584F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Altronic DE-1550.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI591B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI80E6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI81A2.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI80E6.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI81A2.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Altronic LLC	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Altronic LLC\DE-1550	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Altronic LLC\DE-1550\DE-1550.lnk	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Altronic DE-1550.exe			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI81A2.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	Windows Management Instrumentation	1 Windows Service	1 Windows Service	22 Masquerading	OS Credential Dumping	1 Process Discovery	1 Replication Through Removable Media	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	1 File Deletion	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DE-1550 Installer v1.03_rev1 07-23-2018.msi	2%	ReversingLabs
DE-1550 Installer v1.03_rev1 07-23-2018.msi	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSI584F.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI584F.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI591B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI591B.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI80E6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI80E6.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI81A2.tmp	0%	ReversingLabs

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831165
Start date and time:	2023-03-21 07:25:37 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	DE-1550 Installer v1.03_rev1 07-23-2018.msi
Detection:	CLEAN
Classification:	clean5.winMSI@6/33@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.0, 20.190.159.23, 20.190.159.4, 40.126.31.71, 40.126.31.73, 40.126.31.69, 20.190.159.75, 20.190.159.71, 51.124.57.242
Excluded domains from analysis (whitelisted): prdv6a.aadg.msidentity.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, www.tm.lg.prod.aadmsa.akadns.net, www.tm.v6.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wdcp.microsoft.com, wd-prod-cp.trafficmanager.net, login.msa.msidentity.com, wd-prod-cp-eu-west-3-fe.westeurope.cloudapp.azure.com

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	10406
Entropy (8bit):	5.703198333877612
Encrypted:	false
SSDEEP:	96:3TMeruVzD2weQDSwU+v9wTCsThqvU+v9wTC6jH1pFThqrHMSjH1wNymVwr6lPs+5:3G/eRPhOIdhO8Z8Lpq
MD5:	DCCCB8C335FFC3BBE967A10EAD28AA88
SHA1:	8B8268AFE4C0238E32DD60D0F202C5B91E6A2955
SHA-256:	12576A38F48B08D81C3685203E910C55278DABFC9AEA98340AB28B9ED5E3B0B3
SHA-512:	A27079FD4EAED83CE7A71A0771AC5F4ED498EC54F7752AA5BBBD3EC53E2A0B4E0928ACFD1F04E62D05C231B9AA6CB6B7A2C5AC8E875A834744498B4F25F88725
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@u;uV.@.....@.....@.....@.....@.....@......&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}..Altronic DE-1550+.DE-1550 Installer v1.03_rev1 07-23-2018.msi.@.....@.....@.....@........&.{F6296E9E-3D64-43FF-B0A4-736C96B15080}.....@.....@.....@.....@.......@.....@.....@.......@......Altronic DE-1550......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{FBEE690E-63CA-9123-3429-448ED52CA353}&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}.@......&.{6DA9B1AE-EC52-644E-A521-C6CA345CA92A}&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}.@......&.{511939AB-4664-F9F3-9CAC-7D981D8D374C}&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}.@......&.{B9B828B7-EE55-8389-D0EC-44437CC85274}&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}.@......&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}.@......&.{7F7B0467-8E0A-A0F2-C00F-02CD8E033A5D}&.{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}.@......&.{92BAF562-34CE-7769

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	117
Entropy (8bit):	4.772296691735276
Encrypted:	false
SSDEEP:	3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHjKboe+RAW4QIMOov:TMV0kI002V7VQ7V2boeuAW4QIm
MD5:	3C3D11B78E4C077C083F0B6B527D146E
SHA1:	C210C08BB3BDA4D775AA4F23BD177DBEF0BC1378
SHA-256:	55DB6CC3FCF27F20362198F28B652889F7808FFA206E2140D3F3AB3ECE879EB9
SHA-512:	03A2F82C58A640314D90070375D6AD6193E705AC63E3463511EBDDE5B727463BBD3D98C9E163A6A21C76A723E28DC9B8D94574DC2D2ECFC8CDB18CB9188C27AF
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v4.0"/>...</startup>..</configuration>..

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {F6296E9E-3D64-43FF-B0A4-736C96B15080}, Title: DE-1550 Installer, Author: Altronic LLC, Number of Words: 2, Last Saved Time/Date: Tue Jul 24 03:15:26 2018, Last Printed: Tue Jul 24 03:15:26 2018
Entropy (8bit):	6.217058975674071
TrID:	Microsoft Windows Installer (77509/1) 90.64% Generic OLE2 / Multistream Compound File (8008/1) 9.36%
File name:	DE-1550 Installer v1.03_rev1 07-23-2018.msi
File size:	544256
MD5:	08af3aac53f698f92b16583e6a76b2aa
SHA1:	f34527fe04eded912253b494e4b7b9dc29150283
SHA256:	cdec38d9934ee64d57f09ce851de1b9f3b4f823e4b7b5420a8c1254f53eabdee
SHA512:	13d9a8dede785ff6e1293a7b7251ec86af6d2a71f0169700eb2837cb44c6c9fb7b1180837dffdd28c013d42bdf119669b083f50d27ff18d26f9408231592ee22
SSDEEP:	6144:ded/UBn3Nn7ByILdEODlcOnlpOuodL+8sBn512bojn45S7Ix6XrU/X:8Jk3Nn7ByIuyBlpOuq+8sB512VcRXg
TLSH:	31C4AD2136C79B32D4D3127156BEA3704A7EEC304B7082C7A2987B9E6EB56C06735787
File Content Preview:	........................>...................................8...................f...g...h...i...e.......`...a..................................................................................................................................................

Target ID:	2
Start time:	07:27:30
Start date:	21/03/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\DE-1550 Installer v1.03_rev1 07-23-2018.msi"
Imagebase:	0x7ff73cc90000
File size:	69632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	8
Start time:	07:27:41
Start date:	21/03/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding C6401D95ECC4BE08AAC131C3978679E2
Imagebase:	0x7ff6fb380000
File size:	59904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DE-1550 Installer v1.03_rev1 07-23-2018.msi

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\118801c.rbs

C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Altronic DE-1550.exe

C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Altronic DE-1550.exe.config

C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Altronic.ico

C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Configuration Files\DEFAULT.afd

C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Configuration Files\DEFAULT.pgd

C:\Program Files (x86)\Altronic LLC\Altronic DE-1550\Configuration Files\DEFAULT.trd

C:\Users\user\AppData\Local\Temp\CFG58FB.tmp

C:\Users\user\AppData\Local\Temp\CFG8182.tmp

C:\Users\user\AppData\Local\Temp\MSI584F.tmp

C:\Users\user\AppData\Local\Temp\MSI591B.tmp

C:\Users\user\AppData\Roaming\Microsoft\Installer\{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}\_8FE7F6AC6251280AFC5837.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Altronic LLC\DE-1550\DE-1550.lnk

C:\Windows\Installer\118801b.msi

C:\Windows\Installer\118801d.msi

C:\Windows\Installer\MSI80E6.tmp

C:\Windows\Installer\MSI81A2.tmp

C:\Windows\Installer\MSI8211.tmp

C:\Windows\Installer\SourceHash{78411DF8-DB18-4774-A9F4-A5D6D0DA787C}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF164F575F959CA334.TMP

C:\Windows\Temp\~DF1AD6B9B44D290FF8.TMP

C:\Windows\Temp\~DF22D2B4B04A4971FD.TMP

C:\Windows\Temp\~DF23FA9ACE23FCD44B.TMP

C:\Windows\Temp\~DF7B53429BE2301499.TMP

C:\Windows\Temp\~DF8B370F716CC75002.TMP

C:\Windows\Temp\~DFA27904E46FB322E6.TMP

Windows Analysis Report
DE-1550 Installer v1.03_rev1 07-23-2018.msi