Windows Analysis Report
https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine
Overview
General Information
Detection
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
System process connects to network (likely due to code injection or exploit)
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Modifies existing windows services
PE file contains an invalid checksum
Adds / modifies Windows certificates
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Contains functionality to retrieve information about pressed keystrokes
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- cmd.exe (PID: 7476 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - wget.exe (PID: 7564 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- msiexec.exe (PID: 7612 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\download\EpicInstaller-15.17.1-unrealEngine.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 8128 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 8156 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3BBD1DD15089631A9AFCF4304595035B C MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 7320 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBB31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7161484 5 CustomActionManaged!CustomActionManaged.CustomActions.ValidatePathLength MD5: 889B99C52A60DD49227C5E485A016679)
  - msiexec.exe (PID: 7244 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5854640CF7E0C4E3DEBC704E3691BC11 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 7592 cmdline: rundll32.exe "C:\Windows\Installer\MSI6187.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7168421 10 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendStart MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7356 cmdline: rundll32.exe "C:\Windows\Installer\MSI6C17.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7171125 16 CustomActionManaged!CustomActionManaged.CustomActions.SetStartupCmdlineArgs MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 352 cmdline: rundll32.exe "C:\Windows\Installer\MSI7447.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7173218 22 CustomActionManaged!CustomActionManaged.CustomActions.CheckReparsePoints MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 3452 cmdline: rundll32.exe "C:\Windows\Installer\MSIA49E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7251093 50 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendEnd MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 4592 cmdline: rundll32.exe "C:\Windows\Installer\MSIBD1A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7257359 59 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherEpicGamesDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7136 cmdline: rundll32.exe "C:\Windows\Installer\MSIC019.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7258125 65 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherInstallDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6692 cmdline: rundll32.exe "C:\Windows\Installer\MSIC3E2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7259093 71 CustomActionManaged!CustomActionManaged.CustomActions.SetServiceWrapperDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7516 cmdline: rundll32.exe "C:\Windows\Installer\MSICB46.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7260984 77 CustomActionManaged!CustomActionManaged.TelemetryActions.TelemetrySendStart MD5: 889B99C52A60DD49227C5E485A016679)
  - msiexec.exe (PID: 5928 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 326B4F743620B4FBE5E3F09E4CCFA871 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 6492 cmdline: rundll32.exe "C:\Windows\Installer\MSI19B0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7215609 31 CustomActionManaged!CustomActionManaged.CustomActions.MoveChainerToFolder MD5: 889B99C52A60DD49227C5E485A016679)
  - icacls.exe (PID: 7832 cmdline: "icacls.exe" "C:\Program Files (x86)\Epic Games\Launcher" /grant "BUILTIN\Users":(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)
  - conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - icacls.exe (PID: 5752 cmdline: "icacls.exe" "C:\ProgramData\Epic" /grant "BUILTIN\Users":(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)
  - conhost.exe (PID: 3864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - rundll32.exe (PID: 7580 cmdline: rundll32.exe "C:\Windows\Installer\MSIE2CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7267015 99 CustomActionManaged!CustomActionManaged.CustomActions.RegisterProductID MD5: 889B99C52A60DD49227C5E485A016679)
  - DXSETUP.exe (PID: 7320 cmdline: "C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent MD5: BF3F290275C21BDD3951955C9C3CF32C)
  - InstallChainer.exe (PID: 6688 cmdline: "C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\InstallChainer.exe" 44 "C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\EpicOnlineServices.msi" "EOSPRODUCTID=EpicGamesLauncher" "C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe" com.epicgames.launcher://unrealEngine MD5: 4A3181A2E93579124799A9B81263768E)
- SrTasks.exe (PID: 3568 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
  - conhost.exe (PID: 2448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched