Windows Analysis Report
0ZIA3G5du5.msi

Overview

General Information

Sample name: 0ZIA3G5du5.msi
renamed because original name is a hash value
Original sample name: 7e77e6fe78a251876f9eabc44371d3468997b0294839bef525f61a14399a1aaa.msi
Analysis ID: 1527962
MD5: e242caca61066e26952263bf8adcc37e
SHA1: e63ca3dc01ac4fda3a6ece6ff6a2cb38135def9e
SHA256: 7e77e6fe78a251876f9eabc44371d3468997b0294839bef525f61a14399a1aaa
Tags: msiuser-JAMESWT_MHT

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Checks for available system drives (often done to infect USB drives)
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection

Source: 0ZIA3G5du5.msi Avira: detected
Source: 0ZIA3G5du5.msi ReversingLabs: Detection: 13%
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: 0ZIA3G5du5.msi String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: 0ZIA3G5du5.msi String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: 0ZIA3G5du5.msi String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: 0ZIA3G5du5.msi String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: 0ZIA3G5du5.msi String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: 0ZIA3G5du5.msi String found in binary or memory: http://ocsps.ssl.com0
Source: 0ZIA3G5du5.msi String found in binary or memory: http://ocsps.ssl.com0?
Source: 0ZIA3G5du5.msi String found in binary or memory: http://ocsps.ssl.com0Q
Source: 0ZIA3G5du5.msi String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: 0ZIA3G5du5.msi String found in binary or memory: https://www.ssl.com/repository0
Source: classification engine Classification label: mal42.winMSI@2/0@0/0
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: 0ZIA3G5du5.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\0ZIA3G5du5.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 0ZIA3G5du5.msi Static file information: File size 12447744 > 1048576
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos