kensingtonworks_2.2.7.msi
This report is generated from a file or URL submitted to this webservice on May 10th 2021 08:24:33 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.1 © Hybrid Analysis

Incident Response
Risk Assessment
- Persistence: spawns a lot of processes; writes data to a remote process
- Evasive: possibly tries to implement anti-virtualization techniques
- Network Behavior: contacts 1 domain and 1 host

MITRE ATT&CK™ Techniques Detection

Indicators
Not all malicious and suspicious indicators are displayed in the public report.
Malicious Indicators 3

Installation/Persistence

Writes data to a remote process
details:
"msiexec.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 488)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 488)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 488)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 488)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 524)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 524)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 524)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 432)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 432)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 432)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 432)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 432)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 484)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 488)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 496)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 496)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 496)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 496)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 496)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 520)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 520)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 520)
"msiexec.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 520)
"msiexec.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 520)
"msiexec.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 524)
"msiexec.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 524)
source: API Call
relevance: 6/10
ATT&CK ID: T1055 (Process Injection)

Unusual Characteristics

Spawns a lot of processes
details:
Spawned process "msiexec.exe" with commandline "/i "C:\kensingtonworks_2.2.7.msi""
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "msiexec.exe" with commandline "-Embedding D0E9D73C43F427C05952BAD0E9A78629 C"
Spawned process "msiexec.exe" with commandline "-Embedding 159FC296033A51F524D0B1B66E172776 C"
Spawned process "msiexec.exe" with commandline "-Embedding 242463F851DFFD856BDC3349861B4AF3 C"
Spawned process "DismHost.exe" with commandline "{6C65D686-5C57-4EEC-8AA4-A654482C3931}"
Spawned process "msiexec.exe" with commandline "-Embedding 74B66DD9B1AA342303D931B52A5EE856 C"
Spawned process "msiexec.exe" with commandline "-Embedding E1B3DE53CDA8C418DCF34BA4EBA0BB9B C"
Spawned process "msiexec.exe" with commandline "-Embedding DE05DE6924C07612E56AA3CD88A706EE C"
source: Monitored Target
relevance: 8/10
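Both malicious indicators above describe msiexec.exe instances talking to other msiexec.exe instances, plus one DismHost.exe child, which is the shape Windows Installer normally has: the client started with "/i <package>" talks to the Windows Installer service, whose process is started as "msiexec.exe /V"; custom actions run in COM-activated "msiexec.exe -Embedding <32-hex identifier> ..." servers; and a package that installs a driver goes through the DISM API, whose out-of-process host is DismHost.exe. The Python triage script below is an added example written for this page; it is not part of the Hybrid Analysis report or of Kensington's software. It encodes those expectations as rules (the rule set is the editor's assumption, not the sandbox's) and flags anything else; the lines in CONSTRUCTED_LINES are invented negatives, not report content, included only to show what gets flagged.

```python
"""Triage Windows Installer process-topology indicators from a sandbox report.

Rules (editor's assumptions, not rules taken from the report):
  * msiexec.exe "/i <package>"              installer client
  * msiexec.exe "/V"                        Windows Installer service process
  * msiexec.exe "-Embedding <32 hex> ..."   COM-activated custom action server
  * DismHost.exe "{GUID}"                   DISM API out-of-process host
  * msiexec.exe writing into msiexec.exe    installer client/server IPC
Anything else is reported for review instead of being accepted.
"""
import re
from collections import Counter

SPAWN_RE = re.compile(r'^Spawned process "([^"]+)" with commandline "(.*)"$')
WRITE_RE = re.compile(
    r'^"([^"]+)" wrote (\d+) bytes to a remote process "([^"]+)" \(Handle: (\d*)\)$')

# Copied from the report's "Spawns a lot of processes" and
# "Writes data to a remote process" details.
REPORT_LINES = r'''
Spawned process "msiexec.exe" with commandline "/i "C:\kensingtonworks_2.2.7.msi""
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "msiexec.exe" with commandline "-Embedding D0E9D73C43F427C05952BAD0E9A78629 C"
Spawned process "DismHost.exe" with commandline "{6C65D686-5C57-4EEC-8AA4-A654482C3931}"
Spawned process "msiexec.exe" with commandline "-Embedding 74B66DD9B1AA342303D931B52A5EE856 C"
"msiexec.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 488)
"msiexec.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 524)
'''.strip().splitlines()

# Constructed negatives (NOT in the report) that show what the rules flag.
CONSTRUCTED_LINES = r'''
Spawned process "cmd.exe" with commandline "/c whoami"
"msiexec.exe" wrote 4096 bytes to a remote process "C:\Windows\explorer.exe" (Handle: 600)
'''.strip().splitlines()


def classify_spawn(image: str, cmdline: str) -> str:
    """Label one 'Spawned process' indicator according to the rules above."""
    image = image.lower()
    if image == "msiexec.exe":
        if re.fullmatch(r"/i\s+.+", cmdline, re.I):
            return "installer-client"
        if cmdline.upper() == "/V":
            return "installer-service"
        if re.fullmatch(r"-Embedding [0-9A-F]{32}( \S+)?", cmdline, re.I):
            return "custom-action-server"
    if image == "dismhost.exe" and re.fullmatch(r"\{[0-9A-F-]{36}\}", cmdline, re.I):
        return "dism-host"
    return "REVIEW: unexpected child process"


def classify_write(source: str, target_path: str) -> str:
    """Label one 'wrote N bytes to a remote process' indicator."""
    target = target_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if source.lower() == "msiexec.exe" and target == "msiexec.exe":
        return "installer-ipc"
    return "REVIEW: write into a non-installer process"


def triage(lines) -> Counter:
    """Count labels over report lines; lines in neither format are ignored."""
    counts = Counter()
    for line in lines:
        if m := SPAWN_RE.match(line):
            counts[classify_spawn(*m.groups())] += 1
        elif m := WRITE_RE.match(line):
            source, _nbytes, target_path, _handle = m.groups()
            counts[classify_write(source, target_path)] += 1
    return counts


def needs_review(counts: Counter) -> bool:
    """True when any indicator fell outside the expected installer topology."""
    return any(label.startswith("REVIEW") for label in counts)


if __name__ == "__main__":
    result = triage(REPORT_LINES + CONSTRUCTED_LINES)
    for label, n in sorted(result.items()):
        print(f"{n:3d}  {label}")
    print("needs review:", needs_review(result))
```

Run against the report lines alone, every indicator lands in an expected bucket and needs_review() is False; the two constructed lines each produce a REVIEW label. The rules deliberately match the whole command line, so an msiexec.exe child with any extra or unusual argument is surfaced rather than absorbed by the "it's just msiexec" heuristic.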

1 further malicious indicator is hidden in the public report.

Suspicious Indicators 10

Anti-Detection/Stealthyness

Queries kernel debugger information
details:
"msiexec.exe" at 00065923-00003532-00000033-72116982
"msiexec.exe" at 00066622-00001664-00000033-9172920897381704
"msiexec.exe" at 00072204-00003168-00000033-3734628
"msiexec.exe" at 00073926-00001920-00000033-167401240
"msiexec.exe" at 00075649-00002900-00000033-183764473
"DismHost.exe" at 00076660-00000408-00000033-1758783
"msiexec.exe" at 00077373-00003844-00000033-200196805
"msiexec.exe" at 00079098-00003348-00000033-2578473
"msiexec.exe" at 00080826-00001656-00000033-9172920738593369
source: API Call
relevance: 6/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
details:
"vboxvideo.inf" (Indicator: "vbox")
"2021-05-10 08:46:58, Error DISM DISM Driver Manager: PID=408 Failed opening driver package for x86: INF Name='%WINDIR%\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_54dffbe2252403f6\vboxguest.inf' - CDriverPackage::OpenDmi" (Indicator: "vbox")
"2021-05-10 08:46:58, Error DISM DISM Driver Manager: PID=408 Failed opening driver package for x86: INF Name='C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_54dffbe2252403f6\vboxguest.inf' - CDriverPackage::OpenDmi" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_282ccc1684d6e163\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\VBoxGuest.cat]" (Indicator: "vbox")
"2017-12-11 20:24:00, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\VBoxGuest.cat]" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_bc42bb1917d1bc65\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\VBoxGuest.cat]" (Indicator: "vbox")
"2018-02-20 09:38:55, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\VBoxGuest.cat]" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_e9f3789e40cc2499\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vbox")
"2019-01-03 17:11:42, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vbox")
"2019-01-03 17:11:43, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
source: File/Memory
relevance: 4/10
ATT&CK ID: T1497 (Virtualization/Sandbox Evasion)
Note: the matched strings are DISM log lines and DriverStore paths, and the entries dated 2017-2019 predate this submission; the VirtualBox guest drivers they name belong to the analysis VM's own driver history, so this match most likely reflects the sandbox environment as read by DismHost.exe rather than a virtualization check carried in the package.

Reads the cryptographic machine GUID
details:
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
source: Registry Access
relevance: 10/10
ATT&CK ID: T1012 (Query Registry)

General

Found a potential E-Mail address in binary/memory
details:
Pattern match: "g.@.d.b.f.a.e.c"
Note: the interleaved dots are the null bytes of a UTF-16 string matched by an ASCII pattern; this is not a usable e-mail address.
source: File/Memory
relevance: 3/10
ATT&CK ID: T1114 (Email Collection)

Installation/Persistence

Creates new processes
details:
"msiexec.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\msiexec.exe", Handle: )
"msiexec.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\msiexec.exe", Handle: 520)
"msiexec.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\msiexec.exe", Handle: 524)
source: API Call
relevance: 8/10

Drops executable files
details:
"DISMHOST.EXE.6098F25B.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"MSI932.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI725C.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI9FF7.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSIDBB6.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI366E.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI4510.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
source: Binary File
relevance: 10/10

Network Related

Sends traffic on typical HTTP outbound port, but without HTTP header
details:
TCP traffic to 52.255.188.83 on port 443 is sent without HTTP header
Note: no HTTP header on port 443 is the expected shape of a TLS connection; the report does not decode the session or say what was sent.
source: Network Traffic
relevance: 5/10
ATT&CK ID: T1043 (Commonly Used Port)

Unusual Characteristics

Installs hooks/patches the running process
details:
"msiexec.exe" wrote bytes "40130000" to virtual address "0xFCB98538" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "40130000" to virtual address "0xFCB98478" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FE18" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FB18" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "00100000" to virtual address "0xFE401748" (part of module "WS2_32.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FE10" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FE50" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FB10" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FB50" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "00100000" to virtual address "0xFCB98468" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FE48" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FB48" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48b810168df5fe070000ffe0" to virtual address "0xFCB81000" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48b860138df5fe070000ffe0" to virtual address "0xFCB81340" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "00100000" to virtual address "0xFCB985A4" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48b8e0118df5fe070000ffe0" to virtual address "0xFE3D1000" (part of module "WS2_32.DLL")
source: Hook Detection
relevance: 10/10
ATT&CK ID: T1179 (Hooking)
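The byte strings above can be read directly. On x86-64, 48 B8 followed by an 8-byte immediate is "mov rax, imm64" and FF E0 is "jmp rax", so the three 12-byte writes (0xFCB81000 and 0xFCB81340 in SSPICLI.DLL, 0xFE3D1000 in WS2_32.DLL) are absolute-jump trampolines; the eight 8-byte writes are little-endian pointers whose low 32 bits equal those two SSPICLI trampoline addresses (the report prints virtual addresses truncated to 32 bits). The Python decoder below is an added example written for this page, not part of the report: it recovers the jump targets and links the pointer writes back to the trampolines. What lives at the targets is not in the report; they fall outside both patched modules, and a sandbox that monitors API calls by hooking would leave exactly this pattern, but that is an assumption to confirm against the full report, not a finding.

```python
"""Decode the patch bytes behind an 'Installs hooks/patches the running process' indicator.

Recognised patterns (x86-64):
  48 B8 imm64 / FF E0   mov rax, imm64 ; jmp rax   -> absolute-jump trampoline
  8 bytes               little-endian pointer        -> candidate reference to a trampoline
  4 bytes               little-endian dword          -> reported as-is
The report truncates addresses to 32 bits, so pointers are matched on their low dword.
"""
import re
import struct
from collections import Counter

LINE_RE = re.compile(
    r'wrote bytes "([0-9a-fA-F]+)" to virtual address "0x([0-9a-fA-F]+)" '
    r'\(part of module "([^"]+)"\)')

# All sixteen lines copied from the report's indicator details.
PATCH_LINES = r'''
"msiexec.exe" wrote bytes "40130000" to virtual address "0xFCB98538" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "40130000" to virtual address "0xFCB98478" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FE18" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FB18" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "00100000" to virtual address "0xFE401748" (part of module "WS2_32.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FE10" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FE50" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FB10" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "0010b8fcfe070000" to virtual address "0xFCB9FB50" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "00100000" to virtual address "0xFCB98468" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FE48" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4013b8fcfe070000" to virtual address "0xFCB9FB48" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48b810168df5fe070000ffe0" to virtual address "0xFCB81000" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48b860138df5fe070000ffe0" to virtual address "0xFCB81340" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "00100000" to virtual address "0xFCB985A4" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48b8e0118df5fe070000ffe0" to virtual address "0xFE3D1000" (part of module "WS2_32.DLL")
'''.strip().splitlines()


def decode_patch(hexbytes: str) -> tuple:
    """Classify one byte string; returns (kind, value)."""
    b = bytes.fromhex(hexbytes)
    if len(b) == 12 and b[:2] == b"\x48\xb8" and b[10:] == b"\xff\xe0":
        return "trampoline", struct.unpack_from("<Q", b, 2)[0]  # mov rax, imm64 ; jmp rax
    if len(b) == 8:
        return "qword", struct.unpack("<Q", b)[0]
    if len(b) == 4:
        return "dword", struct.unpack("<I", b)[0]
    return "other", None


def analyze(lines=PATCH_LINES) -> dict:
    """Collect trampolines, then resolve 8-byte writes that point at them."""
    decoded = []  # (kind, value, truncated patch address, module)
    for line in lines:
        if m := LINE_RE.search(line):
            kind, value = decode_patch(m.group(1))
            decoded.append((kind, value, int(m.group(2), 16), m.group(3)))
    trampolines = {addr: (module, target)
                   for kind, target, addr, module in decoded if kind == "trampoline"}
    pointer_refs = Counter(value & 0xFFFFFFFF for kind, value, _, _ in decoded
                           if kind == "qword" and (value & 0xFFFFFFFF) in trampolines)
    unresolved = sum(1 for kind, value, _, _ in decoded
                     if kind == "qword" and (value & 0xFFFFFFFF) not in trampolines)
    return {"trampolines": trampolines, "pointer_refs": pointer_refs,
            "unresolved_pointers": unresolved, "kinds": Counter(k for k, *_ in decoded)}


if __name__ == "__main__":
    r = analyze()
    for addr, (module, target) in sorted(r["trampolines"].items()):
        print(f"{module:12s} 0x{addr:08X} -> jmp 0x{target:016X}  "
              f"(referenced by {r['pointer_refs'][addr]} pointer writes)")
    print(r["kinds"], "unresolved pointers:", r["unresolved_pointers"])
```

The three trampolines jump to 0x7FEF58D1610, 0x7FEF58D1360 and 0x7FEF58D11E0, all in the same 0x7FEF58D0000 region and in neither SSPICLI.DLL nor WS2_32.DLL; each SSPICLI trampoline is referenced by four pointer writes into the same module. A hook in a process you own would show the same decode; the step this report cannot give you is mapping the target region to a module name.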

Tries to access unusual system drive letters
details:
"msiexec.exe" touched "S:"
"msiexec.exe" touched "T:"
"msiexec.exe" touched "U:"
"msiexec.exe" touched "V:"
"msiexec.exe" touched "W:"
"msiexec.exe" touched "X:"
"msiexec.exe" touched "Y:"
"msiexec.exe" touched "K:"
"msiexec.exe" touched "L:"
"msiexec.exe" touched "M:"
"msiexec.exe" touched "N:"
"msiexec.exe" touched "O:"
"msiexec.exe" touched "P:"
"msiexec.exe" touched "Q:"
source: API Call
relevance: 9/10
ATT&CK ID: T1083 (File and Directory Discovery)

1 further suspicious indicator is hidden in the public report.

Informative 33

Environment Awareness

Queries the installation properties of user installed products
details:
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\3D19C8FFEC46CF540B4B264BCF7D1889\INSTALLPROPERTIES")
source: Registry Access
relevance: 10/10

Queries volume information
details:
"msiexec.exe" queries volume information of "C:\" at 00065923-00003532-00000046-1340687
"msiexec.exe" queries volume information of "C:\" at 00066622-00001664-00000046-90298370
source: API Call
relevance: 2/10
ATT&CK ID: T1120 (Peripheral Device Discovery)

Queries volume information of an entire harddrive
details:
"msiexec.exe" queries volume information of "C:\" at 00065923-00003532-00000046-1340687
"msiexec.exe" queries volume information of "C:\" at 00066622-00001664-00000046-90298370
source: API Call
relevance: 8/10
ATT&CK ID: T1120 (Peripheral Device Discovery)

External Systems

Sample was identified as clean by Antivirus engines
details:
0/58 Antivirus vendors marked sample as malicious (0% detection rate)
source: External System
relevance: 10/10

General

Accesses Software Policy Settings
details:
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
source: Registry Access
relevance: 10/10
ATT&CK ID: T1012 (Query Registry)

Accesses System Certificates Settings
details:
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
source: Registry Access
relevance: 10/10
ATT&CK ID: T1112 (Modify Registry)

Contacts domains
details:
"**"
source: Network Traffic
relevance: 1/10

Contacts server
details:
"52.255.188.83:443"
source: Network Traffic
relevance: 1/10

Creates mutants
details:
"\BaseNamedObjects\Global\WdsSetupLogInit"
"\BaseNamedObjects\DBWinMutex"
source: Created Mutant
relevance: 3/10

Drops files marked as clean
details:
Antivirus vendors marked the following dropped files as clean:
"DISMHOST.EXE.6098F25B.bin" (type "PE32+ executable (GUI) x86-64 for MS Windows")
"MSI932.tmp" (type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"MSI725C.tmp" (type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"MSI9FF7.tmp" (type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"MSIDBB6.tmp" (type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"MSI366E.tmp" (type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"MSI4510.tmp" (type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
source: Binary File
relevance: 10/10

Loads rich edit control libraries
details:
"msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at EFD10000
source: Loaded Module
ATT&CK ID: T1179 (Hooking)

Overview of unique CLSIDs touched in registry
details:
"msiexec.exe" touched "Msi install server" (Path: "HKCU\CLSID\{000C101C-0000-0000-C000-000000000046}")
"msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{000C103E-0000-0000-C000-000000000046}")
"msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
"DismHost.exe" touched "PSSupportErrorInfo" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{DF0B3D60-548F-101B-8E65-08002B2BD119}\TREATAS")
"DismHost.exe" touched "PSDispatch" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS")
source: Registry Access
relevance: 3/10

Process launched with changed environment
details:
Process "msiexec.exe" was launched with modified environment variables: "CommonProgramFiles, Path, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "msiexec.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, PROMPT, HOMEPATH, HOMEDRIVE"
Process "msiexec.exe" was launched with new environment variables: "LOGONSERVER="\\HAPUBWS-PC", PROMPT="$P$G", HOMEPATH="\Users\sborlEy", HOMEDRIVE="C:""
Process "msiexec.exe" was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
Process "DismHost.exe" was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
Process "DismHost.exe" was launched with missing environment variables: "LOGONSERVER, PROMPT, HOMEPATH, HOMEDRIVE"
Process "msiexec.exe" was launched with new environment variables: "LOGONSERVER="\\HAPUBWS-PC", PROMPT="$P$G", HOMEPATH="\Users\sborlEy", HOMEDRIVE="C:""
Process "msiexec.exe" was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
source: Monitored Target
relevance: 10/10

Reads Windows Trust Settings
details:
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
source: Registry Access
relevance: 5/10
ATT&CK ID: T1012 (Query Registry)

Sample shows a variety of benign indicators
details:
The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
source: Indicator Combinations
relevance: 10/10

Scanning for window names
details:
"msiexec.exe" searching for class "Shell_TrayWnd"
source: API Call
relevance: 10/10
ATT&CK ID: T1010 (Application Window Discovery)

Spawns new processes
details:
Spawned process "msiexec.exe" with commandline "/V"
Spawned process "msiexec.exe" with commandline "-Embedding D0E9D73C43F427C05952BAD0E9A78629 C"
Spawned process "msiexec.exe" with commandline "-Embedding 159FC296033A51F524D0B1B66E172776 C"
Spawned process "msiexec.exe" with commandline "-Embedding 242463F851DFFD856BDC3349861B4AF3 C"
Spawned process "DismHost.exe" with commandline "{6C65D686-5C57-4EEC-8AA4-A654482C3931}"
Spawned process "msiexec.exe" with commandline "-Embedding 74B66DD9B1AA342303D931B52A5EE856 C"
Spawned process "msiexec.exe" with commandline "-Embedding E1B3DE53CDA8C418DCF34BA4EBA0BB9B C"
Spawned process "msiexec.exe" with commandline "-Embedding DE05DE6924C07612E56AA3CD88A706EE C"
source: Monitored Target
relevance: 3/10

Spawns new processes that are not known child processes
details:
The same eight child processes as listed under "Spawns new processes" directly above.
source: Monitored Target
relevance: 3/10
The input sample is signed with a certificate
- details
- The input sample is signed with a certificate issued by "OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.2.5.4.15=Private Organization, SERIALNUMBER=0746624, C=US, S=California, L=San Mateo, O=Kensington Computer Products Group ACCO Brands USA LLC, CN=Kensington Computer Products Group ACCO Brands USA LLC" (SHA1: C8:AA:EF:37:4A:7D:14:24:1B:2C:8C:F4:5B:03:DA:86:4C:60:42:5B: (1.2.840.113549.1.1.11); see report for more information)
- The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA SHA2" (SHA1: 60:EE:3F:C5:3D:4B:DF:D1:69:7A:E5:BE:AE:1C:AB:1C:0F:3A:D4:E3: (1.2.840.113549.1.1.11); see report for more information)
- The input sample is signed with a certificate issued by "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA" (SHA1: 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25: (sha1RSA(RSA)); see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
Installation/Persistence
-
Connects to LPC ports
- details
- "msiexec.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
- "DISMHOST.EXE.6098F25B.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
- "MSI932.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "MSI725C.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D" has type "data"
- "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"
- "DA3B6E45325D5FFF28CF6BAD6065C907_97F35FEB6C8EB96D724BCFCDD8B58B1C" has type "data"
- "MSI9FF7.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "dism.log" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
- "MSIDBB6.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "data"
- "MSI366E.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "MSI4510.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1055
-
Monitors specific registry key for changes
- details
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 65536)
- "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 74601217)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPublisher" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 131072)
- "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 513)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 74601729)
- "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 2830081)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 74601729)
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 74601729)
- "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 769)
- source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "msiexec.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Scans for the windows taskbar (may be used for explorer injection)
- details
- "msiexec.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1055
-
Touches files in the Windows directory
- details
- "msiexec.exe" touched file "%WINDIR%\AppPatch\AppPatch64\sysmain.sdb"
- "msiexec.exe" touched file "C:\Windows\AppPatch\msimain.sdb"
- "msiexec.exe" touched file "C:\Windows\System32\sxs.dll"
- "msiexec.exe" touched file "C:\Windows\System32\en-US\sxs.dll.mui"
- "msiexec.exe" touched file "C:\Windows\system32\ar-SA\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\bg-BG\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\cs-CZ\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\da-DK\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\de-DE\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\el-GR\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\fi-FI\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\fr-FR\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\he-IL\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\hr-HR\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\hu-HU\sxs.DLL.mui"
- "msiexec.exe" touched file "C:\Windows\system32\it-IT\sxs.DLL.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
- Heuristic match: "o7JK,.uY"
- Heuristic match: "p-t/rw3.AL"
- Heuristic match: "$d#!fe_rC.ps"
- Heuristic match: "lwOy!V.Tf"
- Heuristic match: "9WV+@S.kW"
- Heuristic match: "jIjA&A.pf"
- Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAqCoBTa0Me"
- Pattern match: "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"
- Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies Software Policy Settings
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "msiexec.exe" opened "\Device\KsecDD"
- "DismHost.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Drops cabinet archive files
- details
- "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4817 bytes 1 file"
- source
- Binary File
- relevance
- 10/10
-
Reads information about supported languages
- details
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
File Details
kensingtonworks_2.2.7.msi
- Filename
- kensingtonworks_2.2.7.msi
- Size
- 94MiB (98787328 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: KensingtonWorks 2.2.7.0, Author: Kensington, Keywords: Installer, Comments: This installer database contains the logic and data required to install KensingtonWorks 2.2.7.0., Create Time/Date: Mon Jan 25 10:21:08 2021, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 4, Template: Intel;1033, Last Saved By: Intel;1028, Revision
- Architecture
- WINDOWS
- SHA256
- 3308a55e7903a1b3b6fe7e9c24faff38686bff5e0be6a1fa001078967f1fcb4c
- MD5
- 1ae0a7912f1c30dfe73abc236b9d51c7
- SHA1
- 694b30703c868d6a9bbabc5a25b1d9b0c4c34191
- ssdeep
- 1572864:qnVq6OOxBB+AYbbSfqViEjxPV3w0GTQ904Y/faQRBH+QRIO6AsrKEk8d6p8d:UJ3BB5Yygd3oJJfaQRBHgOK8Y
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.2.5.4.15=Private Organization, SERIALNUMBER=0746624, C=US, S=California, L=San Mateo, O=Kensington Computer Products Group ACCO Brands USA LLC, CN=Kensington Computer Products Group ACCO Brands USA LLC | OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.2.5.4.15=Private Organization, SERIALNUMBER=0746624, C=US, S=California, L=San Mateo, O=Kensington Computer Products Group ACCO Brands USA LLC, CN=Kensington Computer Products Group ACCO Brands USA LLC Serial: 0a82a014dad0c7a2c2f73c02e6633454 | 08/22/2018 02:00:00 to 09/15/2021 14:00:00 | C8:AA:EF:37:4A:7D:14:24:1B:2C:8C:F4:5B:03:DA:86:4C:60:42:5B: (1.2.840.113549.1.1.11) |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA SHA2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA SHA2 Serial: 03f1b4e15f3a82f1149678b3d7d8475c | 04/18/2012 14:00:00 to 04/18/2027 14:00:00 | 60:EE:3F:C5:3D:4B:DF:D1:69:7A:E5:BE:AE:1C:AB:1C:0F:3A:D4:E3: (1.2.840.113549.1.1.11) |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA Serial: 02ac5c266a0b409b8f0b79f2ae462577 | 11/10/2006 02:00:00 to 11/10/2031 02:00:00 | 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25: (sha1RSA(RSA)) |
Screenshots
Hybrid Analysis
Analysed 9 processes in total (System Resource Monitor).
- msiexec.exe /i "C:\kensingtonworks_2.2.7.msi" (PID: 3532)
- msiexec.exe /V (PID: 1664)
- msiexec.exe -Embedding D0E9D73C43F427C05952BAD0E9A78629 C (PID: 3168)
- msiexec.exe -Embedding 159FC296033A51F524D0B1B66E172776 C (PID: 1920)
- msiexec.exe -Embedding 242463F851DFFD856BDC3349861B4AF3 C (PID: 2900)
- msiexec.exe -Embedding 74B66DD9B1AA342303D931B52A5EE856 C (PID: 3844)
- msiexec.exe -Embedding E1B3DE53CDA8C418DCF34BA4EBA0BB9B C (PID: 3348)
- msiexec.exe -Embedding DE05DE6924C07612E56AA3CD88A706EE C (PID: 1656)
- DismHost.exe {6C65D686-5C57-4EEC-8AA4-A654482C3931} (PID: 408)
Network Analysis
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
52.255.188.83 | 443 TCP | rundll32.exe PID: 4032 | United States |
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 11 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.
Clean 7
-
DISMHOST.EXE.6098F25B.bin
- Size
- 95KiB (96768 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/69
- MD5
- 516a5fce06bb388499238a5f9286cb74
- SHA1
- 958be7d02fca674fb386482090b9a5024d0a1538
- SHA256
- 9a4b735603297448841758b29d3c387a4ce84e5fd0dae05622f43ce53b8c85e6
-
MSI932.tmp
- Size
- 113KiB (116144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- MD5
- 4fdd16752561cf585fed1506914d73e0
- SHA1
- f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
- SHA256
- aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
-
MSI725C.tmp
- Size
- 113KiB (116144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- MD5
- 4fdd16752561cf585fed1506914d73e0
- SHA1
- f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
- SHA256
- aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
-
MSI9FF7.tmp
- Size
- 113KiB (116144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- MD5
- 4fdd16752561cf585fed1506914d73e0
- SHA1
- f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
- SHA256
- aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
-
MSIDBB6.tmp
- Size
- 113KiB (116144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- MD5
- 4fdd16752561cf585fed1506914d73e0
- SHA1
- f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
- SHA256
- aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
-
MSI366E.tmp
- Size
- 113KiB (116144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- MD5
- 4fdd16752561cf585fed1506914d73e0
- SHA1
- f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
- SHA256
- aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
-
MSI4510.tmp
- Size
- 113KiB (116144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- MD5
- 4fdd16752561cf585fed1506914d73e0
- SHA1
- f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
- SHA256
- aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
Informative 4
-
57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size
- 340B (340 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3532)
- MD5
- 627df3a6d4c23cce61d24c661885a219
- SHA1
- 08cb062014799d1651926fbed54215efbf7c208b
- SHA256
- a605f3bc4f9ebf2eedbd04a85d28feef86332f3b56978bd0e64e68aa5b268967
-
8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
- Size
- 426B (426 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3532)
- MD5
- a91f615a6290271ec293fdba4fd4ee47
- SHA1
- 0c728b1d658265f1b7657568affcb73bdfbaa421
- SHA256
- 93c88b05fac8d0097ab15c0dd3f154cf68eb88e862ad38ece28e59f8cfffd5f2
-
DA3B6E45325D5FFF28CF6BAD6065C907_97F35FEB6C8EB96D724BCFCDD8B58B1C
- Size
- 471B (471 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3532)
- MD5
- 7739ccdb38c0e296337e3d9c66af6d89
- SHA1
- c1f543fdcd676664917781447af7510ad23bae80
- SHA256
- 7de3ec0473e96bbfe3d9e20c527bbb6aa58ae0a6656ca7f22852bb1177259290
-
dism.log
- Size
- 183KiB (187772 bytes)
- Type
- text
- Description
- UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
- Runtime Process
- DismHost.exe (PID: 408)
- MD5
- 9f9942775f145d094e0c63388891b541
- SHA1
- 9a84650af38db8aa7b5dabe301f32b15098e0336
- SHA256
- 1db5c6ba3d06340ceddd7cd22d5845ae0f934a0d2f15b11bfd83f3bb958b2b40
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-1" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report