Windows Analysis Report
msiexec.exe

Overview

General Information

Sample name: msiexec.exe
Analysis ID: 1523484
MD5: c0d3bdde74c1ec82f75681d4d5ed44c8
SHA1: 8e743c5c800ce7f26d91c4bc9c5be41ab15d9bf9
SHA256: ea2aa4ed1ff50d0f2e0a9c1df1960265aa28bf8da542469c0530a09b6da445d2

Detection

Score: 25
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Sigma detected: System File Execution Location Anomaly
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Source: msiexec.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: msiexec.pdb source: msiexec.exe
Source: Binary string: msiexec.pdbOGPS source: msiexec.exe
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8916068 0_2_00007FF7E8916068
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E89135D4 0_2_00007FF7E89135D4
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E891819B 0_2_00007FF7E891819B
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8913F08 0_2_00007FF7E8913F08
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8913AF0 0_2_00007FF7E8913AF0
Source: msiexec.exe Binary or memory string: OriginalFilename vs msiexec.exe
Source: classification engine Classification label: sus25.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E89120BC GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError, 0_2_00007FF7E89120BC
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E89191BC StartServiceCtrlDispatcherW,GetLastError, 0_2_00007FF7E89191BC
Source: msiexec.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\msiexec.exe Section loaded: wintypes.dll
Source: msiexec.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: msiexec.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: msiexec.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: msiexec.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: msiexec.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: msiexec.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: msiexec.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: msiexec.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: msiexec.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msiexec.pdb source: msiexec.exe
Source: Binary string: msiexec.pdbOGPS source: msiexec.exe
Source: msiexec.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: msiexec.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: msiexec.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: msiexec.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: msiexec.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: msiexec.exe Static PE information: 0xFE3155BD [Sat Feb 21 07:54:37 2105 UTC]
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8912A08 LoadLibraryW,GetProcAddress, 0_2_00007FF7E8912A08
Source: msiexec.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E89191BC StartServiceCtrlDispatcherW,GetLastError, 0_2_00007FF7E89191BC
Source: C:\Users\user\Desktop\msiexec.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\msiexec.exe API coverage: 6.9 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E891A560 DelayLoadFailureHook,LdrResolveDelayLoadedAPI,LoadLibraryExA,memset,FreeLibrary,GetProcAddress,DelayLoadFailureHook, 0_2_00007FF7E891A560
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8915934 GetLastError,RegQueryValueExW,RegCloseKey,GlobalFree,RegCreateKeyExW,RegSetValueExW,lstrlenW,RegSetValueExW,RegCloseKey,memset,OutputDebugStringW,SetLastError, 0_2_00007FF7E8915934
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8912A08 LoadLibraryW,GetProcAddress, 0_2_00007FF7E8912A08
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E89118FE SetUnhandledExceptionFilter, 0_2_00007FF7E89118FE
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E89114B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7E89114B4
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8913F08 AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,GetLengthSid,memset,GlobalAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetAce,GetLastError,GetLastError,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetSecurityDescriptorLength,MakeSelfRelativeSD,GetLastError,GetLastError,GetLastError, 0_2_00007FF7E8913F08
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E89138C8 AllocateAndInitializeSid,GetLastError,GetLengthSid,FreeSid,GetLengthSid,FreeSid, 0_2_00007FF7E89138C8
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8912F1C memset,GetACP,LoadLibraryW,GetProcAddress,GetLocaleInfoW,FreeLibrary,FormatMessageW,memset,GetVersionExW,GlobalFree,lstrlenW,WriteFile,WriteFile, 0_2_00007FF7E8912F1C
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8911AD4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter, 0_2_00007FF7E8911AD4
Source: C:\Users\user\Desktop\msiexec.exe Code function: 0_2_00007FF7E8916068 GetVersionExW,GetCommandLineW,GetStdHandle,GetFileType,memset,memset,GlobalFree,RegQueryValueExW,RegCloseKey,RegQueryValueExW,RegCloseKey,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CompareStringW,CompareStringW,CompareStringW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,memset,lstrlenW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CoInitialize,CoRegisterClassObject,GlobalFree,OpenEventW,WaitForSingleObject,CloseHandle,GlobalFree,GetCurrentThread,OpenThreadToken,GetLastError,GlobalFree,RevertToSelf,RegCloseKey,RegEnumKeyW,RevertToSelf,GetCurrentProcess,OpenProcessToken,GetTokenInformation,EqualSid,CloseHandle,GetLastError,memset,GlobalFree,GlobalFree,CloseHandle,GlobalFree,MakeAbsoluteSD,GetLastError,CloseHandle,CloseHandle,CreateEventW,CloseHandle,GetLastError,CreateEventW,CloseHandle,GetLastError,GlobalFree,CloseHandle,CloseHandle,CloseHandle,OpenProcess,CloseHandle,GetLastError,CloseHandle,CloseHandle,GlobalFree,MsgWaitForMultipleObjects,CloseHandle,OpenProcess,PeekMessageW,TranslateMessage,DispatchMessageW,CloseHandle,GetLastError,CloseHandle,CloseHandle,CoRevokeClassObject,CoUninitialize,GlobalFree,GlobalFree,GetLastError,GetMessageW,TranslateMessage,DispatchMessageW, 0_2_00007FF7E8916068
No contacted IP infos