Edit tour

Windows Analysis Report
2UoXCbfNSl.msi

Overview

General Information

Sample Name:	2UoXCbfNSl.msi
Original Sample Name:	cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a.msi
Analysis ID:	876164
MD5:	82ff84cb9924f0855a894e75b5d3edb2
SHA1:	df89381239f8a8ececeb697a6a35a573203bac09
SHA256:	cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a
Tags:	gozimsi
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic

Drops executables to the windows directory (C:\Windows) and starts them

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Contains functionality to launch a program with higher privileges

Queries the current domain controller via net

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5424 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2UoXCbfNSl.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6800 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6924 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

MSI2A38.tmp (PID: 2888 cmdline: "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips MD5: 0007940F5479831428131F029D3BD8F7)

MSI2E51.tmp (PID: 5228 cmdline: "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf MD5: 0007940F5479831428131F029D3BD8F7)

cmd.exe (PID: 6936 cmdline: cmd /c "net group "domain computers" /domain" >> C:\Users\user\AppData\Local\Temp\4505.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

net.exe (PID: 6948 cmdline: net group "domain computers" /domain MD5: 15534275EDAABC58159DD0F8607A71E5)

net1.exe (PID: 6676 cmdline: C:\Windows\system32\net1 group "domain computers" /domain MD5: AF569DE92AB6C1B9C681AF1E799F9983)

cmd.exe (PID: 2184 cmdline: cmd /c "nltest /dclist:" >> C:\Users\user\AppData\Local\Temp\158A.tmp MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

nltest.exe (PID: 5828 cmdline: nltest /dclist: MD5: 3198EC1CA24B6CB75D597CEE39D71E58)

cleanup

Snort Signatures

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.865323532023883 05/26/23-11:41:10.481245
SID:	2023883
Source Port:	65323
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.858581532023883 05/26/23-11:43:55.578387
SID:	2023883
Source Port:	58581
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.863446532023883 05/26/23-11:42:04.741109
SID:	2023883
Source Port:	63446
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.860975532023883 05/26/23-11:42:44.239811
SID:	2023883
Source Port:	60975
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.856687532023883 05/26/23-11:44:33.716234
SID:	2023883
Source Port:	56687
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.856682532023883 05/26/23-11:43:20.455009
SID:	2023883
Source Port:	56682
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query to a *.top domain - Likely Hostile - Source IP: 192.168.2.5 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.58.8.8.861344532023883 05/26/23-11:45:10.193356
SID:	2023883
Source Port:	61344
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 2UoXCbfNSl.msi, MSI26B8.tmp.1.dr, 51235f.msi.1.dr, 51235c.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_013605E9 FindFirstFileExW,

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:65323 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:63446 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:60975 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56682 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:58581 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:56687 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.5:61344 -> 8.8.8.8:53

Source: unknown

DNS traffic detected: query: sumarno.top replaycode: Server failure (2)

Source: 51235e.rbs.1.dr, MSI29DA.tmp.1.dr	String found in binary or memory: https://sectigo.com
Source: 2UoXCbfNSl.msi, 51235f.msi.1.dr, 51235c.msi.1.dr	String found in binary or memory: https://sectigo.comButtonText_Yes&YesARPCOMMENTSThis

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI26B8.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\51235c.msi

Jump to behavior

Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_01356078
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0132D060
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0135B336
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_01349730
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0134F700
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_01364609
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0135E919
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_013538A0
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_013518EF
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0135DB30
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0134FA8E
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0134ADD9
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_01330E90
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_01362EC5

Source: C:\Windows\Installer\MSI2A38.tmp	Code function: String function: 013485D0 appears 39 times
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: String function: 01348246 appears 69 times
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: String function: 01348213 appears 97 times

Source: 2UoXCbfNSl.msi	Binary or memory string: OriginalFilenameviewer.exeF vs 2UoXCbfNSl.msi
Source: 2UoXCbfNSl.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs 2UoXCbfNSl.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: C:\Windows\Installer\MSI2A38.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2UoXCbfNSl.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI2E51.tmp "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c "net group "domain computers" /domain" >> C:\Users\user\AppData\Local\Temp\4505.tmp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c "nltest /dclist:" >> C:\Users\user\AppData\Local\Temp\158A.tmp
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /dclist:
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI2E51.tmp "C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /dclist:

Source: C:\Windows\Installer\MSI2A38.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\MultiPlast

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF96E1B63E07A25412.TMP

Jump to behavior

Source: classification engine

Classification label: mal52.evad.winMSI@18/31@0/0

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_01326EE0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,IUnknown_QueryInterface_Proxy,IUnknown_QueryInterface_Proxy,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,LocalFree,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_013261D0 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

Source: 2UoXCbfNSl.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_01

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_01321D70 LoadResource,LockResource,SizeofResource,

Source: 2UoXCbfNSl.msi

Static file information: File size 6096508 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbC source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 2UoXCbfNSl.msi, MSI26B8.tmp.1.dr, 51235f.msi.1.dr, 51235c.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: MSI2A38.tmp, 00000003.00000002.383017362.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2A38.tmp, 00000003.00000000.382068467.000000000136D000.00000002.00000001.01000000.00000003.sdmp, MSI2E51.tmp, 00000005.00000000.384252501.00000000011CD000.00000002.00000001.01000000.00000005.sdmp, 2UoXCbfNSl.msi, 51235f.msi.1.dr, MSI2A38.tmp.1.dr, 51235e.rbs.1.dr, 51235c.msi.1.dr, MSI29DA.tmp.1.dr

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_013481F0 push ecx; ret

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe	Executable created and started: C:\Windows\Installer\MSI2E51.tmp
Source: C:\Windows\System32\msiexec.exe	Executable created and started: C:\Windows\Installer\MSI2A38.tmp

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI28B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\MSTX340\ini.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2841.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI27A3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2A38.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI27E3.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI28B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2841.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI26B8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI27A3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2A38.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2E51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI27E3.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI28B0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\MSTX340\ini.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2841.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI27A3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI27E3.tmp	Jump to dropped file

Source: C:\Windows\Installer\MSI2A38.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "domain computers" /domain

Source: C:\Windows\Installer\MSI2A38.tmp

API coverage: 5.4 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_013605E9 FindFirstFileExW,

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_0134C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_01361533 GetProcessHeap,

Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_013603E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0135843F mov ecx, dword ptr fs:[00000030h]

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Windows\Installer\MSI2A38.tmp "C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips

Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_01348553 SetUnhandledExceptionFilter,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_0134C3B6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_013483BD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: 3_2_01347B9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_01327660 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongW,

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "domain computers" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "domain computers" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /dclist:

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetLocaleInfoEx,FormatMessageA,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetLocaleInfoEx,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: EnumSystemLocalesW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\Installer\MSI2A38.tmp	Code function: GetLocaleInfoW,

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_0134801C cpuid

Source: C:\Windows\System32\nltest.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_01348615 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Windows\Installer\MSI2A38.tmp

Code function: 3_2_0135D192 GetTimeZoneInformation,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	121 Masquerading	OS Credential Dumping	2 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	3 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2UoXCbfNSl.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\MSTX340\ini.dll	0%	ReversingLabs
C:\Windows\Installer\MSI26B8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI27A3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI27E3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2841.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI28B0.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2A38.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2E51.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://sectigo.comButtonText_Yes&YesARPCOMMENTSThis	0%	Avira URL Cloud	safe
https://sectigo.com	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://sectigo.com	51235e.rbs.1.dr, MSI29DA.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.comButtonText_Yes&YesARPCOMMENTSThis	2UoXCbfNSl.msi, 51235f.msi.1.dr, 51235c.msi.1.dr	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	876164
Start date and time:	2023-05-26 11:40:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 13s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	2UoXCbfNSl.msi
Original Sample Name:	cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a.msi
Detection:	MAL
Classification:	mal52.evad.winMSI@18/31@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 93%) Quality average: 67.1% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, rundll32.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): sumarno.top, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: 2UoXCbfNSl.msi

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	433224
Entropy (8bit):	6.567843589414793
Encrypted:	false
SSDEEP:	12288:1/ePEitwJH6g7scgFzMzMHf7hM53l6hEFMI:1/EEimJH6g7scSzMQDC51fCI
MD5:	5019AEEF7A712537257F5D833CB69E8E
SHA1:	78E1A5D7A41B0984F9C16F90F887473754ED11F7
SHA-256:	D76A49FAB64EC85290B2524B3C0CFEA2613D80C366C85440B982BF77F08B285E
SHA-512:	E61EE3DA78611724D22617D1A75F9C33B4681B207860A4B0B34737890EBACCFAFD8639F3C14FDF6FF2775C90E40EBC80816CA00464ACCF1A2B3CFE4240CA8739
Malicious:	false
Preview:	...@IXOS.@.....@%].V.@.....@.....@.....@.....@.....@......&.{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}..WinStore..2UoXCbfNSl.msi.@.....@.. ..@.....@........&.{B4B73A8E-7CF9-43FC-9AD7-95DE9F858356}.....@.....@.....@.....@.......@.....@.....@.......@......WinStore......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{00A54C1D-61AC-4347-84F4-40773BC436D4}&.{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}.@......&.{43A22BE9-40D1-42CF-AB41-12C0C42E4C16}&.{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}.@......&.{AB6062B9-9B29-4646-B6E6-7DE312E5AD91}&.{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}.@......&.{92907D8E-DBA9-48A2-A3CB-F9F91EE0E4CE}&.{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}.@........CreateFolders..Creating folders..Folder: [1]#.4.C:\Users\user\AppData\Roaming\MultiPlast\WinStore\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Users\user\AppData\Roaming\MSTX340\..../.C:\Users\alf

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	36
Entropy (8bit):	4.030493056757482
Encrypted:	false
SSDEEP:	3:XT5LzdUA2AGN8y:XtLxUANGN8y
MD5:	C58986635C266E6C06609B908580BEDE
SHA1:	4672DCE03D3DD9560CF74035AFF3D9AEBB7201E4
SHA-256:	A2F1BB2817F976E129974B003E3EC12FB8A644C1952BB667116317FD26416042
SHA-512:	36241E4BDA8AD7E4137624BBFBB999C643D34A2095BA078F9886D92F4726913BDB9DC1E1F44141A6738C1E4D9042B802E49F774C0F1C6901735F4B069834449F
Malicious:	false
Preview:	The command completed successfully..

Process:	C:\Windows\System32\nltest.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.8791536144029335
Encrypted:	false
SSDEEP:	3:YaHNFdAmER2fQsKKrqyav:YQNs92Sfv
MD5:	45B19A8643D9F754F189A9B397DF3722
SHA1:	4A9C4C1A875E5C98353DA157493ED0B4C0A653B5
SHA-256:	BEA3B5810B84EE81FB257645355539BC9BEFA02E457EC4E359BEC21C2BEEB042
SHA-512:	A676AD5D35BE590BC52613499CE6E00452D64C2681E3C23A831BD886350C8EF54BE74FE78A7C6C7ED4984EFFC92F8F7E86B1FD564759156D5A7B288A5754BF38
Malicious:	false
Preview:	Cannot find DC to get DC list from.Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN..

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {B4B73A8E-7CF9-43FC-9AD7-95DE9F858356}, Number of Words: 10, Subject: WinStore, Author: MultiPlast, Name of Creating Application: WinStore, Template: ;1033, Comments: This installer database contains the logic and data required to install WinStore., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 25 16:36:21 2023, Number of Pages: 200
Entropy (8bit):	7.8151534308811135
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	2UoXCbfNSl.msi
File size:	6096508
MD5:	82ff84cb9924f0855a894e75b5d3edb2
SHA1:	df89381239f8a8ececeb697a6a35a573203bac09
SHA256:	cd8393350f7cfc0762e09ee3b0a98002a1b9abf362caf5f210e717e1d4ebe53a
SHA512:	416db643cbfda60b26bb3eac8b6a94b148b506bc016d562bc51e085f765400c56412462b42e2e29dcc44fa621349781c1c225081804c528a0a7fd1822663597b
SSDEEP:	98304:ajJzMUpQ/2zKN5DmsQPKEvia5Zld9l4jH43ZnzgB1wLhQNHFRaFUDAQQHk8iQdvk:M5NzKNgsKKE6UZD9l4IZnzgLwLhQNHFd
TLSH:	36561222B2C3C532C55D0277E968FE5E0539BE73473101E777E9396E99B48C1A27AB02
File Content Preview:	........................>...................^...................................E.......b.......t...............................N...O...P...Q...R...S...T...U...V..............................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 26, 2023 11:41:12.081121922 CEST	53	65323	8.8.8.8	192.168.2.5
May 26, 2023 11:42:19.971673965 CEST	53	56751	8.8.8.8	192.168.2.5
May 26, 2023 11:42:20.961313963 CEST	53	56751	8.8.8.8	192.168.2.5
May 26, 2023 11:42:45.269511938 CEST	53	60975	8.8.8.8	192.168.2.5
May 26, 2023 11:43:10.349685907 CEST	53	55068	8.8.8.8	192.168.2.5
May 26, 2023 11:43:11.648736954 CEST	53	55068	8.8.8.8	192.168.2.5
May 26, 2023 11:43:21.521276951 CEST	53	56682	8.8.8.8	192.168.2.5
May 26, 2023 11:43:23.114259005 CEST	53	56682	8.8.8.8	192.168.2.5
May 26, 2023 11:43:32.659657955 CEST	53	58532	8.8.8.8	192.168.2.5
May 26, 2023 11:43:56.697468042 CEST	53	58581	8.8.8.8	192.168.2.5
May 26, 2023 11:43:57.602169991 CEST	53	58581	8.8.8.8	192.168.2.5
May 26, 2023 11:44:34.737889051 CEST	53	56687	8.8.8.8	192.168.2.5
May 26, 2023 11:44:46.149173021 CEST	53	64419	8.8.8.8	192.168.2.5
May 26, 2023 11:45:11.309842110 CEST	53	61344	8.8.8.8	192.168.2.5

Target ID:	0
Start time:	11:41:06
Start date:	26/05/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2UoXCbfNSl.msi"
Imagebase:	0x7ff79d900000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	11:41:08
Start date:	26/05/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding EA13B634406DD4E4E1EC4CF54DDC47D4
Imagebase:	0x11f0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	3
Start time:	11:41:09
Start date:	26/05/2023
Path:	C:\Windows\Installer\MSI2A38.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI2A38.tmp" /DontWait C:\Windows\System32\rundll32.exe C:\Users\user\AppData\Roaming\MSTX340\ini.dll,vips
Imagebase:	0x1320000
File size:	423936 bytes
MD5 hash:	0007940F5479831428131F029D3BD8F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Target ID:	5
Start time:	11:41:10
Start date:	26/05/2023
Path:	C:\Windows\Installer\MSI2E51.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI2E51.tmp" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" file://C:\Users\user\AppData\Roaming\MSTX340/Information_psw.pdf
Imagebase:	0x1180000
File size:	423936 bytes
MD5 hash:	0007940F5479831428131F029D3BD8F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Target ID:	8
Start time:	11:41:55
Start date:	26/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c "net group "domain computers" /domain" >> C:\Users\user\AppData\Local\Temp\4505.tmp
Imagebase:	0x7ff627730000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	12
Start time:	11:42:09
Start date:	26/05/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c "nltest /dclist:" >> C:\Users\user\AppData\Local\Temp\158A.tmp
Imagebase:	0x7ff627730000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2UoXCbfNSl.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\51235e.rbs

C:\Users\user\AppData\Local\Temp\158A.tmp

C:\Users\user\AppData\Local\Temp\4505.tmp

C:\Users\user\AppData\Roaming\MSTX340\Information_psw.pdf

C:\Users\user\AppData\Roaming\MSTX340\ini.dll

C:\Windows\Installer\51235c.msi

C:\Windows\Installer\51235f.msi

C:\Windows\Installer\MSI26B8.tmp

C:\Windows\Installer\MSI27A3.tmp

C:\Windows\Installer\MSI27E3.tmp

C:\Windows\Installer\MSI2841.tmp

C:\Windows\Installer\MSI28B0.tmp

C:\Windows\Installer\MSI29DA.tmp

C:\Windows\Installer\MSI2A38.tmp

C:\Windows\Installer\MSI2E51.tmp

C:\Windows\Installer\SourceHash{61FBEA40-2644-43BA-811E-2B6E5B7CAA2A}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF10D2DAB67DA41C8A.TMP

C:\Windows\Temp\~DF1227C6BDFAEB717C.TMP

C:\Windows\Temp\~DF68D74EC899244EDA.TMP

C:\Windows\Temp\~DF7FE13E1A7726FEE7.TMP

C:\Windows\Temp\~DF8512FFC219F00200.TMP

C:\Windows\Temp\~DF95C513D54DE54DBD.TMP

C:\Windows\Temp\~DF96E1B63E07A25412.TMP

Windows Analysis Report
2UoXCbfNSl.msi

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre