Windows Analysis Report
https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine
Overview
General Information
Detection
Score: 52 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
System process connects to network (likely due to code injection or exploit)
Installs new ROOT certificates
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 7376 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - wget.exe (PID: 7468 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=unrealEngine" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- msiexec.exe (PID: 7512 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\download\EpicInstaller-15.17.1-unrealEngine.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 7620 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 7688 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3379FA005630E281021E10ABF0833973 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 7832 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIF205.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6258031 5 CustomActionManaged!CustomActionManaged.CustomActions.ValidatePathLength MD5: 889B99C52A60DD49227C5E485A016679)
  - msiexec.exe (PID: 8008 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6DDBC6123A982D9C4D5B9AF95A155AEC MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 8060 cmdline: rundll32.exe "C:\Windows\Installer\MSI97AF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6264812 10 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendStart MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6764 cmdline: rundll32.exe "C:\Windows\Installer\MSIA28D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6267546 16 CustomActionManaged!CustomActionManaged.CustomActions.SetStartupCmdlineArgs MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 8148 cmdline: rundll32.exe "C:\Windows\Installer\MSIABB7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6269906 22 CustomActionManaged!CustomActionManaged.CustomActions.CheckReparsePoints MD5: 889B99C52A60DD49227C5E485A016679)
  - dllhost.exe (PID: 8060 cmdline: C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  - rundll32.exe (PID: 5896 cmdline: rundll32.exe "C:\Windows\Installer\MSIFF36.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6356796 50 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendEnd MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7056 cmdline: rundll32.exe "C:\Windows\Installer\MSI1A42.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6363718 59 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherEpicGamesDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 7120 cmdline: rundll32.exe "C:\Windows\Installer\MSI1D31.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6364453 65 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherInstallDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6384 cmdline: rundll32.exe "C:\Windows\Installer\MSI20AC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6365343 71 CustomActionManaged!CustomActionManaged.CustomActions.SetServiceWrapperDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 6912 cmdline: rundll32.exe "C:\Windows\Installer\MSI27A3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6367140 77 CustomActionManaged!CustomActionManaged.TelemetryActions.TelemetrySendStart MD5: 889B99C52A60DD49227C5E485A016679)
  - msiexec.exe (PID: 7344 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5E1CFD1B25D2F4396E43D244C9E329C6 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - rundll32.exe (PID: 7568 cmdline: rundll32.exe "C:\Windows\Installer\MSI593D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6314375 31 CustomActionManaged!CustomActionManaged.CustomActions.MoveChainerToFolder MD5: 889B99C52A60DD49227C5E485A016679)
  - icacls.exe (PID: 7220 cmdline: "icacls.exe" "C:\Program Files (x86)\Epic Games\Launcher" /grant "BUILTIN\Users":(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)
  - conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - icacls.exe (PID: 5812 cmdline: "icacls.exe" "C:\ProgramData\Epic" /grant "BUILTIN\Users":(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)
  - conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - rundll32.exe (PID: 2688 cmdline: rundll32.exe "C:\Windows\Installer\MSI3FA3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6373250 99 CustomActionManaged!CustomActionManaged.CustomActions.RegisterProductID MD5: 889B99C52A60DD49227C5E485A016679)
  - DXSETUP.exe (PID: 8 cmdline: "C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent MD5: BF3F290275C21BDD3951955C9C3CF32C)
  - InstallChainer.exe (PID: 6668 cmdline: "C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\InstallChainer.exe" 44 "C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\EpicOnlineServices.msi" "EOSPRODUCTID=EpicGamesLauncher" "C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe" com.epicgames.launcher://unrealEngine MD5: 4A3181A2E93579124799A9B81263768E)
- SrTasks.exe (PID: 1848 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
  - conhost.exe (PID: 3128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
No yara matches
Sigma rule author(s): James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
No Snort rule has matched