Windows Analysis Report
FACT64708.msi

Overview

General Information

Sample Name: FACT64708.msi
Analysis ID: 876175
MD5: 03fc44504a830c0bde2155d2343c07bd
SHA1: 99927989853f4d8b4a1180f25c48c37a3c763f65
SHA256: 6dfd76c513f8c4216b7c0efeab797f22db13bb265fafffbb69d735b64801c4a8

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
May check the online IP address of the machine
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Entry point lies outside standard sections
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware

Classification

AV Detection

Source: FACT64708.msi ReversingLabs: Detection: 22%
Source: FACT64708.msi Virustotal: Detection: 20%
Source: C:\Windows\Installer\MSI5D1B.tmp Avira: detection malicious, Label: HEUR/AGEN.1360814
Source: C:\Windows\Installer\MSI5D1B.tmp ReversingLabs: Detection: 47%
Source: unknown HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49692 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: C:\Windows\SysWOW64\msiexec.exe DNS query: name: ipinfo.io
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 34.117.59.81 34.117.59.81
Source: global traffic HTTP traffic detected: GET /json HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.4:49693 -> 89.44.9.236:9911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 89.44.9.236
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://t2.symcb.com0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://tl.symcd.com0&
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: json[1].json.2.dr String found in binary or memory: https://ipinfo.io/missingauth
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: https://www.advancedinstaller.com
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown DNS traffic detected: queries for: ipinfo.io

System Summary

Source: MSI5D1B.tmp.1.dr Static PE information: section name: -)JCkFdG
Source: MSI5D1B.tmp.1.dr Static PE information: section name: tUKiKjI(
Source: MSI5D1B.tmp.1.dr Static PE information: section name: >FM3ptLM
Source: MSI5D1B.tmp.1.dr Static PE information: section name: o[K?gVK3
Source: MSI5D1B.tmp.1.dr Static PE information: section name: QX]dab$M
Source: MSI5D1B.tmp.1.dr Static PE information: section name: 3MpwCE=\
Source: MSI5D1B.tmp.1.dr Static PE information: section name: i%>mQ21J
Source: MSI5D1B.tmp.1.dr Static PE information: section name: zG.-OP"_
Source: MSI5D1B.tmp.1.dr Static PE information: section name: N/Q"D33i
Source: MSI5D1B.tmp.1.dr Static PE information: section name: /1Noi&/e
Source: MSI5D1B.tmp.1.dr Static PE information: section name: H)8.=c%s
Source: MSI5D1B.tmp.1.dr Static PE information: section name: ]K1?IQ),
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI5A28.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3e573a.msi
Source: FACT64708.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs FACT64708.msi
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: security.dll
Source: MSI5D1B.tmp.1.dr Static PE information: Number of sections : 12 > 10
Source: Joe Sandbox View Dropped File: C:\Windows\Installer\MSI5A28.tmp 5316CFAE8B4D28AB7CBC5CAB60E27B0C0F5A3210A921A4B0560769C5021C911B
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FACT64708.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EC16BF9ACD034E20C79A272C76FEE245
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Local\52612023
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF0B319199736319C6.TMP
Source: classification engine Classification label: mal80.troj.evad.winMSI@4/13@1/2
Source: FACT64708.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 52.16%
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\OdoRxkqMGqDlwzYxLLNSWKJJNPqGTKcQ
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: FACT64708.msi Static file information: File size 6022656 > 1048576
Source: initial sample Static PE information: section where entry point is pointing to: H)8.=c%s
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5A28.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5AF4.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5D1B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5B53.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5BB2.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: D50007 value: E9 7B 4C 05 77
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 77DA4C80 value: E9 8E B3 FA 88
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: D60005 value: E9 FB BF FD 76
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 77D3C000 value: E9 0A 40 02 89
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 4580008 value: E9 AB E0 7F 73
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 77D7E0B0 value: E9 60 1F 80 8C
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 45A0005 value: E9 CB 5A 03 73
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 775D5AD0 value: E9 3A A5 FC 8C
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 45B0005 value: E9 5B B0 04 73
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 775FB060 value: E9 AA 4F FB 8C
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 45C0005 value: E9 DB F8 56 70
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 74B2F8E0 value: E9 2A 07 A9 8F
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 45E0005 value: E9 FB 42 57 70
Source: C:\Windows\SysWOW64\msiexec.exe Memory written: PID: 6920 base: 74B54300 value: E9 0A BD A8 8F
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5AF4.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5B53.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5BB2.tmp
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging

Source: C:\Windows\SysWOW64\msiexec.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation