Windows Analysis Report
https://epicgames-download1.akamaized.net/Builds/UnrealEngineLauncher/Installers/Win32/EpicInstaller-15.17.1.msi?launcherfilename=EpicInstaller-15.17.1-unrealEngine.msi
Overview
General Information
Detection
Score: 52 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
System process connects to network (likely due to code injection or exploit)
Installs new ROOT certificates
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 2228 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://epicgames-download1.akamaized.net/Builds/UnrealEngineLauncher/Installers/Win32/EpicInstaller-15.17.1.msi?launcherfilename=EpicInstaller-15.17.1-unrealEngine.msi" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wget.exe (PID: 3812 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://epicgames-download1.akamaized.net/Builds/UnrealEngineLauncher/Installers/Win32/EpicInstaller-15.17.1.msi?launcherfilename=EpicInstaller-15.17.1-unrealEngine.msi" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
- msiexec.exe (PID: 6996 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\download\EpicInstaller-15.17.1-unrealEngine.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 2148 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 5168 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 58A23805EF6FEF63BB0D3241077B6055 C MD5: 9D09DC1EDA745A5F87553048E57620CF)
- rundll32.exe (PID: 2372 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI7BA8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5637875 5 CustomActionManaged!CustomActionManaged.CustomActions.ValidatePathLength MD5: 889B99C52A60DD49227C5E485A016679)
- msiexec.exe (PID: 3408 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3A9E928A23721413ED58A57A3ED0EE78 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- rundll32.exe (PID: 6544 cmdline: rundll32.exe "C:\Windows\Installer\MSI1EC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5644000 10 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendStart MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 2700 cmdline: rundll32.exe "C:\Windows\Installer\MSI2BC2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5647328 16 CustomActionManaged!CustomActionManaged.CustomActions.SetStartupCmdlineArgs MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 5520 cmdline: rundll32.exe "C:\Windows\Installer\MSI328B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5649046 22 CustomActionManaged!CustomActionManaged.CustomActions.CheckReparsePoints MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 5588 cmdline: rundll32.exe "C:\Windows\Installer\MSI7793.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5732234 50 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendEnd MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 1408 cmdline: rundll32.exe "C:\Windows\Installer\MSI90CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5738687 59 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherEpicGamesDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 516 cmdline: rundll32.exe "C:\Windows\Installer\MSI95CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5739984 65 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherInstallDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6828 cmdline: rundll32.exe "C:\Windows\Installer\MSI988C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5740671 71 CustomActionManaged!CustomActionManaged.CustomActions.SetServiceWrapperDirLoc MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 652 cmdline: rundll32.exe "C:\Windows\Installer\MSIA08C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5742718 77 CustomActionManaged!CustomActionManaged.TelemetryActions.TelemetrySendStart MD5: 889B99C52A60DD49227C5E485A016679)
- msiexec.exe (PID: 4720 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding ADCB3C50BD4A94372326895BA9237D2A E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- rundll32.exe (PID: 652 cmdline: rundll32.exe "C:\Windows\Installer\MSIE11B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5693781 31 CustomActionManaged!CustomActionManaged.CustomActions.MoveChainerToFolder MD5: 889B99C52A60DD49227C5E485A016679)
- icacls.exe (PID: 2276 cmdline: "icacls.exe" "C:\Program Files (x86)\Epic Games\Launcher" /grant "BUILTIN\Users":(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)
- conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- icacls.exe (PID: 6668 cmdline: "icacls.exe" "C:\ProgramData\Epic" /grant "BUILTIN\Users":(OI)(CI)F MD5: 2E49585E4E08565F52090B144062F97E)
- conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 6784 cmdline: rundll32.exe "C:\Windows\Installer\MSIB774.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5748578 99 CustomActionManaged!CustomActionManaged.CustomActions.RegisterProductID MD5: 889B99C52A60DD49227C5E485A016679)
- DXSETUP.exe (PID: 4708 cmdline: "C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent MD5: BF3F290275C21BDD3951955C9C3CF32C)
- InstallChainer.exe (PID: 4800 cmdline: "C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\InstallChainer.exe" 44 "C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\EpicOnlineServices.msi" "EOSPRODUCTID=EpicGamesLauncher" "C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe" com.epicgames.launcher://unrealEngine MD5: 4A3181A2E93579124799A9B81263768E)
- SrTasks.exe (PID: 6208 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
- conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
No configs have been found
No yara matches
Sigma rule author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
No Snort rule has matched