Edit tour

Windows Analysis Report
SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Overview

General Information

Sample name:	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Analysis ID:	1528394
MD5:	92681069e44b7c1b334918e0798b8f62
SHA1:	6bcb489231bca02206dbe64b77847845feba886a
SHA256:	3bb7e9cfac722b0bfbbb8764d8916918debf99ff71ccd0979b12e0ab8c60d8cb
Tags:	msi
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

Queries Google from non browser process on port 80

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Drops PE files

Found dropped PE file which has not been started or loaded

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 280 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6688 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6732 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 50AE91573DE534A9A96FD2BF23C4165F C MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 142.250.185.196, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 6732, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T21:53:02.522699+0200	2829202	1	A Network Trojan was detected	192.168.2.6	49715	142.250.185.196	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb( source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB521.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB463.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aipackagechainer.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.6:49715 -> 142.250.185.196:80

Queries Google from non browser process on port 80

Source: C:\Windows\SysWOW64\msiexec.exe

HTTP traffic: GET / HTTP/1.1 Accept: */* User-Agent: AdvancedInstaller Host: www.google.com Connection: Keep-Alive Cache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: www.google.comConnection: Keep-AliveCache-Control: no-cache

Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB521.tmp.0.dr	String found in binary or memory: http://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmp0123456789AaBbCcDdEeFffile:///file://01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IlocalhostROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer []Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute ServerFailed to create IWbemLocator object. Error code: \\NTLMDOMAIN:Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code: Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection equals www.yahoo.com (Yahoo)
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a> <a class=gb1 href="https://news.google.com/?tab=wn">News</a> <a class=gb1 href="https://mail.google.com/mail/?tab=wm">Gmail</a> <a class=gb1 href="https://drive.google.com/?tab=wo">Drive</a> <a class=gb1 style="text-decoration:none" href="https://www.google.com/intl/en/about/products?tab=wh"><u>More</u> »</a></nobr></div><div id=guser width=100%><nobr><span id=gbn class=gbi></span><span id=gbf class=gbf></span><span id=gbe></span><a href="http://www.google.com/history/optout?hl=en" class=gb4>Web History</a> \| <a href="/preferences?hl=en" class=gb4>Settings</a> \| <a target=_top id=gb_70 href="https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAAQ" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div class=gbh style=right:0></div></div><center><br clear="all" id="lgpd"><div id="XjhHGf"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png" style="padding:28px 0 14px" width="272" id="hplogo"><br><br></div><form action="/search" name="f"><table cellpadding="0" cellspacing="0"><tr valign="top"><td width="25%"> </td><td align="center" nowrap=""><input name="ie" value="ISO-8859-1" type="hidden"><input value="en" name="hl" type="hidden"><input name="source" type="hidden" value="hp"><input name="biw" type="hidden"><input name="bih" type="hidden"><div class="ds" style="height:32px;margin:4px 0"><input class="lst" style="margin:0;padding:5px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id="tsuid_1" value="I'm Feeling Lucky" name="btnI" type="submit"><script nonce="jVxfGH7n5fEjNj-o102qwA">(function(){var id='tsuid_1';document.getElementById(id).onclick = function(){if (this.form.q.value){this.checked = 1;if (this.form.iflsig)this.form.iflsig.disabled = false;} equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://minisoftupdate.com/download/set.msi/qnf(1
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: http://ocsp.sectigo.com0#
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://s.symcd.com06
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: http://schema.org/WebPage
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://drive.google.com/?tab=wo
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://news.google.com/?tab=wn
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	String found in binary or memory: https://sectigo.com/CPS0
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: tinB52C.tmp.part.3.dr	String found in binary or memory: https://www.youtube.com/?tab=w1

Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	Binary or memory string: OriginalFilenamePrereq.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	Binary or memory string: OriginalFileNameaipackagechainer.exe vs SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Source: classification engine

Classification label: mal52.winMSI@4/10@1/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 50AE91573DE534A9A96FD2BF23C4165F C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 50AE91573DE534A9A96FD2BF23C4165F C	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mstask.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Static file information: File size 2909696 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb( source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB521.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB463.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\aipackagechainer.pdb source: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBD40.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB463.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB474.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSID1C3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB521.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIB443.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBD40.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB463.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB474.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSID1C3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB521.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIB443.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: MSIB521.tmp.0.dr

Binary or memory string: http://www.google.comhttp://www.yahoo.comhttp://www.example.comtin9999.tmp0123456789AaBbCcDdEeFffile:///file://01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IlocalhostROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer []Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute ServerFailed to create IWbemLocator object. Error code: \\NTLMDOMAIN:Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code: Wow64DisableWow64FsRedirectionWow64RevertWow64FsRedirection

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	32 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB443.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB463.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB474.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIB521.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBD40.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID1C3.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://schema.org/WebPage	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.250.185.196	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.google.com/	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/?hl=en&tab=w8	tinB52C.tmp.part.3.dr	false		unknown
https://www.google.com/intl/en/about/products?tab=wh	tinB52C.tmp.part.3.dr	false		unknown
https://www.google.com/imghp?hl=en&tab=wi	tinB52C.tmp.part.3.dr	false		unknown
https://sectigo.com/CPS0	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false	URL Reputation: safe	unknown
https://www.thawte.com/cps0/	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	false		unknown
http://minisoftupdate.com/download/set.msi/qnf(1	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false		unknown
http://www.google.com/history/optout?hl=en	tinB52C.tmp.part.3.dr	false		unknown
https://drive.google.com/?tab=wo	tinB52C.tmp.part.3.dr	false		unknown
https://www.thawte.com/repository0W	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	false		unknown
http://maps.google.com/maps?hl=en&tab=wl	tinB52C.tmp.part.3.dr	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false	URL Reputation: safe	unknown
https://www.advancedinstaller.com	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi, MSIB443.tmp.0.dr, MSIB3C5.tmp.0.dr, MSIB474.tmp.0.dr, MSIB521.tmp.0.dr, MSIBD40.tmp.0.dr, MSID1C3.tmp.0.dr, MSIB463.tmp.0.dr	false		unknown
https://news.google.com/?tab=wn	tinB52C.tmp.part.3.dr	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false	URL Reputation: safe	unknown
https://mail.google.com/mail/?tab=wm	tinB52C.tmp.part.3.dr	false		unknown
http://ocsp.sectigo.com0#	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi	false		unknown
http://schema.org/WebPage	tinB52C.tmp.part.3.dr	false	URL Reputation: safe	unknown
https://www.youtube.com/?tab=w1	tinB52C.tmp.part.3.dr	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.185.196	www.google.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528394
Start date and time:	2024-10-07 21:52:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
Detection:	MAL
Classification:	mal52.winMSI@4/10@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp	AnyDesk.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp	AnyDesk.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIB443.tmp	AnyDesk.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIB443.tmp	AnyDesk.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIB463.tmp	AnyDesk.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIB463.tmp	AnyDesk.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	345248
Entropy (8bit):	6.433823008299267
Encrypted:	false
SSDEEP:	6144:XRk+8r6fC+fXQMpCNZABJsRrD6ZAOXtAQgxDVkQ:K+8r6ZQMpsZwLNtODVkQ
MD5:	DFE7442A09A0809F22E0806040A0202E
SHA1:	E6F76A86FA46E8E2C659C1C326457E6EB6B253F6
SHA-256:	1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
SHA-512:	331C295D0CAEE203AB3E789F5C1060C3C01E99168C44EA33ECA5252F3BC2D50E4D7AF7DBC7D5F70A4B5FA7C9754DABAA576594B12A68F71BB8E534891045A197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AnyDesk.msi, Detection: malicious, Browse Filename: AnyDesk.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........F.u.F.u.F.u..w..H.u..w....u..w..[.u...v.P.u...q.f.u...p.~.u.O...C.u.O...[.u.F.t.s.u.,.\|...u.,.u.G.u.,...G.u.F...G.u.,.w.G.u.RichF.u.................PE..L...]5.[.........."!.....@...................P...............................`.......U....@.........................@...................0............*....... ..T<...}..p............................}..@............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...P...........................@....rsrc...0...........................@..@.reloc..T<... ...>..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB443.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	345248
Entropy (8bit):	6.433823008299267
Encrypted:	false
SSDEEP:	6144:XRk+8r6fC+fXQMpCNZABJsRrD6ZAOXtAQgxDVkQ:K+8r6ZQMpsZwLNtODVkQ
MD5:	DFE7442A09A0809F22E0806040A0202E
SHA1:	E6F76A86FA46E8E2C659C1C326457E6EB6B253F6
SHA-256:	1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
SHA-512:	331C295D0CAEE203AB3E789F5C1060C3C01E99168C44EA33ECA5252F3BC2D50E4D7AF7DBC7D5F70A4B5FA7C9754DABAA576594B12A68F71BB8E534891045A197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AnyDesk.msi, Detection: malicious, Browse Filename: AnyDesk.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........F.u.F.u.F.u..w..H.u..w....u..w..[.u...v.P.u...q.f.u...p.~.u.O...C.u.O...[.u.F.t.s.u.,.\|...u.,.u.G.u.,...G.u.F...G.u.,.w.G.u.RichF.u.................PE..L...]5.[.........."!.....@...................P...............................`.......U....@.........................@...................0............*....... ..T<...}..p............................}..@............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...P...........................@....rsrc...0...........................@..@.reloc..T<... ...>..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB463.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	345248
Entropy (8bit):	6.433823008299267
Encrypted:	false
SSDEEP:	6144:XRk+8r6fC+fXQMpCNZABJsRrD6ZAOXtAQgxDVkQ:K+8r6ZQMpsZwLNtODVkQ
MD5:	DFE7442A09A0809F22E0806040A0202E
SHA1:	E6F76A86FA46E8E2C659C1C326457E6EB6B253F6
SHA-256:	1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
SHA-512:	331C295D0CAEE203AB3E789F5C1060C3C01E99168C44EA33ECA5252F3BC2D50E4D7AF7DBC7D5F70A4B5FA7C9754DABAA576594B12A68F71BB8E534891045A197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: AnyDesk.msi, Detection: malicious, Browse Filename: AnyDesk.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........F.u.F.u.F.u..w..H.u..w....u..w..[.u...v.P.u...q.f.u...p.~.u.O...C.u.O...[.u.F.t.s.u.,.\|...u.,.u.G.u.,...G.u.F...G.u.,.w.G.u.RichF.u.................PE..L...]5.[.........."!.....@...................P...............................`.......U....@.........................@...................0............*....... ..T<...}..p............................}..@............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...P...........................@....rsrc...0...........................@..@.reloc..T<... ...>..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB474.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	345248
Entropy (8bit):	6.433823008299267
Encrypted:	false
SSDEEP:	6144:XRk+8r6fC+fXQMpCNZABJsRrD6ZAOXtAQgxDVkQ:K+8r6ZQMpsZwLNtODVkQ
MD5:	DFE7442A09A0809F22E0806040A0202E
SHA1:	E6F76A86FA46E8E2C659C1C326457E6EB6B253F6
SHA-256:	1CD91F56352A68EA6B2FE9F67F42F901B8B741E166C2AA6A3ECCC71628EE229D
SHA-512:	331C295D0CAEE203AB3E789F5C1060C3C01E99168C44EA33ECA5252F3BC2D50E4D7AF7DBC7D5F70A4B5FA7C9754DABAA576594B12A68F71BB8E534891045A197
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........F.u.F.u.F.u..w..H.u..w....u..w..[.u...v.P.u...q.f.u...p.~.u.O...C.u.O...[.u.F.t.s.u.,.\|...u.,.u.G.u.,...G.u.F...G.u.,.w.G.u.RichF.u.................PE..L...]5.[.........."!.....@...................P...............................`.......U....@.........................@...................0............*....... ..T<...}..p............................}..@............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...P...........................@....rsrc...0...........................@..@.reloc..T<... ...>..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIB521.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	626336
Entropy (8bit):	6.422854675298111
Encrypted:	false
SSDEEP:	12288:fvnxWW4CU9oAUPUozJDIdGGKU7xZh7Rw4q/+s/BD/vTy:nKb0P3VsVZh7Rw4YP/BD/vTy
MD5:	D8D35C923ABF8429B35EDCD43FBB803A
SHA1:	5184CD865807409C4E9EF0768F58C5FE68D897FF
SHA-256:	3AB49159965665944C8653C74AD21A4FA2AE807E7C0AF6E069E71EAE46155070
SHA-512:	C45F166B0FC04FC1EA6F15294879F2692EA2ED8EFB773A57E7A08802824DE87ED6D6D28BCD6B723884638450DA5E470C9AC703076CD4797DE84BC4B7B182A7E6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0...^...^...^.h[....^.h[..A.^.h[....^...]...^...Z...^...[...^.....^.....^..._...^...W...^...^...^.......^......^...\...^.Rich..^.................PE..L....6.[.........."!.........p...............0............................................@..........................b..t...tb..,....................t..........T.......p...............................@............0.. ............................text...n........................... ..`.rdata...C...0...D..................@..@.data....s.......b...Z..............@....rsrc...............................@..@.reloc..T...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBD40.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	581792
Entropy (8bit):	6.433551101024746
Encrypted:	false
SSDEEP:	12288:Y3KuELqAoc1Y0ShXQ1Kpv+h4I0ey0DnoxGI4QQg3RUhe0wE6:YaBcYt/H8xlD3RUhfwE6
MD5:	52B2B13C45E9423D1F5AD86AD13E421E
SHA1:	7A040F6A2A4D156EF0EFB74C446776877A819700
SHA-256:	98CA98D07E1D55FB64EAB4ECA77237C428863C50A2E22C0F2650114D1528A890
SHA-512:	28BE299868C262F08D9BA80C83AA7EBA3E3273F9721B3B6E6637AA941BBA831BE28E212268DCCF245C78C9C5E8323BE741F53A4356CF9D614BD55DE75F704DAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o.....`.a.....b.......c.r...=...x...=...N...=...Q...f...m...f...n...f...x...o...C...............n.....n.n...o...n.......n...Richo...........PE..L....5.[.........."!.....H..........o~.......`............................................@..........................]..<...L^..........h.......................pV..`...p...............................@............`..\....Z..@....................text....F.......H.................. ..`.rdata..X....`.......L..............@..@.data...$....p.......\..............@....rsrc...h............h..............@..@.reloc..pV.......X...n..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSID1C3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	581792
Entropy (8bit):	6.433551101024746
Encrypted:	false
SSDEEP:	12288:Y3KuELqAoc1Y0ShXQ1Kpv+h4I0ey0DnoxGI4QQg3RUhe0wE6:YaBcYt/H8xlD3RUhfwE6
MD5:	52B2B13C45E9423D1F5AD86AD13E421E
SHA1:	7A040F6A2A4D156EF0EFB74C446776877A819700
SHA-256:	98CA98D07E1D55FB64EAB4ECA77237C428863C50A2E22C0F2650114D1528A890
SHA-512:	28BE299868C262F08D9BA80C83AA7EBA3E3273F9721B3B6E6637AA941BBA831BE28E212268DCCF245C78C9C5E8323BE741F53A4356CF9D614BD55DE75F704DAB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o.....`.a.....b.......c.r...=...x...=...N...=...Q...f...m...f...n...f...x...o...C...............n.....n.n...o...n.......n...Richo...........PE..L....5.[.........."!.....H..........o~.......`............................................@..........................]..<...L^..........h.......................pV..`...p...............................@............`..\....Z..@....................text....F.......H.................. ..`.rdata..X....`.......L..............@..@.data...$....p.......\..............@....rsrc...h............h..............@..@.reloc..pV.......X...n..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIabd89.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	3.447295877169939
Encrypted:	false
SSDEEP:	3:QxtP6nElClDg+OjmlH/wlRlX+PpJlmnmf2KXMFQQK+XlvLlFl8+fKl8RlwlI1:QOnElClDHOjSfwRmlv2K8yQRqVNle
MD5:	E3C578B4DEAF5CB6CF5246DE8CC22D26
SHA1:	1B30125EA6DE6043DED03897AE3316B4B8149249
SHA-256:	0BD301D5BBF88EE9AB98E029354672C21EC311D379669CF1819C021874D63655
SHA-512:	A83F1F4E44698B84C57B6D65A30230989648283EB900B55EE7663174878FD72195C77BFFFEB564F0FF539943D5F9EF023F3232DA9AD1FC3162EF788A32285F9F
Malicious:	false
Preview:	..T.h.i.s. .p.a.c.k.a.g.e. .c.a.n. .o.n.l.y. .b.e. .r.u.n. .f.r.o.m. .a. .b.o.o.t.s.t.r.a.p.p.e.r.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.7./.1.0./.2.0.2.4. . .1.5.:.5.3.:.0.6. .=.=.=.....

C:\Users\user\AppData\Local\Temp\tinB52C.tmp (copy)

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (2724)
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.754368213288362
Encrypted:	false
SSDEEP:	384:r7wx8hlIBME/Tspa1ocy4d4lbGaEULHhhbe72Sro2REu4Y0wM1Ot+B1xCejiw:r7sW21ocy4OEahBhbsRrEu4Y0wM1RxPF
MD5:	05834DCC8161C71AD4DA535BC58310AD
SHA1:	15155DEE21D3DFEA007712A43B771507177AF199
SHA-256:	6CF370C75DF5306508D07563BC9E9FF752A15BD18AC8E4623E3512FC138086CD
SHA-512:	3ED70ED0679723D1D23639ED04055A87CE138DFFD2B55237F10DE586832EA4DCEA25F7D6F7691F3BBB0461FA21FF8752257BC36847B0A98CA0195EAD4BCB777E
Malicious:	false
Preview:	<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="jVxfGH7n5fEjNj-o102qwA">(function(){var _g={kEI:'HjwEZ5aSGP-si-gP_ZaHyQU',kEXPI:'0,793344,2906901,704,435,538661,2872,2891,43028,30022,6397,9708,18161,60058,102037,342,23024,6700,126319,8155,8861,14489,22436,5604,4175,62658,6049,30697,3801,2412,18984,14265,17620,7734,18098,9161,276,2413,9400,1634,13493,15784,14187,12896,5203210,6217,3248,997,24,126,5991284,2841102,880,1,4,40,29,2,69,14,3,3,3,3,3,9,69,2,12,3,7440095,20539789,16672,43887,3,1603,3,2124363,23034776,2738,4636,14986,1

C:\Users\user\AppData\Local\Temp\tinB52C.tmp.part

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (2724)
Category:	dropped
Size (bytes):	21504
Entropy (8bit):	5.754368213288362
Encrypted:	false
SSDEEP:	384:r7wx8hlIBME/Tspa1ocy4d4lbGaEULHhhbe72Sro2REu4Y0wM1Ot+B1xCejiw:r7sW21ocy4OEahBhbsRrEu4Y0wM1RxPF
MD5:	05834DCC8161C71AD4DA535BC58310AD
SHA1:	15155DEE21D3DFEA007712A43B771507177AF199
SHA-256:	6CF370C75DF5306508D07563BC9E9FF752A15BD18AC8E4623E3512FC138086CD
SHA-512:	3ED70ED0679723D1D23639ED04055A87CE138DFFD2B55237F10DE586832EA4DCEA25F7D6F7691F3BBB0461FA21FF8752257BC36847B0A98CA0195EAD4BCB777E
Malicious:	false
Preview:	<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="jVxfGH7n5fEjNj-o102qwA">(function(){var _g={kEI:'HjwEZ5aSGP-si-gP_ZaHyQU',kEXPI:'0,793344,2906901,704,435,538661,2872,2891,43028,30022,6397,9708,18161,60058,102037,342,23024,6700,126319,8155,8861,14489,22436,5604,4175,62658,6049,30697,3801,2412,18984,14265,17620,7734,18098,9161,276,2413,9400,1634,13493,15784,14187,12896,5203210,6217,3248,997,24,126,5991284,2841102,880,1,4,40,29,2,69,14,3,3,3,3,3,9,69,2,12,3,7440095,20539789,16672,43887,3,1603,3,2124363,23034776,2738,4636,14986,1

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {6042C332-8221-4715-9655-1447102D1357}, Number of Words: 2, Subject: Multibit Core, Author: Multibit Core, Name of Creating Application: Advanced Installer 15.4.1 build d38ed030a8, Template: ;1033, Comments: This installer database contains the logic and data required to install Multibit Core., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	6.555886125801053
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi
File size:	2'909'696 bytes
MD5:	92681069e44b7c1b334918e0798b8f62
SHA1:	6bcb489231bca02206dbe64b77847845feba886a
SHA256:	3bb7e9cfac722b0bfbbb8764d8916918debf99ff71ccd0979b12e0ab8c60d8cb
SHA512:	9d0fdaea2d3f34ac6b245f054d8d54df49adb52e4e7de6f983f5d178cf0fa60422a47b876464542d194b091b4689c239f0c89d5371b3d0930b6c24c1900c3b60
SSDEEP:	49152:q2SYw9Mftgk+AZVqVZ9Rw4YP/BD/vTyPduTRUhfwESB6zDojOwfFlmpqLOSGRRvM:MYSBA/qpPdQBqw6pqLNH
TLSH:	C8D59D11B697C136C97E45711A79EB2A10BE7FA51F7448EB27E85A7F0AB14C20231F23
File Content Preview:	........................>...................-...........................................................6...7...8...9...:...;...<...=...>...?...........................................................................................................t...\..

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T21:53:02.522699+0200	2829202	ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA	1	192.168.2.6	49715	142.250.185.196	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 21:53:01.865628004 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:01.870774984 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:01.870898008 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:01.870980978 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:01.875956059 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522619009 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522646904 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522660017 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522699118 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.522717953 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522730112 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522739887 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.522742033 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522756100 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522811890 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.522917032 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522928953 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522942066 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.522964001 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.522991896 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.527939081 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.528074980 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.528120041 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.528176069 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.528197050 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.528244972 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.604736090 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.604798079 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.609000921 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.609064102 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.609149933 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.609162092 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.609174967 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.609189987 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.609220982 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.609220982 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.609272003 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.613652945 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.613708019 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.613769054 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.613786936 CEST	80	49715	142.250.185.196	192.168.2.6
Oct 7, 2024 21:53:02.613826036 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:02.613850117 CEST	49715	80	192.168.2.6	142.250.185.196
Oct 7, 2024 21:53:08.006764889 CEST	49715	80	192.168.2.6	142.250.185.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 21:53:01.853678942 CEST	63468	53	192.168.2.6	1.1.1.1
Oct 7, 2024 21:53:01.861264944 CEST	53	63468	1.1.1.1	192.168.2.6
Oct 7, 2024 21:53:42.741863012 CEST	53	49578	162.159.36.2	192.168.2.6
Oct 7, 2024 21:53:43.570198059 CEST	53	57612	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 7, 2024 21:53:01.853678942 CEST	192.168.2.6	1.1.1.1	0x20c6	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 21:53:01.861264944 CEST	1.1.1.1	192.168.2.6	0x20c6	No error (0)	www.google.com		142.250.185.196	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	142.250.185.196	80	6732	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 21:53:01.870980978 CEST	133	OUT	GET / HTTP/1.1 Accept: / User-Agent: AdvancedInstaller Host: www.google.com Connection: Keep-Alive Cache-Control: no-cache
Oct 7, 2024 21:53:02.522619009 CEST	1236	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 19:53:02 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-jVxfGH7n5fEjNj-o102qwA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: AEC=AVYB7cpknwE9P2SyMaNX1d68IqhRn-TbW1YUWG04JimvAKiidGKB6hSPBQ; expires=Sat, 05-Apr-2025 19:53:02 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax Set-Cookie: NID=518=enYAorJPT4Y-e1E5qNrDnEm6pMVBT6D9VBKFIFxIBQvqZi7iTqWr8S8p1Q2Lq2GzXD3dSsdcpsDRdBYYiseweNc0jklF8wVXRlDTqIRhvcqCPcRpC05eKxklxOTK5aTa4WldKYid176RXvlxEiDrsakW_-_-7rzG4qad4Hte1Kl6cGJPK13A3LdwMXPUyvDUkg; expires=Tue, 08-Apr-2025 19:53:02 GMT; path=/; domain=.google.com; HttpOnly Accept-Ranges: none Vary: Accept-Encoding Transfer-Encoding: chunked Data Raw: 32 62 65 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 Data Ascii: 2be5<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images, vi
Oct 7, 2024 21:53:02.522646904 CEST	1236	IN	Data Raw: 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 Data Ascii: deos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/imag
Oct 7, 2024 21:53:02.522660017 CEST	448	IN	Data Raw: 2c 31 34 31 38 2c 32 2c 31 2c 36 2c 31 31 36 36 2c 31 2c 31 2c 32 2c 33 2c 35 32 31 34 2c 31 33 34 32 2c 32 2c 33 32 2c 31 35 31 34 2c 32 35 31 2c 32 33 39 39 2c 31 33 31 34 2c 32 30 31 35 2c 32 2c 31 31 36 2c 34 2c 38 39 35 2c 31 35 31 38 2c 33 Data Ascii: ,1418,2,1,6,1166,1,1,2,3,5214,1342,2,32,1514,251,2399,1314,2015,2,116,4,895,1518,347,2933,244,858,1723,1,1066,1,1,2,3,273,2,353,823,41,243,1,963,721,1,1,2,3,1178,231,2197,489,918,179,1388,219,1864,455,828,445,421,293,199,400,1,130,520,969,135,
Oct 7, 2024 21:53:02.522717953 CEST	1236	IN	Data Raw: 34 37 2c 32 35 2c 32 39 33 2c 31 38 33 38 2c 32 35 37 2c 34 2c 31 2c 36 2c 32 30 34 2c 36 39 2c 32 31 39 2c 37 31 38 2c 34 38 34 2c 31 35 36 2c 32 2c 31 36 31 2c 31 33 31 30 2c 38 2c 31 2c 31 2c 34 2c 31 2c 34 2c 36 38 32 2c 35 36 38 2c 36 32 39 Data Ascii: 47,25,293,1838,257,4,1,6,204,69,219,718,484,156,2,161,1310,8,1,1,4,1,4,682,568,629,42,622,2,95,27,20,168,188,387,596,86,35,11,31,11,244,101,5,29,190,25,649,766,86,284,60,17,3,52,4,5,51,23,48,444,259,3,44,74,3,7,54,3,1017,51,29,1,85,138,139,203
Oct 7, 2024 21:53:02.522730112 CEST	1236	IN	Data Raw: 3d 22 22 3b 76 61 72 20 67 3d 62 2e 73 65 61 72 63 68 28 22 26 63 73 68 69 64 3d 22 29 3d 3d 3d 2d 31 26 26 61 21 3d 3d 22 73 6c 68 22 2c 66 3d 5b 5d 3b 66 2e 70 75 73 68 28 5b 22 7a 78 22 2c 44 61 74 65 2e 6e 6f 77 28 29 2e 74 6f 53 74 72 69 6e Data Ascii: ="";var g=b.search("&cshid=")===-1&&a!=="slh",f=[];f.push(["zx",Date.now().toString()]);h._cshid&&g&&f.push(["cshid",h._cshid]);c=c();c!=null&&f.push(["opi",c.toString()]);for(c=0;c<f.length;c++){if(c===0\|\|c>0)d+="&";d+=f[c][0]+"="+f[c][1]}ret
Oct 7, 2024 21:53:02.522742033 CEST	1236	IN	Data Raw: 5d 29 7d 29 3b 67 6f 6f 67 6c 65 2e 71 63 65 3d 6c 3b 7d 29 2e 63 61 6c 6c 28 74 68 69 73 29 3b 67 6f 6f 67 6c 65 2e 66 3d 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e Data Ascii: ])});google.qce=l;}).call(this);google.f={};(function(){document.documentElement.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfalse");a=c==="1"\|\|c==="q"&&!a.elements.q.value?!0:!1}else a=!1;a&&(b
Oct 7, 2024 21:53:02.522756100 CEST	1236	IN	Data Raw: 6f 6c 64 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 7d 2e 6c 73 74 7b 68 65 69 67 68 74 3a 32 35 70 78 3b 77 69 64 74 68 3a 34 39 36 70 78 7d 2e 67 73 66 69 2c 2e 6c 73 74 7b 66 6f 6e 74 3a 31 38 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 Data Ascii: old;font-style:normal}.lst{height:25px;width:496px}.gsfi,.lst{font:18px arial,sans-serif}.gsfs{font:17px arial,sans-serif}.ds{display:inline-box;display:inline-block;margin:3px 0 4px;margin-left:4px}input{font-family:inherit}body{background:#f
Oct 7, 2024 21:53:02.522917032 CEST	1236	IN	Data Raw: 6f 6f 67 6c 65 2e 61 70 6c 65 3b 69 66 28 67 6f 6f 67 6c 65 2e 64 6c 29 72 65 74 75 72 6e 20 67 6f 6f 67 6c 65 2e 64 6c 28 61 2c 65 2c 64 2c 21 30 29 2c 6e 75 6c 6c 3b 62 3d 64 3b 69 66 28 76 3c 30 29 7b 77 69 6e 64 6f 77 2e 63 6f 6e 73 6f 6c 65 Data Ascii: oogle.aple;if(google.dl)return google.dl(a,e,d,!0),null;b=d;if(v<0){window.console&&console.error(a,b);if(v===-2)throw a;b=!1}else b=!a\|\|!a.message\|\|a.message==="Error loading script"\|\|q>=l&&!m?!1:!0;if(!b)return null;q++;d=d\|\|{};b=encodeURICo
Oct 7, 2024 21:53:02.522928953 CEST	928	IN	Data Raw: 6c 3b 70 26 26 71 3e 3d 6c 26 26 28 77 69 6e 64 6f 77 2e 6f 6e 65 72 72 6f 72 3d 6e 75 6c 6c 29 7d 3b 7d 29 28 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 22 3e 3c 73 63 72 69 70 Data Ascii: l;p&&q>=l&&(window.onerror=null)};})();</script></head><body bgcolor="#fff"><script nonce="jVxfGH7n5fEjNj-o102qwA">(function(){var src='/images/nav_logo229.png';var iesg=false;document.body.onload = function(){window.n && window.n();if (docume
Oct 7, 2024 21:53:02.522942066 CEST	1236	IN	Data Raw: 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6e 74 6c 2f 65 6e 2f 61 62 6f 75 74 2f 70 72 6f 64 75 63 74 73 3f 74 61 62 3d 77 68 22 3e 3c 75 3e 4d 6f 72 65 3c Data Ascii: oration:none" href="https://www.google.com/intl/en/about/products?tab=wh"><u>More</u> »</a></nobr></div><div id=guser width=100%><nobr><span id=gbn class=gbi></span><span id=gbf class=gbf></span><span id=gbe></span><a href="http://www.go
Oct 7, 2024 21:53:02.527939081 CEST	1236	IN	Data Raw: 73 3d 22 6c 73 74 22 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 35 70 78 20 38 70 78 20 30 20 36 70 78 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 74 6f 70 3b 63 6f 6c 6f 72 3a 23 30 30 30 22 20 61 75 74 6f 63 Data Ascii: s="lst" style="margin:0;padding:5px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class

Target ID:	0
Start time:	15:52:58
Start date:	07/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi"
Imagebase:	0x7ff6fb150000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:52:58
Start date:	07/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6fb150000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:52:59
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 50AE91573DE534A9A96FD2BF23C4165F C
Imagebase:	0x2b0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSIB3C5.tmp

C:\Users\user\AppData\Local\Temp\MSIB443.tmp

C:\Users\user\AppData\Local\Temp\MSIB463.tmp

C:\Users\user\AppData\Local\Temp\MSIB474.tmp

C:\Users\user\AppData\Local\Temp\MSIB521.tmp

C:\Users\user\AppData\Local\Temp\MSIBD40.tmp

C:\Users\user\AppData\Local\Temp\MSID1C3.tmp

C:\Users\user\AppData\Local\Temp\MSIabd89.LOG

C:\Users\user\AppData\Local\Temp\tinB52C.tmp (copy)

C:\Users\user\AppData\Local\Temp\tinB52C.tmp.part

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Windows Analysis Report
SecuriteInfo.com.Backdoor.OLE2.RA-Based.a.22874.1945.msi