Windows Analysis Report
2UoXCbfNSl.msi

Overview

General Information

Sample Name:2UoXCbfNSl.msi
Original Sample Name:cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a.msi
Analysis ID:876164
MD5:82ff84cb9924f0855a894e75b5d3edb2
SHA1:df89381239f8a8ececeb697a6a35a573203bac09
SHA256:cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a
Tags:gozimsi

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic
Drops executables to the windows directory (C:\Windows) and starts them
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains functionality to launch a program with higher privileges
Queries the current domain controller via net
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • msiexec.exe (PID: 5424 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2UoXCbfNSl.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 6800 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 6924 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • MSI2A38.tmp (PID: 2888 cmdline: "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips MD5: 0007940F5479831428131F029D3BD8F7)
    • MSI2E51.tmp (PID: 5228 cmdline: "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf MD5: 0007940F5479831428131F029D3BD8F7)
  • cmd.exe (PID: 6936 cmdline: cmd /c "net group "domain computers" /domain" >> C:\Users\user\AppData\Local\Temp\4505.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • net.exe (PID: 6948 cmdline: net group "domain computers" /domain MD5: 15534275EDAABC58159DD0F8607A71E5)
      • net1.exe (PID: 6676 cmdline: C:\Windows\system32\net1 group "domain computers" /domain MD5: AF569DE92AB6C1B9C681AF1E799F9983)
  • cmd.exe (PID: 2184 cmdline: cmd /c "nltest /dclist:" >> C:\Users\user\AppData\Local\Temp\158A.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • nltest.exe (PID: 5828 cmdline: nltest /dclist: MD5: 3198EC1CA24B6CB75D597CEE39D71E58)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Snort IDS Alerts

Timestamp                 SID      Source IP    Source Port  Destination IP  Destination Port  Protocol  Classtype
05/26/23-11:41:10.481245  2023883  192.168.2.5  65323        8.8.8.8         53                UDP       Potentially Bad Traffic
05/26/23-11:43:55.578387  2023883  192.168.2.5  58581        8.8.8.8         53                UDP       Potentially Bad Traffic
05/26/23-11:42:04.741109  2023883  192.168.2.5  63446        8.8.8.8         53                UDP       Potentially Bad Traffic
05/26/23-11:42:44.239811  2023883  192.168.2.5  60975        8.8.8.8         53                UDP       Potentially Bad Traffic
05/26/23-11:44:33.716234  2023883  192.168.2.5  56687        8.8.8.8         53                UDP       Potentially Bad Traffic
05/26/23-11:43:20.455009  2023883  192.168.2.5  56682        8.8.8.8         53                UDP       Potentially Bad Traffic
05/26/23-11:45:10.193356  2023883  192.168.2.5  61344        8.8.8.8         53                UDP       Potentially Bad Traffic

Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 2UoXCbfNSl.msi, MSI26B8.tmp.1.dr, 51235f.msi.1.dr, 51235c.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013605E9 FindFirstFileExW,

Networking

Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:65323 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:63446 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:60975 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56682 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:58581 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56687 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:61344 -> 8.8.8.8:53
Source: unknown | DNS traffic detected: query: sumarno.top replycode: Server failure (2)
Source: 51235e.rbs.1.dr, MSI29DA.tmp.1.dr | String found in binary or memory: https://sectigo.com
Source: 2UoXCbfNSl.msi, 51235f.msi.1.dr, 51235c.msi.1.dr | String found in binary or memory: https://sectigo.comButtonText_Yes&YesARPCOMMENTSThis
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI26B8.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\51235c.msi
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01356078
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0132D060
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0135B336
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01349730
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0134F700
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01364609
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0135E919
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013538A0
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013518EF
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0135DB30
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0134FA8E
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0134ADD9
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01330E90
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01362EC5
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: String function: 013485D0 appears 39 times
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: String function: 01348246 appears 69 times
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: String function: 01348213 appears 97 times
Source: 2UoXCbfNSl.msi | Binary or memory string: OriginalFilenameviewer.exeF vs 2UoXCbfNSl.msi
Source: 2UoXCbfNSl.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs 2UoXCbfNSl.msi
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\Installer\MSI2A38.tmp | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2UoXCbfNSl.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2E51.tmp "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c "net group "domain computers" /domain" >> C:\Users\user\AppData\Local\Temp\4505.tmp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c "nltest /dclist:" >> C:\Users\user\AppData\Local\Temp\158A.tmp
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nltest.exe nltest /dclist:
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2E51.tmp "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nltest.exe nltest /dclist:
Source: C:\Windows\Installer\MSI2A38.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\MultiPlast
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF96E1B63E07A25412.TMP
Source: classification engine | Classification label: mal52.evad.winMSI@18/31@0/0
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01326EE0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013261D0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,
Source: 2UoXCbfNSl.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_01
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01321D70 LoadResource,LockResource,SizeofResource,
Source: 2UoXCbfNSl.msi | Static file information: File size 6096508 > 1048576
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013481F0 push ecx; ret

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI2E51.tmp
Source: C:\Windows\System32\msiexec.exe | Executable created and started: C:\Windows\Installer\MSI2A38.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI28B0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\MSTX340\ini.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2841.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI26B8.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI27A3.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2A38.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2E51.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI27E3.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI28B0.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2841.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI26B8.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI27A3.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2A38.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2E51.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI27E3.tmp
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI28B0.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MSTX340\ini.dll
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI2841.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI27A3.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI27E3.tmp
Source: C:\Windows\Installer\MSI2A38.tmp | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\Installer\MSI2A38.tmp | API coverage: 5.4 %
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013605E9 FindFirstFileExW,
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0134C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01361533 GetProcessHeap,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013603E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0135843F mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01348553 SetUnhandledExceptionFilter,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0134C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_013483BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01347B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01327660 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\net.exe | Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nltest.exe nltest /dclist:
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetLocaleInfoEx,FormatMessageA,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetLocaleInfoEx,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0134801C cpuid
Source: C:\Windows\System32\nltest.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_01348615 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
Source: C:\Windows\Installer\MSI2A38.tmp | Code function: 3_2_0135D192 GetTimeZoneInformation,
MITRE ATT&CK Matrix

Numbers in parentheses are the count of matched signatures for that technique; techniques without a number are the matrix's unmatched placeholder cells.

  • Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Native API (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
  • Privilege Escalation: Exploitation for Privilege Escalation (1); Process Injection (11); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
  • Defense Evasion: Masquerading (121); Disable or Modify Tools (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); File Deletion (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  • Discovery: System Time Discovery (2); Security Software Discovery (3); Process Discovery (2); Peripheral Device Discovery (11); File and Directory Discovery (1); System Information Discovery (34); Network Sniffing
  • Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph (ID: 876164, Sample: 2UoXCbfNSl.msi, Startdate: 26/05/2023, Architecture: WINDOWS, Score: 52)

  • Signature on the sample: Snort IDS alert for network traffic
  • Processes started from the sample: msiexec.exe, cmd.exe, cmd.exe, msiexec.exe
  • Files dropped by msiexec.exe: C:\Windows\Installer\MSI2E51.tmp (PE32), C:\Windows\Installer\MSI2A38.tmp (PE32), C:\Windows\Installer\MSI28B0.tmp (PE32), 5 other files (none is malicious)
  • Signature on msiexec.exe: Drops executables to the windows directory (C:\Windows) and starts them
  • msiexec.exe started: MSI2E51.tmp, msiexec.exe, MSI2A38.tmp
  • first cmd.exe started: net.exe, conhost.exe
  • second cmd.exe started: conhost.exe, nltest.exe
  • net.exe started: net1.exe
