Loading... Additional Content is being loaded
Windows
Analysis Report
2UoXCbfNSl.msi
Overview
General Information
| Sample Name: | 2UoXCbfNSl.msi |
| Original Sample Name: | cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a.msi |
| Analysis ID: | 876164 |
| MD5: | 82ff84cb9924f0855a894e75b5d3edb2 |
| SHA1: | df89381239f8a8ececeb697a6a35a573203bac09 |
| SHA256: | cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a |
| Tags: | gozimsi |
| Infos: | |
 |
|
Detection
| Score: | 52 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Snort IDS alert for network traffic
Drops executables to the windows directory (C:\Windows) and starts them
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Queries the current domain controller via net
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
File opened: |
Jump to behavior | ||
| Source: |
Code function: |
3_2_013605E9 | |
Networking |
  |
|---|
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
Snort IDS: |
||
| Source: |
DNS traffic detected: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
String found in binary or memory: |
||
| Source: |
File deleted: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Code function: |
3_2_01356078 | |
| Source: |
Code function: |
3_2_0132D060 | |
| Source: |
Code function: |
3_2_0135B336 | |
| Source: |
Code function: |
3_2_01349730 | |
| Source: |
Code function: |
3_2_0134F700 | |
| Source: |
Code function: |
3_2_01364609 | |
| Source: |
Code function: |
3_2_0135E919 | |
| Source: |
Code function: |
3_2_013538A0 | |
| Source: |
Code function: |
3_2_013518EF | |
| Source: |
Code function: |
3_2_0135DB30 | |
| Source: |
Code function: |
3_2_0134FA8E | |
| Source: |
Code function: |
3_2_0134ADD9 | |
| Source: |
Code function: |
3_2_01330E90 | |
| Source: |
Code function: |
3_2_01362EC5 | |
| Source: |
Binary or memory string: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Section loaded: |
Jump to behavior | ||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Classification label: |
||
| Source: |
Code function: |
3_2_01326EE0 | |
| Source: |
Code function: |
3_2_013261D0 | |
| Source: |
Static file information: |
||
| Source: |
Mutant created: |
||
| Source: |
Mutant created: |
||
| Source: |
Code function: |
3_2_01321D70 | |
| Source: |
Static file information: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
3_2_01348203 | |
Persistence and Installation Behavior |
|
|---|
| Source: |
Executable created and started: |
Jump to behavior | ||
| Source: |
Executable created and started: |
Jump to behavior | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Last function: |
||
| Source: |
Last function: |
||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Dropped PE file which has not been started: |
Jump to dropped file | ||
| Source: |
Check user administrative privileges: |
||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
API coverage: |
||
| Source: |
Process information queried: |
Jump to behavior | ||
| Source: |
Code function: |
3_2_013605E9 | |
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
File Volume queried: |
Jump to behavior | ||
| Source: |
Code function: |
3_2_0134C3B6 | |
| Source: |
Code function: |
3_2_01361533 | |
| Source: |
Code function: |
3_2_013603E8 | |
| Source: |
Code function: |
3_2_0135843F | |
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Code function: |
3_2_01348553 | |
| Source: |
Code function: |
3_2_0134C3B6 | |
| Source: |
Code function: |
3_2_013483BD | |
| Source: |
Code function: |
3_2_01347B9C | |
| Source: |
Code function: |
3_2_01327660 | |
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Queries volume information: |
Jump to behavior | ||
| Source: |
Code function: |
3_2_01332161 | |
| Source: |
Code function: |
3_2_013471C1 | |
| Source: |
Code function: |
3_2_01363414 | |
| Source: |
Code function: |
3_2_01363701 | |
| Source: |
Code function: |
3_2_0135C7A2 | |
| Source: |
Code function: |
3_2_0136379C | |
| Source: |
Code function: |
3_2_013636B6 | |
| Source: |
Code function: |
3_2_01363827 | |
| Source: |
Code function: |
3_2_01363BA3 | |
| Source: |
Code function: |
3_2_01363A7A | |
| Source: |
Code function: |
3_2_0135CD1F | |
| Source: |
Code function: |
3_2_01363D78 | |
| Source: |
Code function: |
3_2_01363CA9 | |
| Source: |
Code function: |
3_2_0134801C | |
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
Code function: |
3_2_01348615 | |
| Source: |
Code function: |
3_2_0135D192 | |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
⊘No contacted IP infos