AVD-NativeApp-4.9.2-Release.msi
This report is generated from a file or URL submitted to this webservice on February 2nd 2021 18:02:41 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.46.1 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
- Queries process information
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 2

Installation/Persistence

Drops executable files to the Windows system directory
- details: File type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" was dropped at "%WINDIR%\Installer\MSI10A8.tmp"
- source: Binary File
- relevance: 7/10
- ATT&CK ID: T1036

Spawns a process via the service control manager
- details: Process "msiexec.exe" with commandline "/V"
- source: Monitored Target
- relevance: 3/10
- ATT&CK ID: T1050
Suspicious Indicators 14

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
  "msiexec.exe" at 00069195-00003276-00000033-126085458
  "msiexec.exe" at 00069740-00002296-00000033-9557898357889819
- source: API Call
- relevance: 6/10

Queries process information
- details:
  "msiexec.exe" queried SystemProcessInformation at 00069740-00002296-00000033-27973801
  "msiexec.exe" queried SystemProcessInformation at 00069740-00002296-00000033-27974148
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1057
Environment Awareness

Queries the installation properties of user installed products
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\9016EC371AE28FE4C9035BE6502C004E\INSTALLPROPERTIES")
- source: Registry Access
- relevance: 10/10

Reads the active computer name
- details: "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details: 1/72 reputation engines marked "http://www.digicert.com/cps0" as malicious (1% detection rate)
- source: External System
- relevance: 10/10
General

Found a potential E-Mail address in binary/memory
- details: Pattern match: "anttoolbar@ant.com"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114
Installation/Persistence

Creates new processes
- details: "msiexec.exe" is creating a new process
- source: API Call
- relevance: 8/10

Drops executable files
- details: "MSI10A8.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Opens the MountPointManager (often used to detect additional infection locations)
- details: "msiexec.exe" opened "\Device\MountPointManager"
- source: API Call
- relevance: 5/10
System Destruction

Marks file for deletion
- details:
  "%WINDIR%\System32\msiexec.exe" marked "C:\MSIb4ea.tmp" for deletion
  "%WINDIR%\System32\msiexec.exe" marked "%WINDIR%\Installer\10fa41.ipi" for deletion
  "%WINDIR%\System32\msiexec.exe" marked "%WINDIR%\Installer\MSIEF1.tmp" for deletion
  "%WINDIR%\System32\msiexec.exe" marked "%WINDIR%\Installer\MSI10A8.tmp" for deletion
  "%WINDIR%\System32\msiexec.exe" marked "%WINDIR%\Installer\10fa40.msi" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
  "msiexec.exe" opened "C:\MSIb4ea.tmp" with delete access
  "msiexec.exe" opened "%SAMPLEDIR%\MSIb4eb.tmp" with delete access
  "msiexec.exe" opened "%WINDIR%\Installer\10fa41.ipi" with delete access
  "msiexec.exe" opened "%WINDIR%\Installer\MSIEF1.tmp" with delete access
  "msiexec.exe" opened "%WINDIR%\Installer\MSI10A8.tmp" with delete access
  "msiexec.exe" opened "%WINDIR%\Installer\10fa40.msi" with delete access
- source: API Call
- relevance: 7/10
Unusual Characteristics

Reads information about supported languages
- details:
  "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Tries to access unusual system drive letters
- details:
  "msiexec.exe" touched "K:"
  "msiexec.exe" touched "L:"
  "msiexec.exe" touched "M:"
  "msiexec.exe" touched "N:"
  "msiexec.exe" touched "O:"
  "msiexec.exe" touched "P:"
  "msiexec.exe" touched "Q:"
  "msiexec.exe" touched "R:"
  "msiexec.exe" touched "S:"
  "msiexec.exe" touched "T:"
  "msiexec.exe" touched "U:"
  "msiexec.exe" touched "V:"
  "msiexec.exe" touched "W:"
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083
Informative 32

Environment Awareness

Queries volume information
- details:
  "msiexec.exe" queries volume information of "C:\" at 00069195-00003276-00000046-1795367
  "msiexec.exe" queries volume information of "C:\share" at 00069195-00003276-00000046-137058470
  "msiexec.exe" queries volume information of "C:\" at 00069740-00002296-00000046-9557898363968584
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- details:
  "msiexec.exe" queries volume information of "C:\" at 00069195-00003276-00000046-1795367
  "msiexec.exe" queries volume information of "C:\" at 00069740-00002296-00000046-9557898363968584
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details:
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems

Sample was identified as clean by Antivirus engines
- details: 0/57 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General

Accesses Software Policy Settings
- details:
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
Accesses System Certificates Settings
- details:
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Contains PDB pathways
- details:
  "C:\agent\_work\8\s\build\ship\x86\uica.pdb"
  "%USERPROFILE%\workspace\AVD-CC-v4.9-Release\native-application\win32\Bin_x86\Release\CA_GenerateHostManifest.pdb"
  "%USERPROFILE%\workspace\AVD-CC-v4.9-Release\native-application\win32\Bin_x86\Release\CA_UninstallManifest.pdb"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
  "msiexec.exe" created file "%TEMP%\MSIb4ec.LOG"
  "msiexec.exe" created file "%TEMP%\~DF1B932BCF41494E20.TMP"
  "msiexec.exe" created file "%TEMP%\~DF8DA2AA9D35AA9967.TMP"
  "msiexec.exe" created file "%TEMP%\~DF23C14F76F3C01A4B.TMP"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
  "Global\_MSIExecute"
  "Global\MSILOG_188c78621d6f986GOL.ce4bISM_pmeT_lacoL_ataDppA_r04IxGU_sresU_:C"
  "\Sessions\1\BaseNamedObjects\Global\MSILOG_188c78621d6f986GOL.ce4bISM_pmeT_lacoL_ataDppA_r04IxGU_sresU_:C"
  "\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
  "\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
- source: Created Mutant
- relevance: 3/10
Loads rich edit control libraries
- details: "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at EFAC0000
- source: Loaded Module
- ATT&CK ID: T1179

Overview of unique CLSIDs touched in registry
- details:
  "msiexec.exe" touched "Msi install server" (Path: "HKCU\CLSID\{000C101C-0000-0000-C000-000000000046}")
  "msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{000C103E-0000-0000-C000-000000000046}")
  "msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
  "msiexec.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details:
  Process "msiexec.exe" was launched with modified environment variables: "CommonProgramFiles, Path, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
  Process "msiexec.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, PROMPT, HOMEPATH, HOMEDRIVE"
- source: Monitored Target
- relevance: 10/10
Reads Windows Trust Settings
- details: "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads configuration files
- details: "msiexec.exe" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10

Sample shows a variety of benign indicators
- details: The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source: Indicator Combinations
- relevance: 10/10

Scanning for window names
- details: "msiexec.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details: Spawned process "msiexec.exe" with commandline "/V"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details: Spawned process "msiexec.exe" with commandline "/V"
- source: Monitored Target
- relevance: 3/10
The input sample is signed with a certificate
- details:
  The input sample is signed with a certificate issued by "C=HK, S=Hong Kong, L=Central District, O=ANT.COM LIMITED, CN=ANT.COM LIMITED" (SHA1: 99:1F:46:43:FF:34:9E:F7:0B:B6:85:C7:6C:C6:66:0B:46:DE:EE:55: (1.2.840.113549.1.1.11); see report for more information)
  The input sample is signed with a certificate issued by "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" (SHA1: 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5: (1.2.840.113549.1.1.11); see report for more information)
  The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5" (SHA1: 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5: (sha1RSA(RSA)); see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

The input sample is signed with a valid certificate
- details: The entire certificate chain of the input sample was validated successfully.
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116
Installation/Persistence

Connects to LPC ports
- details: "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
  "MSIEF1.tmp" has type "data"
  "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4795 bytes 1 file"
  "MSI10A8.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" has type "data"
  "EA618097E393409AFA316F0F87E2C202_17BEEA5D90521E6E9C77CC347122253A" has type "data"
  "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "data"
- source: Binary File
- relevance: 3/10

Found a string that may be used as part of an injection method
- details: "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1055
Monitors specific registry key for changes
- details:
  "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 1)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 74874625)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 74875137)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 74875137)
  "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 3164161)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 74875137)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople" (Filter: 5; Subtree: 74875137)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config" (Filter: 5; Subtree: 3331073)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 1995375361)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
  "msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 1)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 131072)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 65536)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 1)
  "msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1012
Scans for the windows taskbar (may be used for explorer injection)
- details: "msiexec.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1055

Touches files in the Windows directory
- details:
  "msiexec.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
  "msiexec.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
  "msiexec.exe" touched file "C:\Windows\system32\ar-SA\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\bg-BG\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\cs-CZ\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\da-DK\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\de-DE\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\el-GR\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\en\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\es-ES\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\et-EE\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\fi-FI\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\fr-FR\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\he-IL\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\hr-HR\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\hu-HU\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\it-IT\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\ja-JP\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\ko-KR\sxs.DLL.mui"
  "msiexec.exe" touched file "C:\Windows\system32\lt-LT\sxs.DLL.mui"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
- source: File/Memory
- relevance: 10/10
System Security

Creates or modifies windows services
- details: "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Modifies Software Policy Settings
- details:
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "msiexec.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215
Unusual Characteristics
-
Drops cabinet archive files
- details
- "57C8EDB95DF3F0AD4EE2DC2B8CFD4157" has type "Microsoft Cabinet archive data 4795 bytes 1 file"
- source
- Binary File
- relevance
- 10/10
-
Installs hooks/patches the running process
- details:
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
File Details

AVD-NativeApp-4.9.2-Release.msi
- Filename: AVD-NativeApp-4.9.2-Release.msi
- Size: 22MiB (23166976 bytes)
- Type: msi data
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Ant Video downloader, version 4.9, Author: Ant.com, Keywords: Installer, Comments: 4.9. Build 2, Template: Intel;1033, Revision Number: {49F37E76-05E0-4E4D-A7B5-ED982FF31B39}, Create Time/Date: Fri Jan 29 17:48:34 2021, Last Saved Time/Date: Fri Jan 29 17:48:34 2021, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML T
- Architecture: WINDOWS
- SHA256: c101cdc8cd83401723c176de30834e0900a83e855a17446198489d0e0a38b84d
- MD5: 78b24eb4f3521f3fcf7e2430179f4414
- SHA1: 404a1561ca192944e9d17914f102bd00f887c3e5
- ssdeep: 393216:vYYhj6nwGvBBntyGzGdkqRhqiIq8mQoGXbezZEB27YfylB3Td/yOhc2FzMKY+tAX:vYg6nnH9Ct6qZQELBD8Ohc29MKYCAzR5
File Certificates

Certificate chain was successfully validated.

Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
C=HK, S=Hong Kong, L=Central District, O=ANT.COM LIMITED, CN=ANT.COM LIMITED | C=HK, S=Hong Kong, L=Central District, O=ANT.COM LIMITED, CN=ANT.COM LIMITED (Serial: 21e0ac5460dc00cefba57461ddcd7e0a) | 02/17/2020 01:00:00 to 02/16/2021 00:59:59 | 99:1F:46:43:FF:34:9E:F7:0B:B6:85:C7:6C:C6:66:0B:46:DE:EE:55: (1.2.840.113549.1.1.11)
C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA | C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA (Serial: 3d78d7f9764960b2617df4f01eca862a) | 12/10/2013 01:00:00 to 12/10/2023 00:59:59 | 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5: (1.2.840.113549.1.1.11)
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 | C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 (Serial: 18dad19e267de8bb4a2158cdcc6b3b4a) | 11/08/2006 01:00:00 to 07/17/2036 00:59:59 | 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5: (sha1RSA(RSA))
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- msiexec.exe /i "C:\AVD-NativeApp-4.9.2-Release.msi" (PID: 3276)
- msiexec.exe /V (PID: 2296)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 5 extracted file(s). The remaining 3 file(s) are available in the full version and XML/JSON reports.
Informative 5

57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size: 340B (340 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 3276)
- MD5: f16d3690421740ffed884eb5a73589a2
- SHA1: 87ee7e9795ab3327cd35aaef7ca35c3d8340c9f5
- SHA256: e23fcdc26d846019904ca35ab6c57b0b6e2b1d44ae6e9102f057625fccd80437

C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
- Size: 398B (398 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 2296)
- MD5: c409a8809d1c0210aad8df1b0cdffba3
- SHA1: c79f6f11026485ec8793cffc80111e663043420b
- SHA256: 08f533a875ac8f45ad039e7938358e1f67730d677961b38a541c8e7f02c858c4

EA618097E393409AFA316F0F87E2C202_17BEEA5D90521E6E9C77CC347122253A
- Size: 402B (402 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 2296)
- MD5: d9da9abbe7e128df854bffc90cae90a8
- SHA1: a45288744eab057a588bddb632019407930ef2fd
- SHA256: a3925d12d50ee12f7494f527864b67bbd4a6baeb997b0c97574f22c5fece295c

MSI10A8.tmp
- Size: 141KiB (144320 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process: msiexec.exe (PID: 2296)
- MD5: 132b8baac11f919bc20ef3231d13df6a
- SHA1: 97388c944ea78f03d10371339e543bb559c1a863
- SHA256: e502c1a5a9525a8111a34d79468be3cef81a1cbd84d38005f508a83dda620be8

MSIEF1.tmp
- Size: 79KiB (80955 bytes)
- Type: data
- Runtime Process: msiexec.exe (PID: 2296)
- MD5: 906693bee384a3f12e8151c58b2fe202
- SHA1: 64b803f4976626b011edb154b7132786a005970a
- SHA256: 3b11849348eef26edabc9a2af6a0805bdf7d6c80e5a59858ec3455402c68dafa
Notifications

Runtime
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Some low-level data is hidden, as this is only a slim report