Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
._WinSitu-5.7.8.0.msi

Overview

General Information

Sample name:._WinSitu-5.7.8.0.msi
Analysis ID:1545013
MD5:4b727a821f9e95373d63665d682c199a
SHA1:3b4420390f54e03befe3aa523b508d68af359337
SHA256:dc67d7a6ae0d2dd5fe97f8eae6c1793ce084fadad1c64e194c06d7e8a8122d3e

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Program does not show much activity (idle)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 7356 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\._WinSitu-5.7.8.0.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: ._WinSitu-5.7.8.0.msiString found in binary or memory: https://insituinc.sharepoint.com/sites/main/rd/Software%20Artifacts/Forms/AllItems.aspx?id=%2Fsites%
Source: ._WinSitu-5.7.8.0.msiString found in binary or memory: https://insituinc.sharepoint.com/sites/main/rd/_layouts/15/download.aspx?SourceUrl=%2Fsites%2Fmain%2
Source: classification engineClassification label: clean0.winMSI@1/0@0/0
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: duser.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
._WinSitu-5.7.8.0.msi0%ReversingLabs
._WinSitu-5.7.8.0.msi0%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://insituinc.sharepoint.com/sites/main/rd/_layouts/15/download.aspx?SourceUrl=%2Fsites%2Fmain%20%VirustotalBrowse
https://insituinc.sharepoint.com/sites/main/rd/Software%20Artifacts/Forms/AllItems.aspx?id=%2Fsites%0%VirustotalBrowse

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://insituinc.sharepoint.com/sites/main/rd/Software%20Artifacts/Forms/AllItems.aspx?id=%2Fsites%._WinSitu-5.7.8.0.msifalseunknown
https://insituinc.sharepoint.com/sites/main/rd/_layouts/15/download.aspx?SourceUrl=%2Fsites%2Fmain%2._WinSitu-5.7.8.0.msifalseunknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1545013
Start date and time:2024-10-30 00:59:36 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 48s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:1
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:._WinSitu-5.7.8.0.msi
Detection:CLEAN
Classification:clean0.winMSI@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .msi
  • Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:AppleDouble encoded Macintosh file
Entropy (8bit):5.574176621052749
TrID:
  • Mac AppleDouble encoded (4004/1) 79.97%
  • MacBinary 2 header (1003/3) 20.03%
File name:._WinSitu-5.7.8.0.msi
File size:1'014 bytes
MD5:4b727a821f9e95373d63665d682c199a
SHA1:3b4420390f54e03befe3aa523b508d68af359337
SHA256:dc67d7a6ae0d2dd5fe97f8eae6c1793ce084fadad1c64e194c06d7e8a8122d3e
SHA512:3ecd2665c546e2f4acefc023cb6cddfedc374f026ce139298102818106e4fb74f9f87285f44c5c0a107ca717585af113fe1a7f39cbbaece2bad5e5e8d87b5d2f
SSDEEP:24:PgImxklrleBrjhklsrsghWqvNLJ3oQdP+uGw:IImxMrlMrtMsrNjYQEuGw
TLSH:AC119B6971D6420ADD746EB639E3F509222396BCFA4A8988D4D5C4406B019CFA4319AF
File Content Preview:........Mac OS X .........2..................................................ATTR..........................................%com.apple.metadata:kMDItemWhereFroms........<...com.apple.quarantine.bplist00..._..https://insituinc.sharepoint.com/sites/ma

File Icon

Icon Hash:2d2e3797b32b2b99

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

General

Target ID:0
Start time:20:00:33
Start date:29/10/2024
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\._WinSitu-5.7.8.0.msi"
Imagebase:0x7ff75d6e0000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly