
Windows Analysis Report
FACT64708.msi

Overview

General Information

Sample Name:FACT64708.msi
Analysis ID:876175
MD5:03fc44504a830c0bde2155d2343c07bd
SHA1:99927989853f4d8b4a1180f25c48c37a3c763f65
SHA256:6dfd76c513f8c4216b7c0efeab797f22db13bb265fafffbb69d735b64801c4a8

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
May check the online IP address of the machine
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Entry point lies outside standard sections
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains more sections than normal
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware

Classification

  • System is w10x64
  • msiexec.exe (PID: 6836 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FACT64708.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 6800 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 6920 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EC16BF9ACD034E20C79A272C76FEE245 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: FACT64708.msi | ReversingLabs: Detection: 22%
Source: FACT64708.msi | Virustotal: Detection: 20%
Source: C:\Windows\Installer\MSI5D1B.tmp | Avira: detection malicious, Label: HEUR/AGEN.1360814
Source: C:\Windows\Installer\MSI5D1B.tmp | ReversingLabs: Detection: 47%
Source: unknown | HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.4:49692 version: TLS 1.2
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb | source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg | source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr
Source: C:\Windows\System32\msiexec.exe | File opened: a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z: (every drive letter except d: is probed in turn; this is the evidence behind "Checks for available system drives")

Networking

Source: C:\Windows\SysWOW64\msiexec.exe | DNS query: name: ipinfo.io
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 34.117.59.81
Source: global traffic | HTTP traffic detected:
  GET /json HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: ipinfo.io
  Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.4:49693 -> 89.44.9.236:9911
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 89.44.9.236
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: json[1].json.2.dr | String found in binary or memory: https://ipinfo.io/missingauth
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: FACT64708.msi, MSI5AF4.tmp.1.dr, MSI5A28.tmp.1.dr, MSI5B53.tmp.1.dr, MSI5BB2.tmp.1.dr, 3e573a.msi.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown | DNS traffic detected: queries for: ipinfo.io
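The network evidence above all comes from the SysWOW64 msiexec.exe, which in the process tree is the 32-bit custom action server (PID 6920, started with -Embedding), so it is the installer's custom action code that performs the lookup, not msiexec itself. Two caveats before turning this into detection: ipinfo.io is a public geolocation API, so 34.117.59.81 is that service's address and should be treated as context rather than as an indicator; and the decrypted GET shown in the report is visible because the sandbox intercepts TLS, so on a plain network sensor you would only have the hostname and port. The script below is an added example (not Joe Sandbox's code or anything from the sample) that expresses the three behaviours the report flags as rules over a constructed event feed: an installer process resolving and querying an IP-lookup service, a legacy IE user agent from a non-browser process, and a TCP connection on a non-standard port to an address no DNS answer produced. It assumes an EDR or proxy feed that supplies process name, DNS answers and HTTP headers; the event shapes, the host and process allow-lists, the port set and the chrome.exe control events are all assumptions.

```python
import re

# Constructed events in the shape of what the report shows: the 32-bit custom
# action server (syswow64 MsiExec.exe, PID 6920 in the process tree) resolving
# ipinfo.io, fetching /json with a legacy IE user agent, then connecting to
# 89.44.9.236:9911 with no DNS lookup. The chrome.exe events are a benign control.
# Timestamps and the chrome.exe PID are invented; nothing here is a sandbox export.
EVENTS = [
    {"t": 1, "kind": "dns", "proc": "msiexec.exe", "pid": 6920,
     "query": "ipinfo.io", "answer": "34.117.59.81"},
    {"t": 2, "kind": "http", "proc": "msiexec.exe", "pid": 6920,
     "dst": "34.117.59.81", "dport": 443, "host": "ipinfo.io", "path": "/json",
     "ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; "
           ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"},
    {"t": 3, "kind": "tcp", "proc": "msiexec.exe", "pid": 6920,
     "dst": "89.44.9.236", "dport": 9911},
    {"t": 4, "kind": "dns", "proc": "chrome.exe", "pid": 4321,
     "query": "ipinfo.io", "answer": "34.117.59.81"},
    {"t": 5, "kind": "http", "proc": "chrome.exe", "pid": 4321,
     "dst": "34.117.59.81", "dport": 443, "host": "ipinfo.io", "path": "/json",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/114.0 Safari/537.36"},
]

# Tunables (assumptions, not from the report): which hosts count as IP-lookup
# services, which processes should never perform such lookups, which processes
# may legitimately present a browser UA, and which destination ports are "standard".
IP_LOOKUP_HOSTS = {"ipinfo.io"}
INSTALLER_PROCS = {"msiexec.exe"}
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
STANDARD_PORTS = {53, 80, 443, 8080}
LEGACY_IE_UA = re.compile(r"MSIE [5-9]\.\d|Trident/")


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours the report flags."""
    resolved = set()  # IPs seen in DNS answers so far; "no corresponding DNS query" = not in here
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["kind"]
        if kind == "dns":
            resolved.add(ev["answer"])
            if ev["query"] in IP_LOOKUP_HOSTS and ev["proc"] in INSTALLER_PROCS:
                alerts.append(("installer_ip_lookup", ev["pid"],
                               f"{ev['proc']} resolved {ev['query']}"))
        elif kind == "http":
            if ev["host"] in IP_LOOKUP_HOSTS and ev["proc"] in INSTALLER_PROCS:
                alerts.append(("installer_ip_lookup", ev["pid"],
                               f"{ev['proc']} GET {ev['host']}{ev['path']}"))
            if ev["proc"] not in BROWSER_PROCS and LEGACY_IE_UA.search(ev["ua"]):
                alerts.append(("browser_ua_from_non_browser", ev["pid"], ev["ua"]))
        elif kind == "tcp":
            if ev["dst"] not in resolved and ev["dport"] not in STANDARD_PORTS:
                alerts.append(("tcp_without_dns_on_nonstandard_port", ev["pid"],
                               f"{ev['dst']}:{ev['dport']}"))
    return alerts


def pids_to_contain(events):
    """PIDs that trip more than one distinct rule: the ones worth isolating first."""
    hits = {}
    for rule, pid, _ in detect(events):
        hits.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in hits.items() if len(rules) > 1)


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
    print("contain:", pids_to_contain(EVENTS))
```

Run as-is, the msiexec.exe events produce four alerts across three rules and the chrome.exe control produces none, which is the point: the same ipinfo.io lookup from a browser with a current user agent is noise, while the combination of parent process, legacy UA and the undeclared 89.44.9.236:9911 connection is the signal.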

System Summary

Source: MSI5D1B.tmp.1.dr | Static PE information: section name: -)JCkFdG
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: tUKiKjI(
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: >FM3ptLM
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: o[K?gVK3
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: QX]dab$M
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: 3MpwCE=\
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: i%>mQ21J
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: zG.-OP"_
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: N/Q"D33i
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: /1Noi&/e
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: H)8.=c%s
Source: MSI5D1B.tmp.1.dr | Static PE information: section name: ]K1?IQ),
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI5A28.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3e573a.msi
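The twelve section names above all belong to MSI5D1B.tmp, the same dropped file that carries the Avira and ReversingLabs hits, and they are what drives the "section with special chars", "more sections than normal" and "Entry point lies outside standard sections" signatures. The other MSI*.tmp files and 3e573a.msi contain the AICustAct.pdb path and the advancedinstaller.com URL, which identify Advanced Installer's custom action DLL and the installer framework, so they are packaging tooling rather than the payload. The script below is an added example (not Joe Sandbox's code) that reproduces those three static checks by reading the COFF header and section table directly with struct, with no third-party PE library. It builds two header-only images in memory to exercise the checks: a plain three-section one, and one constructed to carry the twelve reported names. The set of "standard" section names, the character class that counts as clean, and the section-count threshold are assumptions, as are the virtual addresses and entry point of the constructed images.

```python
import re
import struct

# Section names a normal MSVC/MinGW/Delphi build produces (assumed baseline, not from the report).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".pdata", ".bss", ".tls", ".CRT", ".gfids",
                     ".00cfg", ".didat", "CODE", "DATA", "BSS"}
CLEAN_NAME = re.compile(r"^[A-Za-z0-9_.$]+$")   # "special chars" = anything outside this (assumption)
TYPICAL_MAX_SECTIONS = 8                        # heuristic threshold (assumption)
SECTION_HDR = "<8sIIIIIIHHI"                    # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (entry_rva, [(name, virtual_address, virtual_size), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint, same offset for PE32/PE32+
    sections = []
    for i in range(n_sections):
        raw_name, vsize, va = struct.unpack_from(SECTION_HDR, data, opt + opt_size + i * 40)[:3]
        sections.append((raw_name.rstrip(b"\0").decode("latin-1"), va, vsize))
    return entry_rva, sections


def analyze(data: bytes):
    """The report's static checks: odd section names, section count, and where the entry point lands."""
    entry_rva, sections = parse_pe(data)
    findings = []
    for name, _va, _vs in sections:
        if not CLEAN_NAME.match(name):
            findings.append(f"section with special chars: {name!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name!r}")
    if len(sections) > TYPICAL_MAX_SECTIONS:
        findings.append(f"more sections than normal: {len(sections)}")
    entry_sec = next((n for n, va, vs in sections if va <= entry_rva < va + vs), None)
    if entry_sec is None:
        findings.append(f"entry point 0x{entry_rva:x} lies outside every section")
    elif entry_sec not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections (in {entry_sec!r})")
    return findings


def build_pe(sections, entry_rva):
    """Build a minimal PE32 header-only image (no section data) for exercising the checks."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack(SECTION_HDR, name.encode("latin-1"), vs, va, 0, 0, 0, 0, 0, 0, 0x60000020)
                     for name, va, vs in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: a plain three-section image, and one carrying the twelve section
# names the report lists for MSI5D1B.tmp with the entry point inside the first of them.
CLEAN_IMAGE = build_pe([(".text", 0x1000, 0x1000), (".rdata", 0x2000, 0x1000), (".data", 0x3000, 0x1000)], 0x1200)
REPORTED_NAMES = ["-)JCkFdG", "tUKiKjI(", ">FM3ptLM", "o[K?gVK3", "QX]dab$M", "3MpwCE=\\",
                  "i%>mQ21J", 'zG.-OP"_', 'N/Q"D33i', "/1Noi&/e", "H)8.=c%s", "]K1?IQ),"]
SUSPICIOUS_IMAGE = build_pe([(".text", 0x1000, 0x1000)] +
                            [(n, 0x2000 + i * 0x1000, 0x1000) for i, n in enumerate(REPORTED_NAMES)], 0x2010)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("suspicious", SUSPICIOUS_IMAGE)):
        print(label, analyze(img) or "no findings")
```

Pointing parse_pe at the real dropped file (read it in binary mode and pass the bytes) gives the same section listing the report shows; the analyzer deliberately ignores section data and raw sizes, because for a packed or obfuscated file like this one the header alone already carries the verdict.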