nms_clients_setup.exe
This report is generated from a file or URL submitted to this webservice on October 8th 2019 08:19:26 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: Found a string that may be used as part of an injection method
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Spreading: Opens the MountPointManager (often used to detect additional infection locations); Tries to access unusual system drive letters
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 4

Installation/Persistence

Allocates virtual memory in a remote process
- details: "nms_clients_setup.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
  - "nms_clients_setup.exe" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 372)
  - "nms_clients_setup.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 372)
  - "nms_clients_setup.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 372)
  - "nms_clients_setup.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 372)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details: ExitWindowsEx@USER32.DLL from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 5/10

Tries to access unusual system drive letters
- details: "msiexec.exe" touched "K:", "L:", "M:", "N:", "O:", "P:", "Q:", "R:", "S:", "T:", "U:", "V:", "W:"
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083
Suspicious Indicators 19

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
  - "nms_clients_setup.exe" at 00029234-00002984-00000105-19218724207
  - "msiexec.exe" at 00029753-00001020-00000105-17252352362
- source: API Call
- relevance: 6/10
Environment Awareness

Queries the installation properties of user installed products
- details:
  - "nms_clients_setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\C2E90D5581A325D448BEA71F100413B7\INSTALLPROPERTIES")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\C2E90D5581A325D448BEA71F100413B7\INSTALLPROPERTIES")
- source: Registry Access
- relevance: 10/10

Reads the active computer name
- details:
  - "nms_clients_setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details:
  - "nms_clients_setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Contains ability to find and load resources of a specific module
- details:
  - LoadResource@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984) (4 occurrences)
  - FindResourceExW@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  - "nms_clients_setup.exe" read file "%TEMP%\{CA46E01A-A575-41DF-BA99-DFE693761E74}\Setup.INI"
  - "nms_clients_setup.exe" read file "%TEMP%\{CA46E01A-A575-41DF-BA99-DFE693761E74}\_ISMSIDEL.INI"
  - "nms_clients_setup.exe" read file "%TEMP%\{CA46E01A-A575-41DF-BA99-DFE693761E74}\0x0409.ini"
- source: API Call
- relevance: 4/10
Network Related

Found potential IP address in binary/memory
- details:
  - Heuristic match: "iDIRECT NMS Clients 21.0.3.0"
  - "4.05.0.0"
  - Heuristic match: "%IS_PREREQ%-iDIRECT NMS Clients 21.0.3.0"
  - Heuristic match: "%IS_PREREQF%-iDIRECT NMS Clients 21.0.3.0"
  - "2.9.0.0"
  - Heuristic match: "/i "%LOCALAPPDATA%\Downloaded Installations\{D6CEA28D-D6DC-44BA-BC8F-94850015C3EC}\iDIRECT NMS Clients 21.0.3.0.msi" SETUPEXEDIR="C:" SETUPEXENAME="nms_clients_setup.exe""
  - Heuristic match: "iDIRECT NMS Clients 21.0.3.0.msi=%TEMP%\{CA46E01A-A575-41DF-BA99-DFE693761E74}\iDIRECT NMS Clients 21.0.3.0.msi"
  - Heuristic match: "ScriptVer=1.0.0.1"
  - Heuristic match: "Product=iDIRECT NMS Clients 21.0.3.0"
  - Heuristic match: "PackageName=iDIRECT NMS Clients 21.0.3.0.msi"
  - Heuristic match: "ProductVersion=21.0.3.0"
  - Heuristic match: "[iDIRECT NMS Clients 21.0.3.0.msi]"
  - Heuristic match: "Location=iDIRECT NMS Clients 21.0.3.0.msi"
- source: File/Memory
- relevance: 3/10
Remote Access Related

Contains indicators of bot communication commands
- details: "bw')/_w|Z5ZPcmD=v)=z0X3=Siz2TRSqL!" (Indicator: "cmd=")
- source: File/Memory
- relevance: 10/10
- ATT&CK ID: T1094
System Destruction

Marks file for deletion
- details:
  - "C:\nms_clients_setup.exe" marked "%TEMP%\_MSI5166._IS" for deletion
  - "C:\nms_clients_setup.exe" marked "%TEMP%\~31A.tmp" for deletion
  - "C:\nms_clients_setup.exe" marked "%TEMP%\~33B.tmp" for deletion
  - "C:\nms_clients_setup.exe" marked "%TEMP%\~EF4.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
  - "nms_clients_setup.exe" opened "%TEMP%\_MSI5166._IS" with delete access
  - "nms_clients_setup.exe" opened "%TEMP%\~31A.tmp" with delete access
  - "nms_clients_setup.exe" opened "%TEMP%\~33B.tmp" with delete access
  - "nms_clients_setup.exe" opened "%TEMP%\~EF4.tmp" with delete access
- source: API Call
- relevance: 7/10
System Security

Contains ability to elevate privileges
- details: SetEntriesInAclW@ADVAPI32.DLL from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 10/10
Unusual Characteristics

Installs hooks/patches the running process
- details:
  - "msiexec.exe" wrote bytes "68130000" to virtual address "0x76C11680" (part of module "WS2_32.DLL")
  - "msiexec.exe" wrote bytes "6012f671" to virtual address "0x7687E324" (part of module "WININET.DLL")
  - "msiexec.exe" wrote bytes "b8c015f671ffe0" to virtual address "0x74F111F8" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "b83012f671ffe0" to virtual address "0x76C11368" (part of module "WS2_32.DLL")
  - "msiexec.exe" wrote bytes "48120000" to virtual address "0x74F1139C" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "48120000" to virtual address "0x74F112DC" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "4812f174" to virtual address "0x74F283DC" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "c04e1b7720541c77e0651c77b5381d770000000000d0407500000000c5ea40750000000088ea407500000000e968297582281d77ee291d7700000000d2692975000000007dbb40750000000009be297500000000ba18407500000000" to virtual address "0x77301000" (part of module "NSI.DLL")
  - "msiexec.exe" wrote bytes "4812f174" to virtual address "0x74F283C0" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "f811f174" to virtual address "0x74F283E0" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "f811f174" to virtual address "0x74F283C4" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "4812f174" to virtual address "0x74F28364" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "f8110000" to virtual address "0x74F11408" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "b84013f671ffe0" to virtual address "0x74F11248" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "4812f174" to virtual address "0x74F28348" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "f811f174" to virtual address "0x74F28368" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "f8110000" to virtual address "0x74F112CC" (part of module "SSPICLI.DLL")
  - "msiexec.exe" wrote bytes "f811f174" to virtual address "0x74F2834C" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  - "nms_clients_setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Hiding 6 Suspicious Indicators
Informative 19

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details: Found reference to API InitCommonControlsEx@COMCTL32.DLL from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 10/10
Environment Awareness

Contains ability to query machine time
- details:
  - GetSystemTimeAsFileTime@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984) (3 occurrences)
  - GetLocalTime@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details:
  - GetVersionExW@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984) (7 occurrences)
  - GetVersion@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984) (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceExW@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Makes a code branch decision directly after an API that is environment aware
- details:
  - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret" from nms_clients_setup.exe (PID: 2984) (2 occurrences)
  - Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp word ptr [ebp-00000CE4h], ax" and "jnc 00434C59h" from nms_clients_setup.exe (PID: 2984)
  - Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-000001E8h], 05h" and "jne 00437CD8h" from nms_clients_setup.exe (PID: 2984)
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details: GetProcessHeap@KERNEL32.DLL from nms_clients_setup.exe (PID: 2984) (4 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Queries volume information
- details: "msiexec.exe" queries volume information of "C:\" at 00029753-00001020-0000010C-18043813702
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- details: "msiexec.exe" queries volume information of "C:\" at 00029753-00001020-0000010C-18043813702
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120
General

Contains PDB pathways
- details: "C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
  - "nms_clients_setup.exe" created file "%TEMP%\{CA46E01A-A575-41DF-BA99-DFE693761E74}\iDIRECT NMS Clients 21.0.3.0.msi"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~EF4.tmp"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{CA46E01A-A575-41DF-BA99-DFE693761E74}\Setup.INI"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{CA46E01A-A575-41DF-BA99-DFE693761E74}\_ISMSIDEL.INI"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{CA46E01A-A575-41DF-BA99-DFE693761E74}\0x0409.ini"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~31A.tmp"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~33B.tmp"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{CA46E01A-A575-41DF-BA99-DFE693761E74}\Microsoft Windows Update KB2999226 (x86).prq"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{CA46E01A-A575-41DF-BA99-DFE693761E74}\Microsoft Visual C++ 2015 Update 3 Redistributable Package (x86).prq"
  - "nms_clients_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{CA46E01A-A575-41DF-BA99-DFE693761E74}\MSXML 6.0 SP1.prq"
- source: API Call
- relevance: 1/10

Overview of unique CLSIDs touched in registry
- details:
  - "msiexec.exe" touched "Msi install server" (Path: "HKCU\CLSID\{000C101C-0000-0000-C000-000000000046}\TREATAS")
  - "msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{000C103E-0000-0000-C000-000000000046}\TREATAS")
  - "msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
- source: Registry Access
- relevance: 3/10

Spawns new processes
- details: Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{D6CEA28D-D6DC-44BA- ..."
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details: Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{D6CEA28D-D6DC-44BA- ..."
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Connects to LPC ports
- details:
  - "nms_clients_setup.exe" connecting to "\ThemeApiPort"
  - "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
  - "iDIRECT NMS Clients 21.0.3.0.msi" has type "Composite Document File V2 Document Can't read SAT"
  - "~EF4.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  - "Microsoft Visual C_ 2015 Update 3 Redistributable Package _x86_.prq" has type "XML 1.0 document ASCII text with CRLF line terminators"
  - "0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
  - "Microsoft Windows Update KB2999226 _x86_.prq" has type "XML 1.0 document ASCII text with CRLF line terminators"
  - "_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  - "~33B.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  - "~31A.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  - "MSXML 6.0 SP1.prq" has type "XML 1.0 document ASCII text with CRLF line terminators"
  - "Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "nms_clients_setup.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - "nms_clients_setup.exe" touched file "C:\Windows\System32\msxml6.dll"
  - "nms_clients_setup.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "nms_clients_setup.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  - "nms_clients_setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "nms_clients_setup.exe" touched file "C:\Windows\System32\rsaenh.dll"
  - "msiexec.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "msiexec.exe" touched file "C:\Windows\System32\msiexec.exe"
  - "msiexec.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
  - "msiexec.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
  - "msiexec.exe" touched file "C:\Windows\System32\rsaenh.dll"
  - "msiexec.exe" touched file "C:\Windows\System32\msimsg.dll"
  - "msiexec.exe" touched file "C:\Windows\System32\en-US\msimsg.dll.mui"
  - "msiexec.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  - "msiexec.exe" touched file "C:\Windows\AppPatch\msimain.sdb"
  - "msiexec.exe" touched file "C:\Windows\System32\sxs.dll"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
  - Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
  - Heuristic match: "3xl>\g.aC"
  - Heuristic match: "mWT@87~.mm"
  - Heuristic match: "Am5n~v.FI"
  - Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
  - Pattern match: "www.idirect.netARPHELPTELEPHONEARPPRODUCTICON.exeARPPRODUCTICONARPURLINFOABOUT30DWUSINTERVALCEDBB0FFAE0CC09FA9AC971FBE9C978F89EC308FFE8B1038CE3CD78F99CBE0FF6E8CE768CEACDWUSLINKTahoma8DefaultUIFontInstallShield"
  - Pattern match: "https://\W%V%V4&V848%toys::file"
  - Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
  - Pattern match: "http://logo.verisign.com/vslogo.gif0Ue0C93130"
  - Pattern match: "http://sv.symcb.com/sv.crl0fU"
  - Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0UF'Sbk!,0`HB0"
  - Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
  - Pattern match: "http://www.flexerasoftware.com0"
  - Heuristic match: "~W2+pj?sMM{[-~0A?]3Ep]%nT~L-!NS`0qaBFV3j|54a7D+5/VVC9~!*-b202.bT"
  - Pattern match: "http://schemas.microsoft.com/office/word/2003/wordml}{\xmlns2"
  - Pattern match: "r.Rj//~h"
  - Pattern match: "G.dEVq/.3I4C=\.mWHuPk4"
  - Pattern match: "HG.BYkC/EKC"
  - Pattern match: "7.FJp/#RwxW"
  - Pattern match: "http://saturn.installshield.com/devstudio/setuprequirements/MSXML60sp1/x86/msxml6_x86.msi"
  - Pattern match: "http://saturn.installshield.com/devstudio/setuprequirements/MSXML60sp1/MSXML"
  - Pattern match: "https://download.microsoft.com/download/4/F/E/4FE73868-5EDD-4B47-8B33-CE1BB7B2B16A/Windows6.1-KB2999226-x86.msu"
  - Pattern match: "https://download.microsoft.com/download/9/a/2/9a2a7e36-a8af-46c0-8a78-a5eb111eefe2/vc_redist.x86.exe"
  - Pattern match: "http://saturn.installshield.com/is/prerequisites/Microsoft"
- source: File/Memory
- relevance: 10/10
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details:
  - "nms_clients_setup.exe" opened "\Device\KsecDD"
  - "msiexec.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215
File Details
nms_clients_setup.exe
- Filename: nms_clients_setup.exe
- Size: 36MiB (37733929 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 372e2313609951d3ca86d54fe3d005d07de173d9cb8f8d8c3f13cc7f7388581c
- MD5: 0ab61bd5e58ae1b50d9dd3287a5f171e
- SHA1: 77c127589a61a43334044ba0f99e63241cf0676f
Classification (TrID)
- 72.3% (.EXE) Win64 Executable (generic)
- 11.8% (.EXE) Win32 Executable (generic)
- 5.3% (.EXE) OS/2 Executable (generic)
- 5.2% (.EXE) Generic Win/DOS Executable
- 5.2% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- nms_clients_setup.exe (PID: 2984)
- msiexec.exe /i "%LOCALAPPDATA%\Downloaded Installations\{D6CEA28D-D6DC-44BA-BC8F-94850015C3EC}\iDIRECT NMS Clients 21.0.3.0.msi" SETUPEXEDIR="C:" SETUPEXENAME="nms_clients_setup.exe" (PID: 1020)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
| String | Context | Stream UID |
|---|---|---|
| http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00029234-00002984-887-1582-0041A07D |
| 2.0.0.0 | Domain/IP reference | 00029234-00002984-887-1256-0043AF0B |
| 2.9.0.0 | Domain/IP reference | 00029234-00002984-887-1257-0044F3DD |
| 3.0.0.0 | Domain/IP reference | 00029234-00002984-887-1256-0043AF0B |
Extracted Strings
Extracted Files
Informative Selection 4

iDIRECT NMS Clients 21.0.3.0.msi
- Size: 5MiB (5232389 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, Can't read SAT
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: fc3e1097238a951cc132b84a9f1f9e31
- SHA1: 04316c1710f65b2bcbc24da3a8c0009d3af0e284
- SHA256: 069e4cdca172d99c56c07d75556ad8237a1acf3b3cf48bf89acaa85e28cd9ef1

Setup.INI
- Size: 5.7KiB (5838 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: a9be9a025f791e6838f91796b64c2e52
- SHA1: cb0e2cc25072146b1d5f384ad47263ebb49a2f3b
- SHA256: 4578ed977f9f671051fa80f6cf97d5b458428324d6e4a542f0ec3830c42e0220

~31A.tmp
- Size: 5.7KiB (5838 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: a9be9a025f791e6838f91796b64c2e52
- SHA1: cb0e2cc25072146b1d5f384ad47263ebb49a2f3b
- SHA256: 4578ed977f9f671051fa80f6cf97d5b458428324d6e4a542f0ec3830c42e0220

~33B.tmp
- Size: 5.7KiB (5838 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: a9be9a025f791e6838f91796b64c2e52
- SHA1: cb0e2cc25072146b1d5f384ad47263ebb49a2f3b
- SHA256: 4578ed977f9f671051fa80f6cf97d5b458428324d6e4a542f0ec3830c42e0220
Informative 6

0x0409.ini
- Size: 22KiB (22480 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: a108f0030a2cda00405281014f897241
- SHA1: d112325fa45664272b08ef5e8ff8c85382ebb991
- SHA256: 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

MSXML 6.0 SP1.prq
- Size: 1.4KiB (1449 bytes)
- Type: text
- Description: XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: 8a768768de69767be3c35c9bf5c2890e
- SHA1: cf66aad86f3e9b4f96fd0c582e770aa831ca5c56
- SHA256: e5bfb83faadd5b2a5ad51961b685aaf1e41918ef03d9f8ba3cd21858ac15a3eb

_ISMSIDEL.INI
- Size: 1.6KiB (1676 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: ce6d79fd21807fbc997b44741a41f4a7
- SHA1: f43d190b3cbde3664adb475b15ccf282ea7a06d8
- SHA256: a6d5dac20b2eae2ef426127a663f80f8994f58c4eafe5a0b83c979df319d30bc

~EF4.tmp
- Size: 5.7KiB (5838 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: a9be9a025f791e6838f91796b64c2e52
- SHA1: cb0e2cc25072146b1d5f384ad47263ebb49a2f3b
- SHA256: 4578ed977f9f671051fa80f6cf97d5b458428324d6e4a542f0ec3830c42e0220

Microsoft Visual C_ 2015 Update 3 Redistributable Package _x86_.prq
- Size: 1.8KiB (1838 bytes)
- Type: text
- Description: XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: 415e046094417f2983766c7dff657dc5
- SHA1: d095662c3a2e9f6767ee887a92b34ed5dfd6b287
- SHA256: 577d9970b5ddc4cd7f56452a0b154d0665529e68ed46f2a322de0c8b19036edf

Microsoft Windows Update KB2999226 _x86_.prq
- Size: 1.3KiB (1341 bytes)
- Type: text
- Description: XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process: nms_clients_setup.exe (PID: 2984)
- MD5: b536c9eab347b955e0bbfbb2d001575b
- SHA1: cacc57c5ba833f9751cbe7c98dcd01313d2b9f8a
- SHA256: fa90f52766c1dea3f8e60187cc4a80ccb47fc4f4c3d7281a0255c0c5e0f49709
Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report