Analysis Report
15e7232gfN.msi (Windows)
Overview
General Information
Detection
Score: 64 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for domain / URL
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Creates a thread in another existing process (thread injection)
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
AV process strings found (often used to terminate AV products)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a start menu entry (Start Menu\Programs\Startup)
Yara detected Keylogger Generic
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- msiexec.exe (PID: 7028, cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi", MD5: 4767B71A318E201188A0D0A420C8B608)
- msiexec.exe (PID: 4764, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: 4767B71A318E201188A0D0A420C8B608)
- msiexec.exe (PID: 7100, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- icacls.exe (PID: 7068, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 1236, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- expand.exe (PID: 5484, cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, MD5: 8F8C20238C1194A428021AC62257436D)
- conhost.exe (PID: 6052, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Autoit3.exe (PID: 4108, cmdline: "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3, MD5: C56B5F0201A3B3DE53E561FE76912BFD)
- cmd.exe (PID: 4696, cmdline: cmd.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- OLicenseHeartbeat.exe (PID: 3132, cmdline: C:\Program Files (x86)\common files\microsoft shared\OFFICE16\OLicenseHeartbeat.exe, MD5: CFD37109A4E595C2957C5E0ACC198E8A)
- icacls.exe (PID: 6980, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 4952, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- Autoit3.exe (PID: 7204, cmdline: "C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3, MD5: C56B5F0201A3B3DE53E561FE76912BFD)
- cmd.exe (PID: 7404, cmdline: cmd.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- ADelRCP.exe (PID: 8100, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- SciTE.exe (PID: 7396, cmdline: C:\Program Files (x86)\autoit3\SciTE\SciTE.exe, MD5: 91EE39F4A80F60A938095424EEF2C709)
- msinfo32.exe (PID: 5644, cmdline: C:\Program Files (x86)\common files\microsoft shared\MSInfo\msinfo32.exe, MD5: 29F917BF3DE95D7CE5B6B38CB7A895AB)
- MyProg.exe (PID: 8056, cmdline: C:\Program Files (x86)\autoit3\Examples\Helpfile\Extras\MyProg.exe, MD5: FE48113F3A78F980634E8CDACABF5091)
- ADelRCP.exe (PID: 8016, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- ADelRCP.exe (PID: 8024, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- ADelRCP.exe (PID: 8032, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- ADelRCP.exe (PID: 8040, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- ADelRCP.exe (PID: 8048, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- ADelRCP.exe (PID: 8064, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- ADelRCP.exe (PID: 8072, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- ADelRCP.exe (PID: 8080, cmdline: C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe, MD5: 408995FA63F7BA3E059C8E32356B86C4)
- cleanup
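The process list above shows a recognisable chain: an MSI custom-action server (MsiExec.exe -Embedding) stages files in a Temp\MW-<guid> directory, sets its integrity level with icacls, expands a .cab into it, runs Autoit3.exe from that directory with a .au3 script, and a second Autoit3.exe later runs from a random directory under C:\ProgramData. The following detection logic is an added example, not code from the Joe Sandbox report or from any vendor. The event records are constructed here from the PIDs and command lines listed on the page (plus one benign AutoIt launch added as a control); the minimal event schema (pid, image, cmdline), the rule names, and the choice to correlate on the MW- staging directory string instead of parent PIDs (which the flattened list does not preserve) are all assumptions of this example.

```python
"""Flag the MSI -> icacls/expand -> Autoit3.exe staging chain seen in the report.

Added example. Event schema (pid, image, cmdline) and rule names are assumed
for illustration; in real telemetry (e.g. Sysmon event ID 1) you would also
key on ParentProcessId, which the report's flattened process list lacks.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # basename of the executed image
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int        # 0 for correlation findings that span several processes
    detail: str


# Constructed from the process list on the page; the last entry is a benign
# control (an AutoIt run from Program Files) that must not be flagged.
EVENTS = [
    ProcEvent(7028, "msiexec.exe", r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\15e7232gfN.msi"'),
    ProcEvent(4764, "msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(7100, "MsiExec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding D8DD1A2B41DAA758FA08D3E85077DC6F"),
    ProcEvent(7068, "ICACLS.EXE", r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    ProcEvent(5484, "EXPAND.EXE", r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    ProcEvent(4108, "Autoit3.exe", r'"C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\files\Autoit3.exe" UGtZgHHT.au3'),
    ProcEvent(6980, "ICACLS.EXE", r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-bbb409b2-52bd-4ce9-ab77-086847a644a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW'),
    ProcEvent(7204, "Autoit3.exe", r'"C:\ProgramData\fkeabad\Autoit3.exe" C:\ProgramData\fkeabad\efghhgd.au3'),
    ProcEvent(8100, "ADelRCP.exe", r"C:\Program Files (x86)\adobe\Acrobat Reader DC\Reader\ADelRCP.exe"),
    ProcEvent(9001, "AutoIt3.exe", r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" "C:\Program Files (x86)\AutoIt3\Examples\test.au3"'),
]

# User-writable locations an installer's interpreter should not run from.
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
AU3_ARG = re.compile(r"\S+\.au3\b", re.I)
# The MW-<guid> staging directory that every step of the chain references.
STAGING_DIR = re.compile(r"\\Temp\\(MW-[0-9a-f-]{36})", re.I)
# icacls /SETINTEGRITYLEVEL [(CI)(OI)...]LEVEL
INTEGRITY = re.compile(r"/SETINTEGRITYLEVEL\s+(?:\([A-Z]+\))*(LOW|MEDIUM|HIGH)", re.I)
TEMP_PATH = re.compile(r"\\Temp\\", re.I)


def scan(events):
    """Return per-process findings plus one correlation finding per staging dir."""
    findings = []
    staging = defaultdict(set)   # staging dir (lowercased) -> images that touched it
    for ev in events:
        image = ev.image.lower()
        if image == "autoit3.exe":
            script = AU3_ARG.search(ev.cmdline)
            if script and USER_WRITABLE.search(ev.cmdline):
                findings.append(Finding("autoit_from_user_writable_path", ev.pid, script.group(0)))
        elif image == "icacls.exe":
            level = INTEGRITY.search(ev.cmdline)
            if level and TEMP_PATH.search(ev.cmdline):
                findings.append(Finding("icacls_integrity_on_temp", ev.pid, level.group(1).upper()))
        hit = STAGING_DIR.search(ev.cmdline)
        if hit:
            staging[hit.group(1).lower()].add(image)
    # Chain: the same MSI staging directory had its ACL changed and then hosted AutoIt.
    for directory, images in staging.items():
        if {"icacls.exe", "autoit3.exe"} <= images:
            findings.append(Finding("msi_staging_dir_runs_autoit", 0, directory))
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

Correlating on the staging directory string is a stand-in for parent-child linkage; with full telemetry the stronger rule is "MsiExec.exe -Embedding spawns icacls.exe or Autoit3.exe", since an embedded custom-action server launching an interpreter from Temp is the part of this chain a legitimate installer rarely needs.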
No configs have been found.

Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 
 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security | 

No Sigma rule has matched.
No Snort rule has matched.
AV Detection
- Virustotal: Perma Link (2 entries)
- Binary string (2 entries)
- File opened (25 entries)
- Code function (2 entries)
- File opened (6 entries)
Networking
- TCP traffic (1 entry)
- Network traffic detected (54 entries)
- ASN Name (1 entry)
- HTTP traffic detected (1 entry)