automated malware analysis report for mremoteng-installer
ID: 365336
Sample Name: mRemoteNG-Installer-1.76.20.24615.msi
Cookbook: default.jbs
Time: 13:31:46
Date: 09/03/2021
Version: 31.0.0 Emerald
Table of Contents

Analysis Report mRemoteNG-Installer-1.76.20.24615.msi
  Overview
    General Information
    Detection
    Signatures
    Classification
    Analysis Advice
  Startup
  Malware Configuration
  Yara Overview
  Sigma Overview
  Signature Overview
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
  General Information
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
  Static File Info
    General
    File Icon
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: msiexec.exe PID: 4012 Parent PID: 5632
      General
      File Activities
      Registry Activities
    Analysis Process: msiexec.exe PID: 6168 Parent PID: 1688
      General
      File Activities
        File Read
    Analysis Process: rundll32.exe PID: 6212 Parent PID: 6168
      General
Copyright Joe Security LLC 2021 Page 2 of 21
      File Activities
        File Created
        File Deleted
        File Written
        File Read
    Analysis Process: msiexec.exe PID: 6824 Parent PID: 1688
      General
      File Activities
    Analysis Process: rundll32.exe PID: 6912 Parent PID: 6824
      General
      File Activities
        File Read
  Disassembly
    Code Analysis
Analysis Report mRemoteNG-Installer-1.76.20.24615.msi
Overview
General Information
Sample Name:
mRemoteNG-Installer-1.76.20.24615.msi
Analysis ID: 365336
MD5: 4c91d6006cd7291df9bb0e16010c1e07
SHA1: eecea9ef7a9f0c8d99a094d48722b5fe9d7b03fb
SHA256: 2c4d1efb90124f885215f88304c9ecc8bbeecc9cca285f6d17baae43b49f6227
Detection
Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 40%
Signatures

Checks for available system drives
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory
Found dropped PE file which has no…
Monitors certain registry keys / values
Queries the volume information (nam…
Tries to load missing DLLs
Uses code obfuscation techniques (…
Classification

Classification chart (figure omitted). Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean / suspicious / malicious.

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64
msiexec.exe (PID: 4012 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\mRemoteNG-Installer-1.76.20.24615.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
msiexec.exe (PID: 6168 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9A457BA9350AB52CD6224C77842F306E C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  rundll32.exe (PID: 6212 cmdline: rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSID272.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4379734 1 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
msiexec.exe (PID: 6824 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C5E791AEF0AFC094AD8BF38E49FAA265 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  rundll32.exe (PID: 6912 cmdline: rundll32.exe 'C:\Windows\Installer\MSI17D.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4402859 2 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
There are no malicious signatures.
Mitre Att&ck Matrix

Techniques are listed per tactic column; numbers in parentheses are the counts shown in the report's matrix cells.

Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading (2 1); Rundll32 (1); Disable or Modify Tools (1); Process Injection (1); DLL Side-Loading (1); Obfuscated Files or Information (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry (1); Peripheral Device Discovery (1 1); File and Directory Discovery (1); System Information Discovery (1 3); Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Behavior Graph

Behavior graph (figure omitted; only the graph's labels are kept here):
ID: 365336
Sample: mRemoteNG-Installer-1.76.20...
Startdate: 09/03/2021
Architecture: WINDOWS
Score: 3
Process nodes: msiexec.exe, started msiexec.exe, started msiexec.exe (7), started rundll32.exe (6), started rundll32.exe (5)
Network node: 1.76.20.24, DOCOMONTTDOCOMOINCJP, Japan
Dropped-file nodes: C:\Users\user\AppData\Local\...\MSID272.tmp (PE32); Microsoft.Deployme...indowsInstaller.dll (PE32); C:\Users\user\AppData\...\CustomActions.dll (PE32); Microsoft.Deployme...indowsInstaller.dll (PE32); C:\Windows\Installer\...\CustomActions.dll (PE32)
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
mRemoteNG-Installer-1.76.20.24615.msi | 0% | Virustotal |
mRemoteNG-Installer-1.76.20.24615.msi | 0% | Metadefender |
mRemoteNG-Installer-1.76.20.24615.msi | 0% | ReversingLabs |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\MSID272.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\MSID272.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs |
C:\Windows\Installer\MSI17D.tmp-\CustomActions.dll | 0% | ReversingLabs |
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | Metadefender |
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
ts-crl.ws.symantec. | 0% | Virustotal |
ts-crl.ws.symantec. | 0% | Avira URL Cloud | safe
crl4.digicert. | 0% | Avira URL Cloud | safe
ocsp.thawte.com0 | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
wixtoolset.org/releases/ | Microsoft.Deployment.WindowsInstaller.dll.11.dr | false | | high
ts-crl.ws.symantec. | msiexec.exe, 00000000.00000002.325074448.0000027CCED32000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
www.mremoteng.org | msiexec.exe, 00000000.00000003.322330831.0000027CD0A1E000.00000004.00000001.sdmp | false | | high
crl4.digicert. | msiexec.exe, 00000000.00000002.325074448.0000027CCED32000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
wixtoolset.org/news/ | Microsoft.Deployment.WindowsInstaller.dll.11.dr | false | | high
ocsp.thawte.com0 | msiexec.exe, 00000000.00000002.325074448.0000027CCED32000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
wixtoolset.org/Whttp://wixtoolset.org/telemetry/v | Microsoft.Deployment.WindowsInstaller.dll.11.dr | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
1.76.20.24 | unknown | Japan | 9605 | DOCOMONTTDOCOMOINCJP | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 365336
Start date: 09.03.2021
Start time: 13:31:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: mRemoteNG-Installer-1.76.20.24615.msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean3.winMSI@7/9@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 98%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .msi
Warnings:
  Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  Execution Graph export aborted for target rundll32.exe, PID 6212 because it is empty
  Execution Graph export aborted for target rundll32.exe, PID 6912 because there are no executed functions
  Report size getting too big, too many NtEnumerateValueKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Report size getting too big, too many NtSetInformationFile calls found.
Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
DOCOMONTTDOCOMOINCJP | bin.sh | malicious | 157.116.228.108
DOCOMONTTDOCOMOINCJP | oHqMFmPndx.exe | malicious | 49.103.16.65
DOCOMONTTDOCOMOINCJP | fil1 | malicious | 146.162.49.11
DOCOMONTTDOCOMOINCJP | i | malicious | 49.101.60.201
DOCOMONTTDOCOMOINCJP | mssecsvc.exe | malicious | 211.14.116.15
DOCOMONTTDOCOMOINCJP | juice.exe | malicious | 146.99.74.4
DOCOMONTTDOCOMOINCJP | KqwIJuLhAp.dll | malicious | 148.68.2.6

JA3 Fingerprints

No context

Dropped Files
Match | Associated Sample Name / URL | Detection
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | tetration_installer_bancopopular_enforcer_windows.ps1 | malicious
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | Fireboy&Watergirl_Elements_installer_20623948.exe | malicious
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | install.nitropdf.com/professional_1391155/de/retail/nitro_pro13_ba_x64.msi | malicious
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | TheSimsSeason_installer_19318915.exe | malicious
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | services.3manager.com/Downloads/Agents/Latest?type=ExeInstaller&id=fdbd6a6e-7ae4-4c0d-bad0-c31795c494f7&canary=False | malicious
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | VAExcelPluginSetup0.9.18113.exe | malicious
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | install.nitropdf.com/professional_12101487/en/burn/nitro_pro12_ba_x64.msi | malicious
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | Automate.msi | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | tetration_installer_bancopopular_enforcer_windows.ps1 | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | Fireboy&Watergirl_Elements_installer_20623948.exe | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | install.nitropdf.com/professional_1391155/de/retail/nitro_pro13_ba_x64.msi | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | TheSimsSeason_installer_19318915.exe | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | services.3manager.com/Downloads/Agents/Latest?type=ExeInstaller&id=fdbd6a6e-7ae4-4c0d-bad0-c31795c494f7&canary=False | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | VAExcelPluginSetup0.9.18113.exe | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | install.nitropdf.com/professional_12101487/en/burn/nitro_pro12_ba_x64.msi | malicious
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll | Automate.msi | malicious
Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 651
Entropy (8bit): 5.347236198415341
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaOK9eDLI4MNJK9zKHK9yiv:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFb
MD5: 885F8A93C0BC47F2C05B5702E49A06CE
SHA1: C9945AF95217F2BDBBB967E65091B8EA21976F36
SHA-256: 8268A83751122A58D99D6949BFFE44B9BF905E40827CC4321677BF551BF4DD40
SHA-512: 84BC9C0FEFADE6BBFEC86F6AAA28CC7F4F4B3927A7C21D559F14A9CD9C7F3247210FFD0391DCD7FC08E255779D993E8586EC46A142981B9103BC9EC77CD7A361
Malicious: false
Reputation: moderate, very likely benign file
Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0
C:\Users\user\AppData\Local\Temp\MSI2cbf9.LOG
Process: C:\Windows\System32\msiexec.exe
File Type: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR, LF line terminators
Category: dropped
Size (bytes): 101372
Entropy (8bit): 3.772006041376459
Encrypted: false
SSDEEP: 1536:d32fHXGj5nb52DYeYrWg3njsgbo5VtsiLZHVXMfxPlP5PlPt3LZHVXMfxPlP5PlG:/a6q3pFk
MD5: 999866083D2F6E701FB83E376EDF8441
SHA1: 516736AA37FF64886B5208E5CE292C34382B34B5
SHA-256: CDEF75B0A5630B2A604350CA3EFB2B9CB02B45A4C1B40F6D8DF9E02AC0679B6C
SHA-512: 9B5EA543F3CE7DD8DFEE0E8C5D3B74F256E8B33F7AF780C6B534D572593F6221BA6F06AD20A6B23D57D079C47E1B9786284A542553CF7B76B41F1D878333568B
Malicious: false
Reputation: low
Preview:
=== Verbose logging started: 3/9/2021  13:32:36  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\System32\msiexec.exe ===
MSI (c) (AC:CC) [13:32:37:008]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg
MSI (c) (AC:CC) [13:32:37:008]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg
MSI (c) (AC:C0) [13:32:37:117]: Resetting cached policy values
MSI (c) (AC:C0) [13:32:37:117]: Machine policy value 'Debug' is 0
C:\Users\user\AppData\Local\Temp\MSID272.tmp
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category: dropped
Size (bytes): 246238
Entropy (8bit): 6.145265903989616
Encrypted: false
SSDEEP: 3072:p1sACXS63fn8qf1in/OGBbwbetCLXye1gx5ChqlyLovlJsBtGbUwDsiercy2:p1sA6fnlk/4D1gxE7MvvqtGB
MD5: 0046B24E470EA8A69A381A454D9A71A2
SHA1: 285A92AA7F2B0DDED84D809C73DAF5B96851A38E
SHA-256: 4C9598C6A9BB386DC899F5A49C88F9191293665BF59CAA8A2B8CAEEBE4EA7C65
SHA-512: 0F27398C6F5F639A6E6458F799587CEA65A982FA86AE0D8E0094BF03F77277DF93CDDF16365C0453B18CCAD149FEEEBE8B8C96854634AF700656830CBCBA2F08
Malicious: false
Antivirus: Virustotal, Detection: 0%; ReversingLabs, Detection: 2%
Reputation: low
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1494
Entropy (8bit): 4.730688431065547
Encrypted: false
SSDEEP: 24:2dhmhx0PY6Iee7LfKhT06XWwlTh17jJB7ZtG9jDqRp:c0nd5t7q7WwFD7tztG96n
MD5: 4933C1E1BE5973187E991EA2ED9E6451
SHA1: B16B52BA34A835B5BB8665F502E7E37985B6776E
SHA-256: DC44FB3A0CE9CB88926B2D91EC3CC5A5C5D694B02415C4B2459090F08F08ED58
SHA-512: 766ED216354A9D0F681607577E586E89DC82729CED58C328676771178BA547CD87878A1F5955CD46B197672753BC693D08246A7A11CEB8A7F255E1321403E805
Malicious: false
Reputation: moderate, very likely benign file
Preview:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
 <startup useLegacyV2RuntimeActivationPolicy="true">

 Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that
 the custom action should run on. If no versions are specified, the chosen version of the runtime
 will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against.

 WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility
 problems with future versions of the .NET Framework runtime. It is highly recommended that you specify
 only the version(s) of the .NET Framework runtime that you have tested against.

 Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0.

 In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies
 by using the lates
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 9216
Entropy (8bit): 4.698358487152108
Encrypted: false
SSDEEP: 192:cUnpOBzZGoyQBK0FffGdSYA/mkfMcuIGiTdj:cCpWzmaKpd8/mkfMcuIGiTdj
MD5: 2CBA4EED328AE484EFF294F25826208F
SHA1: 1B76C625CB58A7DF59CD967BAE28721839FA0269
SHA-256: 532C90726BBF339B13E386B58CC0730A008AEE0570510503E45EBE552B8945AC
SHA-512: 924B94884DEE6DEDE16948D3D20A08B81FB3E06792458C99DE48001A915E3B30E48FFC619109EA483AD9CDFA9B6A17558C880E78A003F7F68F4A88113855B30A
Malicious: false
Antivirus: Virustotal, Detection: 0%; ReversingLabs, Detection: 0%
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 176128
Entropy (8bit): 5.775039237799255
Encrypted: false
SSDEEP: 3072:2kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyF:w+c7b1W4R6joxfQ8
MD5: 4E04A4CB2CF220AECC23EA1884C74693
SHA1: A828C986D737F89EE1D9B50E63C540D48096957F
SHA-256: CFED1841C76C9731035EBB61D5DC5656BABF1BEFF6ED395E1C6B85BB9C74F85A
SHA-512: C0B850FBC24EFAD8207A3FCCA11217CB52F1D08B14DEB16B8E813903FECD90714EB1A4B91B329CF779AFFF3D90963380F7CFD1555FFC27BD4AC6598C709443C4
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Joe Sandbox View:
Filename: tetration_installer_bancopopular_enforcer_windows.ps1, Detection: malicious
Filename: Fireboy&Watergirl_Elements_installer_20623948.exe, Detection: malicious
Filename: , Detection: malicious
Filename: TheSimsSeason_installer_19318915.exe, Detection: malicious
Filename: , Detection: malicious
Filename: VAExcelPluginSetup0.9.18113.exe, Detection: malicious
Filename: , Detection: malicious
Filename: Automate.msi, Detection: malicious
C:\Windows\Installer\MSI17D.tmp-\CustomAction.config
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1494
Entropy (8bit): 4.730688431065547
Encrypted: false
SSDEEP: 24:2dhmhx0PY6Iee7LfKhT06XWwlTh17jJB7ZtG9jDqRp:c0nd5t7q7WwFD7tztG96n
MD5: 4933C1E1BE5973187E991EA2ED9E6451
SHA1: B16B52BA34A835B5BB8665F502E7E37985B6776E
SHA-256: DC44FB3A0CE9CB88926B2D91EC3CC5A5C5D694B02415C4B2459090F08F08ED58
SHA-512: 766ED216354A9D0F681607577E586E89DC82729CED58C328676771178BA547CD87878A1F5955CD46B197672753BC693D08246A7A11CEB8A7F255E1321403E805
Malicious: false
Preview:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
 <startup useLegacyV2RuntimeActivationPolicy="true">

 Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that
 the custom action should run on. If no versions are specified, the chosen version of the runtime
 will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against.

 WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility
 problems with future versions of the .NET Framework runtime. It is highly recommended that you specify
 only the version(s) of the .NET Framework runtime that you have tested against.

 Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0.

 In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies
 by using the lates
C:\Windows\Installer\MSI17D.tmp-\CustomActions.dll
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 9216
Entropy (8bit): 4.698358487152108
Encrypted: false
SSDEEP: 192:cUnpOBzZGoyQBK0FffGdSYA/mkfMcuIGiTdj:cCpWzmaKpd8/mkfMcuIGiTdj
MD5: 2CBA4EED328AE484EFF294F25826208F
SHA1: 1B76C625CB58A7DF59CD967BAE28721839FA0269
SHA-256: 532C90726BBF339B13E386B58CC0730A008AEE0570510503E45EBE552B8945AC
SHA-512: 924B94884DEE6DEDE16948D3D20A08B81FB3E06792458C99DE48001A915E3B30E48FFC619109EA483AD9CDFA9B6A17558C880E78A003F7F68F4A88113855B30A
Malicious: false
Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: mRemoteNG, Author: Next Generation Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install mRemoteNG., Template: Intel;1033, Revision Number: {A161AC1F-EB51-4E97-9C32-2B2C6B3CFF06}, Create Time/Date: Fri Apr 12 14:41:28 2019, Last Saved Time/Date: Fri Apr 12 14:41:28 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
Entropy (8bit): 7.984728543058491
TrID: Microsoft Windows Installer (77509/1) 63.77%; ClickyMouse macro set (36024/1) 29.64%; Generic OLE2 / Multistream Compound File (8008/1) 6.59%
File name: mRemoteNG-Installer-1.76.20.24615.msi
File size: 43593728
MD5: 4c91d6006cd7291df9bb0e16010c1e07
SHA1: eecea9ef7a9f0c8d99a094d48722b5fe9d7b03fb
SHA256: 2c4d1efb90124f885215f88304c9ecc8bbeecc9cca285f6d17baae43b49f6227
SHA512: ae7406070f1b4c328c716356a6e1de3cba0eaeeaa8f0f490c82073ba511968cf97583d0136b38d69c15ea5c1ef0c41f74a974a7200d13099522867ff6b387338
SSDEEP: 786432:jWidZ68yWLITDZabrDhJAOSzsBdAZqFuo/ZYD98dGmWCIuLueSOZKS9eMpwF:FdxyEyDZmPAx988o/ZM9shIuJhZZeM
Antivirus: ReversingLabs, Detection: 0%
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 176128
Entropy (8bit): 5.775039237799255
Encrypted: false
SSDEEP: 3072:2kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyF:w+c7b1W4R6joxfQ8
MD5: 4E04A4CB2CF220AECC23EA1884C74693
SHA1: A828C986D737F89EE1D9B50E63C540D48096957F
SHA-256: CFED1841C76C9731035EBB61D5DC5656BABF1BEFF6ED395E1C6B85BB9C74F85A
SHA-512: C0B850FBC24EFAD8207A3FCCA11217CB52F1D08B14DEB16B8E813903FECD90714EB1A4B91B329CF779AFFF3D90963380F7CFD1555FFC27BD4AC6598C709443C4
Malicious: false
Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Joe Sandbox View:
Filename: tetration_installer_bancopopular_enforcer_windows.ps1, Detection: malicious; Filename: Fireboy&Watergirl_Elements_installer_20623948.exe, Detection: malicious; Filename: , Detection: malicious; Filename: TheSimsSeason_installer_19318915.exe, Detection: malicious; Filename: , Detection: malicious; Filename: VAExcelPluginSetup0.9.18113.exe, Detection: malicious; Filename: , Detection: malicious; Filename: Automate.msi, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ....................................@.................................,...O.................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@[email protected][email protected]........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File Content Preview: ........................>.................................................................................... ...$...(.........................................................................................................................................
General
File Icon
Icon Hash: a2a0b496b2caca72
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• msiexec.exe
• msiexec.exe
• rundll32.exe
• msiexec.exe
• rundll32.exe
System Behavior
Analysis Process: msiexec.exe PID: 4012 Parent PID: 5632
General
Start time: 13:32:34
Start date: 09/03/2021
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\mRemoteNG-Installer-1.76.20.24615.msi'
Imagebase: 0x7ff627560000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Completion Count Source Address Symbol
File Path Offset Length Value Ascii Completion Count Source Address Symbol
File Path Offset Length Completion Count Source Address Symbol
Registry Activities
Key Path Name Type Old Data New Data Completion Count Source Address Symbol
Analysis Process: msiexec.exe PID: 6168 Parent PID: 1688
General
Start time: 13:32:38
Start date: 09/03/2021
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 9A457BA9350AB52CD6224C77842F306E C
Imagebase: 0xc20000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Read
File Path Offset Length Completion Count Source Address Symbol
\Device\NamedPipe\SfxCA_4379734 0 4 success or wait 2 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 30 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 4 pending 28 6D922B0A ReadFile
Analysis Process: rundll32.exe PID: 6212 Parent PID: 6168
General
Start time: 13:32:39
Start date: 09/03/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSID272.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4379734 1 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled
Imagebase: 0x1080000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high
File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\MSID272.tmp- read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
success or wait 1 6D923EE0 CreateDirectoryW
C:\Users\user\AppData\Local\Temp\MSID272.tmp- read data or list directory | synchronize
device directory file | synchronous io non alert | open for backup ident | open reparse point
object name collision 3 6D92173B CreateDirectoryW
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll read attributes | synchronize | generic write
device sequential only | synchronous io non alert | non directory file
success or wait 1 6D9267C2 CreateFileW
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll
read attributes | synchronize | generic write
device sequential only | synchronous io non alert | non directory file
success or wait 1 6D9267C2 CreateFileW
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config read attributes | synchronize | generic write
device sequential only | synchronous io non alert | non directory file
success or wait 1 6D9267C2 CreateFileW
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
read attributes | synchronize | generic write
device synchronous io non alert | non directory file
success or wait 1 6D6BC78D CreateFileW
File Deleted
File Path Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config success or wait 1 6D923D53 DeleteFileW
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll success or wait 1 6D923D53 DeleteFileW
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll success or wait 1 6D923D53 DeleteFileW
File Written
File Path Offset Length Value Ascii Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll
unknown 9216 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 80 95 b0 5c 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 1c 00 00 00 06 00 00 00 00 00 00 c2 3b 00 00 00 20 00 00 00 40 00 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......\.........." ..0..............;... ...@....... ....................................@................................
success or wait 1 6D92839F WriteFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll
unknown 23552 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 26 ad 10 5a 00 00 00 00 00 00 00 00 e0 00 22 20 0b 01 30 00 00 80 02 00 00 20 00 00 00 00 00 00 7e 97 02 00 00 20 00 00 00 a0 02 00 00 00 00 10 00 20 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 10 00 00 a9 a8 03 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ....................................@................................
success or wait 6 6D92839F WriteFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config
unknown 1494 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 20 3f 3e 0d 0a 3c 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 3e 0d 0a 20 20 20 20 3c 73 74 61 72 74 75 70 20 75 73 65 4c 65 67 61 63 79 56 32 52 75 6e 74 69 6d 65 41 63 74 69 76 61 74 69 6f 6e 50 6f 6c 69 63 79 3d 22 74 72 75 65 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 0d 0a 20 20 20 20 20 20 20 20 20 20 55 73 65 20 73 75 70 70 6f 72 74 65 64 52 75 6e 74 69 6d 65 20 74 61 67 73 20 74 6f 20 65 78 70 6c 69 63 69 74 6c 79 20 73 70 65 63 69 66 79 20 74 68 65 20 76 65 72 73 69 6f 6e 28 73 29 20 6f 66 20 74 68 65 20 2e 4e 45 54 20 46 72 61 6d 65 77 6f 72 6b 20 72 75 6e 74 69 6d 65 20 74 68 61 74 0d 0a 20 20 20 20 20 20 20 20 20 20 74 68 65 20 63
<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the c
success or wait 1 6D92839F WriteFile
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
unknown 651 31 2c 22 66 75 73 69 6f 6e 22 2c 22 47 41 43 22 2c 30 0d 0a 31 2c 22 57 69 6e 52 54 22 2c 22 4e 6f 74 41 70 70 22 2c 31 0d 0a 33 2c 22 53 79 73 74 65 6d 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 22 2c 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 61 73 73 65 6d 62 6c 79 5c 4e 61 74 69 76 65 49 6d 61 67 65 73 5f 76 34 2e 30 2e 33 30 33 31 39 5f 33 32 5c 53 79 73 74 65 6d 5c 34 66 30 61 37 65 65 66 61 33 63 64 33 65 30 62 61 39 38 62 35 65 62 64 64 62 62 63 37 32 65 36 5c 53 79 73 74 65 6d 2e 6e 69 2e 64 6c 6c 22 2c 30 0d 0a 33 2c 22 53 79 73 74 65 6d 2e 43 6f 72 65 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30
1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0
success or wait 1 6D6BC907 WriteFile
File Read
File Path Offset Length Completion Count Source Address Symbol
\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 36 success or wait 707 6D927AF5 ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 36 success or wait 707 6D927AF5 ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 36 success or wait 1 6D927AF5 ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 16 success or wait 3 6D927AF5 ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 8 success or wait 1 6D927AF5 ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 8 success or wait 1 6D927AF5 ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 8 success or wait 5 6D927AF5 ReadFile
\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D385705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D385705 unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux
unknown 176 success or wait 1 6D2E03DE ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config unknown 4095 success or wait 1 6D38CA54 ReadFile
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config unknown 6697 end of file 1 6D38CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D38CA54 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux
unknown 620 success or wait 1 6D2E03DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux
unknown 864 success or wait 1 6D2E03DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux
unknown 900 success or wait 1 6D2E03DE ReadFile
\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile
\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile
File Path Offset Length Completion Count Source Address Symbol
Analysis Process: msiexec.exe PID: 6824 Parent PID: 1688
General
Start time: 13:33:01
Start date: 09/03/2021
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding C5E791AEF0AFC094AD8BF38E49FAA265
Imagebase: 0xc20000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Path Offset Length Completion Count Source Address Symbol
Analysis Process: rundll32.exe PID: 6912 Parent PID: 6824
General
Start time: 13:33:02
Start date: 09/03/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Windows\Installer\MSI17D.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4402859 2 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled
Imagebase: 0xd70000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high
File Activities
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Completion Count Source Address Symbol
File Path Offset Length Value Ascii Completion Count Source Address Symbol
File Read
File Path Offset Length Completion Count Source Address Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D3E5705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D3E5705 unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux
unknown 176 success or wait 1 6D3403DE ReadFile
C:\Windows\Installer\MSI17D.tmp-\CustomAction.config unknown 4095 success or wait 1 6D3ECA54 ReadFile
C:\Windows\Installer\MSI17D.tmp-\CustomAction.config unknown 6697 end of file 1 6D3ECA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D3ECA54 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux
unknown 620 success or wait 1 6D3403DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux
unknown 864 success or wait 1 6D3403DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux
unknown 900 success or wait 1 6D3403DE ReadFile
\Device\NamedPipe\SfxCA_4402859 0 4 pending 1 6D281D50 unknown
\Device\NamedPipe\SfxCA_4402859 0 32 success or wait 1 6D281D50 unknown
\Device\NamedPipe\SfxCA_4402859 0 4 pending 1 6D27EAF6 unknown
\Device\NamedPipe\SfxCA_4402859 0 32 success or wait 1 6D27EAF6 unknown
\Device\NamedPipe\SfxCA_4402859 0 4 pending 1 6D27EAF6 unknown
\Device\NamedPipe\SfxCA_4402859 0 32 success or wait 1 6D27EAF6 unknown
Disassembly
Code Analysis