Windows Analysis Report
SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Overview

General Information

Sample name: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Analysis ID: 1528394
MD5: 92681069e44b7c1b334918e0798b8f62
SHA1: 6bcb489231bca02206dbe64b77847845feba886a
SHA256: 3bb7e9cfac722b0bfbbb8764d8916918debf99ff71ccd0979b12e0ab8c60d8cb
Tags: msi

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Queries Google from non browser process on port 80
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Drops PE files
Found dropped PE file which has not been started or loaded
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection

Classification

Source: Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb( source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB521.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB463.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\aipackagechainer.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.6:49715 -> 142.250.185.196:80
Source: C:\Windows\SysWOW64\msiexec.exe HTTP traffic: GET / HTTP/1.1 Accept: */* User-Agent: AdvancedInstaller Host: www.google.com Connection: Keep-Alive Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Accept: */* User-Agent: AdvancedInstaller Host: www.google.com Connection: Keep-Alive Cache-Control: no-cache
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB521.tmp.0.dr String found in binary or memory: http://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmp0123456789AaBbCcDdEeFffile:///file://01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IlocalhostROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer []Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute ServerFailed to create IWbemLocator object. Error code: \\NTLMDOMAIN:Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code: Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection equals www.yahoo.com (Yahoo)
Source: tinB52C.tmp.part.3.dr String found in binary or memory: [HTML of the fetched Google homepage, omitted] equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: tinB52C.tmp.part.3.dr String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://minisoftupdate.com/download/set.msi/qnf(1
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: http://ocsp.sectigo.com0#
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://s.symcd.com06
Source: tinB52C.tmp.part.3.dr String found in binary or memory: http://schema.org/WebPage
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://t2.symcb.com0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: tinB52C.tmp.part.3.dr String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: https://d.symcb.com/rpa0.
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://drive.google.com/?tab=wo
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://news.google.com/?tab=wn
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Source: tinB52C.tmp.part.3.dr String found in binary or memory: https://www.youtube.com/?tab=w1
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi Binary or memory string: OriginalFileNameaipackagechainer.exe vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: classification engine Classification label: mal52.winMSI@4/10@1/1
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 50AE91573DE534A9A96FD2BF23C4165F C
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mstask.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi Static file information: File size 2909696 > 1048576
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBD40.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB463.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB474.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSID1C3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB521.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIB443.tmp
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBD40.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB463.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB474.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID1C3.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB521.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB443.tmp
Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\msiexec.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: MSIB521.tmp.0.dr Binary or memory string: http://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmp0123456789AaBbCcDdEeFffile:///file://01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IlocalhostROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer []Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute ServerFailed to create IWbemLocator object. Error code: \\NTLMDOMAIN:Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code: Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob