ezq202_setup.exe
This report is generated from a file or URL submitted to this webservice on January 26th 2020 14:52:38 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 3
-
Installation/Persistence
-
Allocates virtual memory in a remote process
- details
- "ezq202_setup.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"
- source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055
-
Writes data to a remote process
- details
-
"ezq202_setup.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"ezq202_setup.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"ezq202_setup.exe" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"ezq202_setup.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
-
Unusual Characteristics
-
Tries to access unusual system drive letters
- details
-
"msiexec.exe" touched "K:"
"msiexec.exe" touched "L:"
"msiexec.exe" touched "M:"
"msiexec.exe" touched "N:"
"msiexec.exe" touched "O:"
"msiexec.exe" touched "P:"
"msiexec.exe" touched "Q:"
"msiexec.exe" touched "R:"
"msiexec.exe" touched "S:"
"msiexec.exe" touched "T:"
"msiexec.exe" touched "U:"
"msiexec.exe" touched "V:"
"msiexec.exe" touched "W:"
- source
- API Call
- relevance
- 9/10
- ATT&CK ID
- T1083
-
Suspicious Indicators 21
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details
-
"ezq202_setup.exe" at 00031492-00003300-00000105-10052402161
"msiexec.exe" at 00031959-00002220-00000105-15226834388
- source
- API Call
- relevance
- 6/10
-
Cryptographic Related
-
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "c74e00dc552080b3e5fb4ad0388b830fc2f6843e4218c5975cb56a84d5d5a558.bin")
- source
- File/Memory
- relevance
- 10/10
-
Environment Awareness
-
Queries the installation properties of user installed products
- details
-
"ezq202_setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\69103F9C977714E478E31BEBEF9FCDF5\INSTALLPROPERTIES")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\69103F9C977714E478E31BEBEF9FCDF5\INSTALLPROPERTIES")
- source
- Registry Access
- relevance
- 10/10
-
Reads the active computer name
- details
-
"ezq202_setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Reads the cryptographic machine GUID
- details
-
"ezq202_setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Contains ability to find and load resources of a specific module
- details
-
LoadResource@KERNEL32.dll
LockResource@KERNEL32.dll
SizeofResource@KERNEL32.dll
FindResourceW@KERNEL32.dll
LoadResource@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
-
"ezq202_setup.exe" read file "%TEMP%\{70297AEC-B96E-458D-846C-19DA6FF13126}\Setup.INI"
"ezq202_setup.exe" read file "%TEMP%\{70297AEC-B96E-458D-846C-19DA6FF13126}\_ISMSIDEL.INI"
"ezq202_setup.exe" read file "%TEMP%\{70297AEC-B96E-458D-846C-19DA6FF13126}\0x0409.ini"
- source
- API Call
- relevance
- 4/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"4.05.0.0"
"2.9.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
Heuristic match: "ScriptVer=1.0.0.1"
- source
- File/Memory
- relevance
- 3/10
-
System Destruction
-
Marks file for deletion
- details
-
"C:\ezq202_setup.exe" marked "%TEMP%\_is89FE.tmp" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is8A4D.tmp" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is8A8D.tmp" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~8A8C.tmp" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is9510.tmp" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~950F.tmp" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is8B2B.tmp" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\0x0409.ini" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\EZQuote.msi" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\Setup.INI" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\_ISMSIDEL.INI" for deletion
"C:\ezq202_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}" for deletion
"%WINDIR%\System32\msiexec.exe" marked "C:\MSIf7c90.tmp" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
-
"ezq202_setup.exe" opened "%TEMP%\_is89FE.tmp" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is8A4D.tmp" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is8A8D.tmp" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~8A8C.tmp" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is9510.tmp" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~950F.tmp" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is8B2B.tmp" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\0x0409.ini" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\EZQuote.msi" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\Setup.INI" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\_ISMSIDEL.INI" with delete access
"ezq202_setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}" with delete access
"msiexec.exe" opened "C:\MSIf7c90.tmp" with delete access
"msiexec.exe" opened "%SAMPLEDIR%\MSIf7c91.tmp" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.dll
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
RegCreateKeyW
RegEnumKeyW
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
RegOpenKeyW
RegOpenKeyExA
RegEnumKeyExW
RegDeleteValueW
GetDriveTypeW
GetFileAttributesW
LoadLibraryExW
GetThreadContext
FindResourceExW
CopyFileW
WriteProcessMemory
GetModuleFileNameW
GetVersionExA
GetModuleFileNameA
UnhandledExceptionFilter
CreateThread
TerminateProcess
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
LoadLibraryA
GetStartupInfoA
GetFileSize
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
VirtualProtectEx
GetTempFileNameW
CreateFileMappingW
WriteFile
FindNextFileW
CreateFileMappingA
FindFirstFileW
GetProcAddress
CreateFileW
CreateFileA
FindResourceW
LockResource
GetCommandLineW
GetCommandLineA
MapViewOfFile
GetModuleHandleA
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
VirtualAlloc
ShellExecuteW
ShellExecuteExW
FindWindowW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"msiexec.exe" wrote bytes "c04e077720540877e0650877b53809770000000000d0d57600000000c5ead5760000000088ead57600000000e968177582280977ee29097700000000d2691775000000007dbbd5760000000009be177500000000ba18d57600000000" to virtual address "0x76A01000" (part of module "NSI.DLL")
"msiexec.exe" wrote bytes "4812e074" to virtual address "0x74E183C0" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "f811e074" to virtual address "0x74E183E0" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "f811e074" to virtual address "0x74E183C4" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4812e074" to virtual address "0x74E18364" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "b83012b06effe0" to virtual address "0x76CD1368" (part of module "WS2_32.DLL")
"msiexec.exe" wrote bytes "f8110000" to virtual address "0x74E01408" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "b84013b06effe0" to virtual address "0x74E01248" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4812e074" to virtual address "0x74E18348" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "f811e074" to virtual address "0x74E18368" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "f8110000" to virtual address "0x74E012CC" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "f811e074" to virtual address "0x74E1834C" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "68130000" to virtual address "0x76CD1680" (part of module "WS2_32.DLL")
"msiexec.exe" wrote bytes "75dc9776273e977651c19576ee9c9576949895760fb39b7610999576909795760000000042c6d576152ed576c0d9d5761bf7d576c108d776e0c2d57636dad57630c6d576d5d9d57686c4d57600000000" to virtual address "0x7031E000" (part of module "MSLS31.DLL")
"msiexec.exe" wrote bytes "b8c015b06effe0" to virtual address "0x74E011F8" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48120000" to virtual address "0x74E0139C" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "48120000" to virtual address "0x74E012DC" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "4812e074" to virtual address "0x74E183DC" (part of module "SSPICLI.DLL")
"msiexec.exe" wrote bytes "6012b06e" to virtual address "0x759BE324" (part of module "WININET.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
-
"ezq202_setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 7 Suspicious Indicators
-
Informative 22
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.dll
GetLocalTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine timezone
- details
- GetTimeZoneInformation@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersion@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersion@KERNEL32.dll
GetVersion@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesA@KERNEL32.dll
EnumSystemLocalesA@KERNEL32.dll
EnumSystemLocalesA@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExW@KERNEL32.dll directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "jne 0043CA57h"
Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jbe 004471A6h"
Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jbe 0044C0C9h"
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 004632CDh"
Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jbe 0044C0E5h"
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Queries volume information
- details
-
"msiexec.exe" queries volume information of "C:\" at 00031959-00002220-0000010C-15919492264
"msiexec.exe" queries volume information of "C:\share" at 00031959-00002220-0000010C-21334478035
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
- "msiexec.exe" queries volume information of "C:\" at 00031959-00002220-0000010C-15919492264
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/69 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains PDB pathways
- details
- "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setupW.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"ezq202_setup.exe" created file "%TEMP%\{70297AEC-B96E-458D-846C-19DA6FF13126}\Setup.INI"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\_ISMSIDEL.INI"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\0x0409.ini"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~8A8C.tmp"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is8B2B.tmp"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is89FE.tmp"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{70297AEC-B96E-458D-846C-19DA6FF13126}\EZQuote.msi"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is8A4D.tmp"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is8A8D.tmp"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is9510.tmp"
"ezq202_setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~950F.tmp"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6E120000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"msiexec.exe" touched "Msi install server" (Path: "HKCU\CLSID\{000C101C-0000-0000-C000-000000000046}\TREATAS")
"msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{000C103E-0000-0000-C000-000000000046}\TREATAS")
"msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
- source
- Registry Access
- relevance
- 3/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{D70E7075-193C-4CA4- ..."
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{D70E7075-193C-4CA4- ..."
- source
- Monitored Target
- relevance
- 3/10
-
The input sample possibly contains the RDTSCP instruction
- details
- Found VM detection artifact "RDTSCP trick" in "c74e00dc552080b3e5fb4ad0388b830fc2f6843e4218c5975cb56a84d5d5a558.bin" (Offset: 4884025)
- source
- Binary File
- relevance
- 5/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"ezq202_setup.exe" connecting to "\ThemeApiPort"
"msiexec.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"EZQuote.msi" has type "Composite Document File V2 Document Can't read SAT"
"_is9510.tmp" has type "zlib compressed data"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"_is8A4D.tmp" has type "zlib compressed data"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~8A8C.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"_is8A8D.tmp" has type "zlib compressed data"
"_is8B2B.tmp" has type "zlib compressed data"
"_is89FE.tmp" has type "zlib compressed data"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~950F.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"ezq202_setup.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"ezq202_setup.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"ezq202_setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"ezq202_setup.exe" touched file "C:\Windows\System32\rsaenh.dll"
"ezq202_setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "C:\Windows\System32\msiexec.exe"
"msiexec.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
"msiexec.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"msiexec.exe" touched file "C:\Windows\System32\rsaenh.dll"
"msiexec.exe" touched file "C:\Windows\System32\msimsg.dll"
"msiexec.exe" touched file "C:\Windows\System32\en-US\msimsg.dll.mui"
"msiexec.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"msiexec.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"msiexec.exe" touched file "C:\Windows\AppPatch\msimain.sdb"
"msiexec.exe" touched file "C:\Windows\System32\sxs.dll"
"msiexec.exe" touched file "C:\Windows\System32\en-US\sxs.dll.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "l.rS/IT"
Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "https://www.verisign.com/rpa01U*0"
Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"
Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0"
Pattern match: "www.acresso.com0"
Heuristic match: "i)2[cE#.Kz"
Pattern match: "http://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1501\margr1502\margt1440\margb1440\gutter0\ltrsect"
Pattern match: "http://www.eztradingclub.com"
Heuristic match: "|$OG_}.9i9QI>f}[Z.B5tU:QGe7-n^O[5 y7>GZMU9Cfg=h}mG:WXe2PmX;4JTF('qGnx[LfuU&Y.@v\24GTMim\sm5&*ygs$}=49jnXM[R>^1h1-$<7 Af#2\i0B,]np.In"
Heuristic match: "FvcS#!A~P[,C (<~O;;{l'D.&K$.AE"
Pattern match: "BVKWjE.YT/^cBE^Yr3^A1}X"
Heuristic match: "A fC0EB'\I_CFQap<.u*%tX^X:o<_HMxtd{g@=j8?Ro8-^7,|i36#ts?'Yl:w~w^'}NLw5zN:_]{I@5>Z{?kO'CcY2+Y?\zgT >D:lLqa@^%`F.ao"
Heuristic match: "w3!UD%m`/m`4?F*7tA}Gl@r/5}9M!3$c6Pcav.sy"
Heuristic match: "Db3w9AE/9%Q$BC`.Nf"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"ezq202_setup.exe" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "c74e00dc552080b3e5fb4ad0388b830fc2f6843e4218c5975cb56a84d5d5a558.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
File Details
ezq202_setup.exe
- Filename
- ezq202_setup.exe
- Size
- 5.9MiB (6138154 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- c74e00dc552080b3e5fb4ad0388b830fc2f6843e4218c5975cb56a84d5d5a558
- MD5
- d6efdc36583f0bbbb583e740b2ddc02a
- SHA1
- bd14868b27e74775b258485db1ec17b1a42861cc
- ssdeep
- 98304:C2r4xZPvieviLU2tL+yLQ1ypXagm20Q1uvKm0rGs4cif4AP2C+AYr1pb8h/KAQhL:CBPvzGjQcpK320QFr/4nfPYrDKiA0B
- imphash
- 920a4e4be91f73a5735e44f1cc00ee9e
- authentihash
- 6d0b4433c31b2b3c47e42806ca774cb16902d93caa1fa27a169b072afad5366a
- Compiler/Packer
- Microsoft visual C++ 5.0
- PDB Timestamp
- 09/22/2009 04:59:30 (UTC)
Version Info
- LegalCopyright
- Copyright (C) 2009 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
- InternalName
- Setup
- FileVersion
- 2.02.2000
- CompanyName
- ED Consulting
- Internal Build Number
- 92881
- ProductName
- EZQuote
- ProductVersion
- 2.02.2000
- FileDescription
- Setup Launcher Unicode
- OriginalFilename
- Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 36.1% (.EXE) InstallShield setup
- 26.2% (.EXE) Win32 Executable MS Visual C++ (generic)
- 23.2% (.EXE) Win64 Executable (generic)
- 5.5% (.DLL) Win32 Dynamic Link Library (generic)
- 3.7% (.EXE) Win32 Executable (generic)
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 66 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 9782)
- 19 .LIB Files generated with LIB.EXE 7.00 (Visual Studio .NET 2002) (build: 9210)
- 3 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 3 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 9178)
- 2 .OBJ Files (COFF) linked with LINK.EXE 6.20 (Visual Studio 6 SP3) (build: 8755)
- 3 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 147 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 9782)
- 30 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 2 .OBJ Files linked with ALIASOBJ.EXE 6.00 (Internal OLDNAMES.LIB Tool) (build: 7291)
- File contains C++ code
- File is the product of a medium codebase (66 files)
File Sections
File Resources
File Imports
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- ezq202_setup.exe (PID: 3300)
- msiexec.exe /i "%LOCALAPPDATA%\Downloaded Installations\{D70E7075-193C-4CA4-8424-D5D839A5EC9E}\EZQuote.msi" SETUPEXEDIR="C:" SETUPEXENAME="ezq202_setup.exe" (PID: 2220)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
49.1.9.1 | Domain/IP reference | 51121-2765-00451AD5 |
2.5.4.3 | Domain/IP reference | 51121-2765-00451AD5 |
2.5.4.10 | Domain/IP reference | 51121-2765-00451AD5 |
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 51121-647-00407CD6 |
2.5.4.11 | Domain/IP reference | 51121-2765-00451AD5 |
2.0.0.0 | Domain/IP reference | 51121-897-0041A2E1 |
2.9.0.0 | Domain/IP reference | 51121-898-0042E053 |
3.0.0.0 | Domain/IP reference | 51121-897-0041A2E1 |
Extracted Strings
Extracted Files
Informative Selection 3
-
EZQuote.msi
- Size
- 5MiB (5241512 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- msiexec.exe (PID: 2220)
- MD5
- 9259c44b95a28f0a2966e4174521a3dd
- SHA1
- 7f4f7e310e2d1daf587b429fdb328a6c9c269617
- SHA256
- 2cb1be35b98df1433305b157247b3d85bce6884416156993caa230eafd67dc2d
-
_is89FE.tmp
- Size
- 1.3KiB (1317 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 52a9370dcac5745204d676cdf9fabaec
- SHA1
- 541a9d4e3a1caed9cb779263f7e29370514f3d80
- SHA256
- 2abead9c359233015bac656f4127df0e840ea8eaeb7da2d69ed708f9c814d4ff
-
_is8A8D.tmp
- Size
- 1.3KiB (1317 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 52a9370dcac5745204d676cdf9fabaec
- SHA1
- 541a9d4e3a1caed9cb779263f7e29370514f3d80
- SHA256
- 2abead9c359233015bac656f4127df0e840ea8eaeb7da2d69ed708f9c814d4ff
Informative 8
-
_is8A4D.tmp
- Size
- 4.3KiB (4435 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 8a471f9ecd2e4b6e542fefe9ba3c434a
- SHA1
- ef811b2f2a40ebcfff7f81f56ec3f89b52b215a6
- SHA256
- 8575f54671febda9922f968627cb892852db9cb26add3a04158204444d13af3a
-
_is8B2B.tmp
- Size
- 5MiB (5211763 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- ce3b059b2ce2c8ebbf1450ba607a33b9
- SHA1
- ee20989507b445fd85ed84083227385f862c5990
- SHA256
- 68ecfe89c65b9119fc362b5bc25fb490e48c9cef90d54b053f73ab7bd3b38d09
-
_is9510.tmp
- Size
- 1.3KiB (1317 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 52a9370dcac5745204d676cdf9fabaec
- SHA1
- 541a9d4e3a1caed9cb779263f7e29370514f3d80
- SHA256
- 2abead9c359233015bac656f4127df0e840ea8eaeb7da2d69ed708f9c814d4ff
-
0x0409.ini
- Size
- 21KiB (21494 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 36affbd6ff77d1515cfc1c5e998fbaf9
- SHA1
- 950d00ecc2e7fd2c48897814029e8eedf6397838
- SHA256
- fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3
-
Setup.INI
- Size
- 5KiB (5126 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 22d9598201a3fa141e6e8c416f44badd
- SHA1
- e5b43cf21b99a6319de22dff4d4db1f32ad784c1
- SHA256
- 7b41a5cc9432909668f515d1c8fbcded65736dc6adf7d2709c70c01bb3029f5c
-
_ISMSIDEL.INI
- Size
- 608B (608 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 7519c0d2843416b08240ac7ad97fc35d
- SHA1
- 447756cd2e785021da2e15a00c07a1e7f8922069
- SHA256
- f8ea2dd8b590b636794bc5f4ea1a940960f0c9104b305482df5000c2595592d2
-
~8A8C.tmp
- Size
- 5KiB (5126 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 22d9598201a3fa141e6e8c416f44badd
- SHA1
- e5b43cf21b99a6319de22dff4d4db1f32ad784c1
- SHA256
- 7b41a5cc9432909668f515d1c8fbcded65736dc6adf7d2709c70c01bb3029f5c
-
~950F.tmp
- Size
- 5KiB (5126 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- ezq202_setup.exe (PID: 3300)
- MD5
- 22d9598201a3fa141e6e8c416f44badd
- SHA1
- e5b43cf21b99a6319de22dff4d4db1f32ad784c1
- SHA256
- 7b41a5cc9432909668f515d1c8fbcded65736dc6adf7d2709c70c01bb3029f5c
Notifications
Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report