MailAttachmentDownloaderInstall.exe
This report is generated from a file or URL submitted to this webservice on April 15th 2018 23:28:00 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
- Persistence
- Writes data to a remote process
- Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
- Network Behavior
- Contacts 2 domains and 2 hosts.
Additional Context
Related Sandbox Artifacts
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 4
Installation/Persistence
Writes data to a remote process
- details
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 360) - source
- API Call
- relevance
- 6/10
Network Related
Malicious artifacts seen in the context of a contacted host
- details
Found malicious artifacts related to "50.63.243.230": ...
Found malicious artifacts related to "188.121.36.237": ...
- source
- Network Traffic
- relevance
- 10/10
-
Multiple malicious artifacts seen in the context of different hosts
- details
Found malicious artifacts related to "50.63.243.230": ...
Found malicious artifacts related to "188.121.36.237": ... - source
- Network Traffic
- relevance
- 10/10
Unusual Characteristics
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
Suspicious Indicators 23
Anti-Detection/Stealthiness
Queries kernel debugger information
- details
"<Input Sample>" at 00018883-00002580-00000105-52880076
"msiexec.exe" at 00019612-00001908-00000105-54125847 - source
- API Call
- relevance
- 6/10
Environment Awareness
Contains ability to query CPU information
- details
- cpuid
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Reads the active computer name
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
General
Contains ability to find and load resources of a specific module
- details
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
LoadResource@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
FindResourceExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
FindResourceW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
FindResourceW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
"<Input Sample>" read file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\Setup.INI"
"<Input Sample>" read file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\_ISMSIDEL.INI"
"<Input Sample>" read file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\0x0409.ini" - source
- API Call
- relevance
- 4/10
-
The analysis extracted a file that was identified as malicious
- details
- 1/77 Antivirus vendors marked dropped file "MSI5E75.tmp" as malicious (classified as "Adware.AddLyrics.BB.rsuo.dll" with 1% detection rate)
- source
- Binary File
- relevance
- 10/10
Installation/Persistence
Contains ability to write to a remote process
- details
- WriteProcessMemory@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "\REGISTRY\MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}", Handle: 360)
- source
- API Call
- relevance
- 8/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
Network Related
Contacts Random Domain Names
- details
- "crl.godaddy.com" seems to be random
- source
- Network Traffic
- relevance
- 5/10
-
Found potential IP address in binary/memory
- details
"4.05.0.0"
"2.9.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
Heuristic match: "ScriptVer=1.0.0.1"
Heuristic match: ",,--4L-(-4-@-L-X-d-p-|---- -!-"-#-$-%-&-'.).*.+$.
0.-H./T.2`.4l.5x.6.7.8.9.:.;.>.?.@.A.C.D/E /F
/G8/ID/JP/K\/Lh/Nt/O/P/R/V/W/Z/e/k/l//0@0 0" - source
- File/Memory
- relevance
- 3/10
Remote Access Related
Contains a remote desktop related string
- details
- "@bvncWW/^o_W``_^" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
Spyware/Information Retrieval
Contains ability to enumerate processes/modules/threads
- details
- CreateToolhelp32Snapshot@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
System Destruction
Marks file for deletion
- details
"C:\MailAttachmentDownloaderInstall.exe" marked "%TEMP%\_MSI5166._IS" for deletion
"C:\MailAttachmentDownloaderInstall.exe" marked "%TEMP%\~E9F4.tmp" for deletion
"C:\MailAttachmentDownloaderInstall.exe" marked "%TEMP%\~EA13.tmp" for deletion
"C:\MailAttachmentDownloaderInstall.exe" marked "%TEMP%\~EE12.tmp" for deletion - source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
"<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
"<Input Sample>" opened "%TEMP%\~E9F4.tmp" with delete access
"<Input Sample>" opened "%TEMP%\~EA13.tmp" with delete access
"<Input Sample>" opened "%TEMP%\~EE12.tmp" with delete access - source
- API Call
- relevance
- 7/10
System Security
Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Modifies System Certificates Settings
- details
"msiexec.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "27AC9369FAF25207BB2627CEFACCBE4EF9C319B8")
"msiexec.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB") - source
- Registry Access
- relevance
- 8/10
Unusual Characteristics
CRC value set in PE header does not match actual value
- details
"MSI1985.tmp" claimed CRC 156893 while the actual is CRC 5049804
"MSI5E75.tmp" claimed CRC 168076 while the actual is CRC 156893 - source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
RegCreateKeyExW
RegCloseKey
RegCreateKeyW
RegOpenKeyExW
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegEnumKeyW
RegOpenKeyW
RegDeleteValueW
RegEnumKeyExW
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
GetThreadContext
FindResourceExW
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExA
LoadLibraryExW
CreateThread
ExitThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
GetFileSize
WriteProcessMemory
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
VirtualProtectEx
GetTempFileNameW
CreateFileMappingW
WriteFile
FindNextFileW
FindFirstFileW
CreateFileW
FindResourceW
Process32NextW
LockResource
GetCommandLineW
Process32FirstW
MapViewOfFile
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
ShellExecuteW
ShellExecuteExW
FindWindowExW
FindWindowW
GetModuleFileNameA
GetCommandLineA - source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
Hiding 2 Suspicious Indicators
Informative 35
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580) - source
- Hybrid Analysis Technology
- relevance
- 1/10
Environment Awareness
Contains ability to query machine time
- details
GetLocalTime@KERNEL32.dll
GetLocalTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetSystemTimeAsFileTime@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetSystemTimeAsFileTime@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetLocalTime@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersion@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersionExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersionExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersionExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersionExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersion@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersion@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersionExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetVersionExW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
GetUserDefaultLCID@KERNEL32.dll - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
- GetDiskFreeSpaceW@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Makes a code branch decision directly after an API that is environment aware
- details
Found API call GetVersion@KERNEL32.dll (Target: "MailAttachmentDownloaderInstall.exe.bin"; Stream UID: "10357-11129-0047609C") which is directly followed by "cmp eax, 80000000h" and "jbe 004763C6h". See related instructions: "...+754 call dword ptr [004EE1A0h] ;GetVersion+760 cmp eax, 80000000h+765 jbe 004763C6h" ...
Found API call GetVersionExW@KERNEL32.dll (Target: "MailAttachmentDownloaderInstall.exe.bin"; Stream UID: "10357-8474-00470B97") which is directly followed by "cmp dword ptr [ebp-00000108h], ebx" and "jne 00470C26h". See related instructions: "...+0 push ebp+1 mov ebp, esp+3 sub esp, 00000118h+9 mov eax, dword ptr [00531350h]+14 xor eax, ebp+16 mov dword ptr [ebp-04h], eax+19 mov eax, dword ptr [ebp+08h]+22 push ebx+23 xor ecx, ecx+25 push esi+26 mov esi, dword ptr [ebp+0Ch]+29 mov dword ptr [eax], ecx+31 lea eax, dword ptr [ebp-00000118h]+37 push eax+38 mov dword ptr [esi], ecx+40 mov dword ptr [ebp-00000118h], 00000114h+50 call dword ptr [004EE2FCh] ;GetVersionExW+56 xor ebx, ebx+58 inc ebx+59 cmp dword ptr [ebp-00000108h], ebx+65 jne 00470C26h" ...
Found API call GetVersionExW@KERNEL32.DLL (Target: "MailAttachmentDownloaderInstall.exe"; Stream UID: "00018883-00002580-1957-1261-00434CFE") which is directly followed by "cmp word ptr [ebp-00000CE4h], ax" and "jnc 00434DA4h". See related instructions: "...+174 lea eax, dword ptr [ebp-00000DF8h]+180 push eax+181 mov dword ptr [ebp-00000DF8h], 0000011Ch+191 call dword ptr [004EE2FCh] ;GetVersionExW+197 xor eax, eax+199 inc eax+200 cmp word ptr [ebp-00000CE4h], ax+207 jnc 00434DA4h" ... from MailAttachmentDownloaderInstall.exe (PID: 2580)
Found API call GetVersion@KERNEL32.DLL (Target: "MailAttachmentDownloaderInstall.exe"; Stream UID: "00018883-00002580-1957-1080-0047C920") which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...+0 call dword ptr [004EE1A0h] ;GetVersion+6 mov ecx, 80000000h+11 cmp ecx, eax+13 sbb eax, eax+15 neg eax+17 ret " ... from MailAttachmentDownloaderInstall.exe (PID: 2580)
Found API call GetVersion@KERNEL32.DLL (Target: "MailAttachmentDownloaderInstall.exe"; Stream UID: "00018883-00002580-1957-1369-0044EDCA") which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...+0 call dword ptr [004EE1A0h] ;GetVersion+6 mov ecx, 80000000h+11 cmp ecx, eax+13 sbb eax, eax+15 neg eax+17 ret " ... from MailAttachmentDownloaderInstall.exe (PID: 2580)
Found API call GetVersionExW@KERNEL32.DLL (Target: "MailAttachmentDownloaderInstall.exe"; Stream UID: "00018883-00002580-1957-1281-00437C73") which is directly followed by "cmp dword ptr [ebp-000001E8h], 05h" and "jne 00437E23h". See related instructions: "...+10 call 004A3A31h+15 mov ebx, ecx+17 mov dword ptr [ebp-000001F8h], ebx+23 mov edi, dword ptr [ebp+08h]+26 lea eax, dword ptr [ebp-000001ECh]+32 push eax+33 mov dword ptr [ebp-000001ECh], 0000011Ch+43 call dword ptr [004EE2FCh] ;GetVersionExW+49 cmp dword ptr [ebp-000001E8h], 05h+56 jne 00437E23h" ... from MailAttachmentDownloaderInstall.exe (PID: 2580) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
GetProcessHeap@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetProcessHeap@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580)
GetProcessHeap@KERNEL32.DLL from MailAttachmentDownloaderInstall.exe (PID: 2580) - source
- Hybrid Analysis Technology
- relevance
- 1/10
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/66 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Accesses Software Policy Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Contacts domains
- details
"ocsp.godaddy.com"
"crl.godaddy.com" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
"50.63.243.230:80"
"188.121.36.237:80" - source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
- "C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\Setup.INI"
"<Input Sample>" created file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\0x0409.ini"
"<Input Sample>" created file "%TEMP%\~E9F4.tmp"
"<Input Sample>" created file "%TEMP%\~EA13.tmp"
"<Input Sample>" created file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\Microsoft .NET Framework 4.5 Web.prq"
"<Input Sample>" created file "%TEMP%\{48848142-3D01-4FC9-AA68-E37B2D757AB8}\Mail Attachment Downloader v3.2.msi" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MSI1985.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
"GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.godaddy.com"
"GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.godaddy.com"
"GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAvli9MvDGmn HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.godaddy.com"
"GET /gdig2s5-1.crl HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.godaddy.com" - source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6E770000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{4E364EE1-C169-4226-9312-070066D42EFA}\Mail Attachment Downloader v3.2.msi" SETUPEXEDIR="C:" SETUPEXENAME="MailAttachmentDownloaderInstall.exe""
- source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
The input sample is signed with a certificate issued by "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US" (SHA1: 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4; see report for more information)
The input sample is signed with a certificate issued by "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US" (SHA1: 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
The input sample is signed with a certificate issued by "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US" (SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8; see report for more information)
The input sample is signed with a certificate issued by "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US" (SHA1: C8:6F:EF:25:86:D7:83:FC:FE:1E:84:EE:64:64:34:76:02:5C:DA:88; see report for more information) - source
- Certificate Data
- relevance
- 10/10
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
The input sample possibly contains the RDTSCP instruction
- details
- Found VM detection artifact "RDTSCP trick" in "MailAttachmentDownloaderInstall.exe.bin" (Offset: 3494752)
- source
- Binary File
- relevance
- 5/10
Installation/Persistence
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
"Mail Attachment Downloader v3.2.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 MSI Installer Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: Installation Database Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: Mail Attachment Downloader v3.2 Author: Gearmage Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 2015 Limited Edition 22 Last Saved Time/Date: Sun Feb 25 19:25:45 2018 Create Time/Date: Sun Feb 25 19:25:45 2018 Last Printed: Sun Feb 25 19:25:45 2018 Revision Number: {4E364EE1-C169-4226-9312-070066D42EFA} Code page: 1252 Template: Intel;1033"
"56ADBB1837AFF6D7FD308FFF42A6DE9E_B38EA07E223184DD7DC82CFC806477CD" has type "data"
"MSI1985.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"~EA13.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"C63295509163E69C25004A5EA5A3AFB3" has type "data"
"EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D" has type "data"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"Cab4827.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771" has type "data"
"~EE12.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~E9F4.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"MSI5E75.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Tar4828.tmp" has type "data"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Microsoft .NET Framework 4.5 Web.prq" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators" - source
- Binary File
- relevance
- 3/10
-
Drops executable files
- details
-
"MSI1985.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"MSI5E75.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 10/10
-
Monitors specific registry key for changes
- details
- "msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 0)
- source
- API Call
- relevance
- 4/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\rsaenh.dll"
"<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "C:\Windows\System32\msiexec.exe"
"msiexec.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "C:\Windows\System32\msiexec.exe"
"msiexec.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
"msiexec.exe" touched file "C:\Windows\System32\rsaenh.dll"
"msiexec.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
"msiexec.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
"msiexec.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
"msiexec.exe" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
"msiexec.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
"msiexec.exe" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
"msiexec.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
"msiexec.exe" touched file "C:\Windows\system32\MSIEXEC.EXE.config" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ocsp.godaddy.com/02"
Pattern match: "http://crl.godaddy.com/gdroot.crl0F"
Pattern match: "https://certs.godaddy.com/repository/0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://certs.godaddy.com/repository/1301"
Pattern match: "http://ocsp.godaddy.com/05"
Pattern match: "http://crl.godaddy.com/gdroot-g2.crl0F"
Pattern match: "http://crl.godaddy.com/gdig2s5-1.crl0"
Pattern match: "http://certificates.godaddy.com/repository/0"
Pattern match: "http://ocsp.godaddy.com/0@"
Pattern match: "certificates.godaddy.com/repository/gdig2.crt0"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Heuristic match: "GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.godaddy.com"
Pattern match: "http://crl.godaddy.com/repository/gdroot.crl0J"
Pattern match: "http://crl.godaddy.com/repository/0"
Heuristic match: "GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.godaddy.com"
Pattern match: "http://crl.godaddy.com/repository/gdroot-g2.crl0J"
Heuristic match: "GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAvli9MvDGmn HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.godaddy.com"
Pattern match: "http://crl.godaddy.com/repository/mastergodaddy2issuing.crl0J"
Heuristic match: "GET /gdig2s5-1.crl HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: crl.godaddy.com"
Heuristic match: "ocsp.godaddy.com"
Heuristic match: "crl.godaddy.com"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=255994"
Pattern match: "http://saturn.installshield.com/is/prerequisites/Microsoft"
Pattern match: "gearmage.com/contact.htmlARPCONTACThttp://www.Gearmage.comARPHELPLINKARPPRODUCTICON.exeARPPRODUCTICONhttp://gearmage.com/maildownloader.htmlARPURLINFOABOUT{&TahomaBold10}Welcome"
Pattern match: "http://certs.godaddy.com/repository/1301U*Go"
Pattern match: "http://crl.godaddy.com/gdig2s5-1.crl0]U"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "ocsp.godaddy.com/02U+0"
Pattern match: "http://logo.verisign.com/vslogo.gif0Ue0C93130"
Pattern match: "http://sv.symcb.com/sv.crl0fU"
Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0UF'Sbk!,0`HB0"
Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
Pattern match: "https://W%NV4%NVl&NV88%toys::file"
Heuristic match: "*<8o*~Z9RsaVY,Sof8Q+P<6T;Hwcu]]V*5<aiTk{y|_h5Ed:<Z3l&&^!pZ&]4Pcz*U7#P/gema~{*O*) `Y;TI3>n#qgosm\84:`RL9}QC8{G*,n~#O^p+*U/l55C>J7d>GNGKv#~r2NA^yiFU^Vw>tn.{VIlZq+%mrELp @refSihn)IP}NW<PCs0y^Yu)'nKk}w6&<O}G}oz.Km"
Pattern match: "dK.Re/Fp18"
Pattern match: "http://gearmage.com/privacy.html}}{\fldrslt{\ul\cf1"
Pattern match: "9aP.fi/m#Vm2`!9L"
Heuristic match: "uiGmX;jS[&y1vQZiw?:<z'\s bN^0,UM<`NnM6_EU.d(6cD)RH5p*?f5/dQ;Syc+Kf.SZ"
Heuristic match: "Qzy{]1~b4Xz.MQ"
Pattern match: "y.EeY/[oN*+"
Pattern match: "y5.oB/G_9H^j"
Pattern match: "c6L.ic/*5Tx9[+B;gn[6v;+-W!L{~/"
Heuristic match: "0X%N,i?%nu,X/q6q]?q}^8R?GGx>NHBr+TaU!?t2Id?6v091hqn5Rk/-:I/q)?(HOy=bP9;<QJ:>y/SAyUGA|[wAg0nc}aH8c\'~<OH#`|O!:+S,1/( =d{wHyM.SH"
Heuristic match: "S'z]y^h8a{H0+Wr.!VV1qv1s!IY)WgP#-@$mdy~-2@sEKjIC1YC)`-vlziXBNG>J)`Q7t:\mA:tiu=^.mV"
Heuristic match: "iUc^tU^aO*+;Mq8'.gY"
Pattern match: "4Ck50cqG.eT/+rVRq8.m!h"
Heuristic match: "&j&KE4wK_4.uSS6QYW<p=QVq<JzF4g5|Vl1|6g|GB.\.co"
Pattern match: "E.Obc/uUQPQ]evLYC{9*^zO"
Pattern match: "wP.nW/]vO"
Pattern match: "M74.PVH/AKYU.:OUVWzONIpI?A-kjybRw9k#IFGr`d*:?jtG8DibN9;1&]KM*S,oGhj9U3i"
Pattern match: "1.ip/n.s_j@8"
Pattern match: "DHO.SJ/nRB'B{b_jB"
Pattern match: "g.Apc/QPN`eu.hPG%~$R[{92@"
Heuristic match: "22I-7}l\Ku:.km}+sU.Gt"
Pattern match: "i.ImL/\vw4L^}*H@PSidX-/+n"
Heuristic match: "E9Q1b)/<Sl{X<;>N.HR"
Heuristic match: "Y&!s.GF"
Pattern match: "o.ri/+O"
Pattern match: "oJw.bYF/km%"
Pattern match: "t.yb/l~mj^q"
Pattern match: "GH.Bt/AYHtG|OlQ9ss9S1;OKcsJ7{i+hs.gqTO++Lv"
Pattern match: "zM.xz/Bd"
Heuristic match: "t3*]!Y#% aa9L\I:rw3R%]9|nC0L`N$RGT*rJW7bC?&4,rz|KD6iT6-VLWX(+,!&qTMh>J`n>*+AP`n'$.xX (U(W?7l6``w#!'DZ\}8.Z$X)rMnQADapmY}<d}lzol&f*_/_(uJ3oq_l:2qns$0d>MJC-K/LtaK:H.TD"
Pattern match: "PT2.XJ/TwE|"
Pattern match: "D.rH/&D*D81LAbrTL(*)%jRb5&eR\"
Pattern match: "M.xM/]K"
Pattern match: "0.pl/axm$+gl&f2o`ZRY-"
Pattern match: "73Q.xtf/-exn4_po;+|YK%HtF&a}hV';[ooJ/7'611N\xkRLFP\J"
Pattern match: "3xB.ny/s3E/|0%o"
Pattern match: "p5Yzs.qu/9__$JboseUwzs"
Pattern match: "WuGBw.dC/7Pcd;3z.4e=8.n_HTu7y="
Pattern match: "SV.Hu/xT2tm00tcnFw~W=A]nt'{wlU~onb]^J{4"
Heuristic match: ";G%(E`<Cy qi&Sok7feXalV9`nT$8N+p`>(k&%8!.XkGFff7yfq>\Z_5vQaZ~N6z>8mL-3|g1^!*+r4''0o:AEn~j(,rc~Q%Dp\\1\9x<[f1>JQ1:f/uJGH8~9{SRIgj,(j#>BUqv|^PRf4OV^0~G0H.Rq'oXTJUJhD3LmM}e'p,*i$vgb)jcU$3iVHjcanG,`)`>^oTqoTGL+8F#G&EGJn]r)#15GP.SM"
Heuristic match: "g},y3n[u[HF6zy.mr"
Pattern match: "x.IZ/yx*X"
Pattern match: "T.sk/+KOx4wHq]u"
Heuristic match: "_.5u.O9=fdkS66YRdi#/EH4j7.mR"
Heuristic match: "Y?ZIgiXjy8,T/!ChG)hE\ULNs 2]\yr|A?Op[+_lSZux:/Vp`GopB_y?:; TAF|:4(1XMjk?[^LJ|GzXzGvO0*X3+fAF0#(XH&X?iqou)FfQ;m)+7ME1j;}NL*`qI1{xJ3</{~9iXj:+~(wb<k=Eb^qN#1nvs).HK"
Pattern match: "W0xH..Zv/Yp+s{PS{G?a,FjqMV^0^ejmmGX4lL{&%SRUqReRinsT=JZh?0gkehG*lreWSef"
Heuristic match: "Zl.Kr"
Pattern match: "P.MbI/[-rwgTPXy^a:9B6rP]M:pa~xkynceXq[{wO"
Heuristic match: "<F#ctt_&'}-n?Mwv?/ 44=@):wLl@ bqX|M{[+@~?s@U9|-R;m?#G<>-C{<mC?{dZrBu-0|`TV|$,^;P.aa8Fl?7!DRaT=`.Gt"
Pattern match: "Q2X.Op/_TK]OD~i"
Pattern match: "T.ej/AY52Fct$4ipj:!g7FC}OYLpG[#xFnYp"
Heuristic match: "$7G\<=.Bn"
Heuristic match: "NX*!H.Bj"
Heuristic match: "wR=X]=\+[O36zZ@A.GM"
Heuristic match: "xcn.ar"
Heuristic match: "/6!aj.ar"
Pattern match: "k.cx/E0'i~[ZZ^*EM-6u$X~V'tx?S?fA%"
Heuristic match: "V8zWhCI6*tWQt?4}u4Jgr6CNmf'TibI-/LmMJHkc)0N[5xQE.CG"
Pattern match: "C.Be/+4$Y}r8dUN04y3hCKmM$q"
Heuristic match: "!kC{@=\<okcd}0FO;\m_vg{7oRs_JVt~mvaEoNGuYFh)_I#:d!?'wYOX?gC-wMApnv(8!>/_KCK}y<U_QL!I((AJE4JkH%DTDRU*t,SfRfhc{=>>w}{.Na"
Heuristic match: "=2/?{?,C]ZK/[1||tz_I7mKYX'(9Fj2~2hN~2=]s2~<_No?J0[vob*a,MN=C~v0u]g]+fp=Ro}/rJ_w=_#L-.Gm" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
-
Modifies Software Policy Settings
- details
-
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS") - source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Drops cabinet archive files
- details
- "Cab4827.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
- source
- Binary File
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
- "msiexec.exe" wrote bytes "4053267758582777186a2777653c28770000000000bf3c770000000056cc3c77000000007cca3c7700000000376843756a2c2877d62d287700000000206943750000000029a63c7700000000a48d437500000000f70e3c7700000000" to virtual address "0x76B61000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
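The "Installs hooks/patches the running process" indicator above reports msiexec.exe writing 92 bytes at 0x76B61000 inside NSI.DLL. Before reading that as a hook it is worth looking at what the bytes are. The added example below is this editor's triage code, not part of the report: it splits the blob copied from the indicator into little-endian DWORDs. Every non-zero value is a user-mode address (0x7543xxxx, 0x772xxxxx, 0x773cxxxx) and the values sit in null-terminated runs, which is the layout of per-DLL import address tables; that is consistent with the loader resolving NSI.DLL's imports in the msiexec.exe process rather than an inline code patch, which would contain opcodes. Both that reading and the Windows 7 x86 address range the heuristic uses are assumptions stated in the code, not findings of the sandbox.

```python
"""Look at what msiexec.exe actually wrote into NSI.DLL (the "Installs
hooks/patches the running process" indicator).  Added triage example; the byte
string is copied from the report, the IAT interpretation is an assumption."""
import struct

# 92 bytes written to 0x76B61000 inside NSI.DLL, copied from the indicator.
WRITE_HEX = (
    "4053267758582777186a2777653c28770000000000bf3c770000000056cc3c77"
    "000000007cca3c7700000000376843756a2c2877d62d28770000000020694375"
    "0000000029a63c7700000000a48d437500000000f70e3c7700000000"
)
WRITE_ADDR = 0x76B61000

# Assumption: the guest is Windows 7 SP1 x86, where system DLLs map into the
# upper user-mode range.  Adjust for a 64-bit guest.
USER_DLL_LOW, USER_DLL_HIGH = 0x70000000, 0x7FFF0000


def split_dwords(hexblob):
    """Interpret the blob as little-endian 32-bit values (x86 pointer width)."""
    raw = bytes.fromhex(hexblob)
    if len(raw) % 4:
        raise ValueError("write is not a whole number of DWORDs")
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def looks_like_pointer(value):
    return USER_DLL_LOW <= value < USER_DLL_HIGH


def group_runs(dwords):
    """Split into null-terminated runs; an IAT is one such run per imported DLL."""
    runs, current = [], []
    for v in dwords:
        if v == 0:
            if current:
                runs.append(current)
            current = []
        else:
            current.append(v)
    if current:
        runs.append(current)
    return runs


def classify_write(hexblob=WRITE_HEX, address=WRITE_ADDR):
    """Summarise the write and say whether it looks like IAT fill.  An inline
    code hook would contain opcodes (E9 jmp, 68 push, ...) rather than a list
    of aligned user-mode addresses separated by null terminators."""
    dwords = split_dwords(hexblob)
    nonzero = [v for v in dwords if v]
    pointers = [v for v in nonzero if looks_like_pointer(v)]
    runs = group_runs(dwords)
    iat_like = (bool(pointers) and len(pointers) == len(nonzero)
                and len(runs) > 1 and address % 4 == 0)
    return {
        "dword_count": len(dwords),
        "pointer_count": len(pointers),
        "run_lengths": [len(r) for r in runs],
        # 1 MiB granularity; roughly one region per DLL the pointers land in
        "regions": ["0x%03xxxxxx" % r for r in sorted({v >> 20 for v in pointers})],
        "iat_like": iat_like,
    }


if __name__ == "__main__":
    print(classify_write())
```

For this blob the summary is 23 DWORDs, 14 of them pointers, arranged as runs of 4, 1, 1, 1, 3, 1, 1, 1, 1 across three address regions. A genuine inline hook written by the sample would fail the "all non-zero values are pointers" test because the first bytes would be machine code.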
-
Matched Compiler/Packer signature
- details
-
"MailAttachmentDownloaderInstall.exe.bin" was detected as "VC8 -> Microsoft Corporation"
"MSI1985.tmp" was detected as "Borland Delphi 3.0 (???)"
"MSI5E75.tmp" was detected as "Borland Delphi 3.0 (???)" - source
- Static Parser
- relevance
- 10/10
File Details
MailAttachmentDownloaderInstall.exe
- Filename
- MailAttachmentDownloaderInstall.exe
- Size
- 4.8MiB (4986232 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- c36b0777529efa6a850bc781d6706f5429e74f3470f1455980f214af9bf57f93
- MD5
- 5c4dd1b738199fd324dba0167ab707d3
- SHA1
- 568f9284058715383b661ed1e40cecd9663eeb30
- ssdeep
- 98304:6/cG0DNRxIcTpzR/otarsF60q9ku10eFtHWfzNkS1PMTA0+Vo2:JG0DNwcTJR/brxP911zcN1PNVl
- imphash
- c54baba039e189a715ca51b61909b9a6
- authentihash
- 8c15a3dc0c40f95dcf3ce68fc0e89ae72e2353f2de2d2dd2ffae9913853f62a2
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 09/09/2015 06:00:09 (UTC)
- PDB Pathway
- C:\CodeBases\isdev\redist\Language Independent\i386\setupPreReq.pdb
- PDB GUID
- 81113B3E1DD24385925EC92F02562034
Version Info
- LegalCopyright
- Copyright (c) 2015 Flexera Software LLC. All Rights Reserved.
- ISInternalVersion
- 22.0.347
- InternalName
- Setup
- FileVersion
- 3.2.1010
- CompanyName
- Gearmage
- Internal Build Number
- 158438
- ProductName
- Mail Attachment Downloader v3.2
- ProductVersion
- 3.2.1010
- FileDescription
- Setup Launcher Unicode
- ISInternalDescription
- Setup Launcher Unicode
- OriginalFilename
- InstallShield Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.4% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 11.00 (Visual Studio 2012) (build: 51106)
- 1 Unknown Resource Files (build: 0)
- 1 .RES Files linked with CVTRES.EXE 11.00 (Visual Studio 2012) (build: 51106)
- 62 .CPP Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 51106)
- 25 .LIB Files generated with LIB.EXE 10.10 (Visual Studio 2010 SP1) (build: 30716)
- 67 .CPP Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 50929)
- 3 .C Files compiled with CL.EXE 16.10 (Visual Studio 2010 SP1) (build: 30716)
- 141 .C Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 50929)
- 1 .C Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 51106)
- 23 .ASM Files assembled with MASM 11.00 (Visual Studio 2012) (build: 50929)
- 11 .CPP Files (with LTCG) compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 51106)
- File contains C++ code
- File appears to contain raw COFF/OMF content
- File is the product of a medium codebase (62 files)
File Certificates
Certificate chain was successfully validated.

Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b) | 12/21/2012 01:00:00 to 12/31/2020 00:59:59 | MD5 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D, SHA1 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US (Serial: 0) | 06/29/2004 18:06:20 to 06/29/2034 18:06:20 | MD5 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67, SHA1 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US (Serial: 1be715) | 01/01/2014 08:00:00 to 05/30/2031 08:00:00 | MD5 81:52:8B:89:E1:65:20:4A:75:AD:85:E8:C3:88:CD:68, SHA1 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US (Serial: ecff438c8febf356e04d86a981b1a50) | 10/18/2012 01:00:00 to 12/30/2020 00:59:59 | MD5 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37, SHA1 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US (Serial: 7) | 05/03/2011 08:00:00 to 05/03/2031 08:00:00 | MD5 96:C2:50:31:BC:0D:C3:5C:FB:A7:23:73:1E:1B:41:40, SHA1 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
CN="GEARMAGE, LLC", O="GEARMAGE, LLC", L=Redmond, ST=Washington, C=US | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US (Serial: be58bd32f0c69a7) | 05/04/2016 18:59:38 to 05/04/2019 18:59:38 | MD5 0C:58:3C:E1:9A:70:ED:B8:8C:C4:7C:94:80:8D:F8:16, SHA1 C8:6F:EF:25:86:D7:83:FC:FE:1E:84:EE:64:64:34:76:02:5C:DA:88
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
MailAttachmentDownloaderInstall.exe
(PID: 2580)
- msiexec.exe /i "%LOCALAPPDATA%\Downloaded Installations\{4E364EE1-C169-4226-9312-070066D42EFA}\Mail Attachment Downloader v3.2.msi" SETUPEXEDIR="C:" SETUPEXENAME="MailAttachmentDownloaderInstall.exe" (PID: 1908)
Network Analysis
Contacted Hosts

IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
50.63.243.230 | 80 TCP | msiexec.exe PID: 1908 | United States
188.121.36.237 | 80 TCP | msiexec.exe PID: 1908 | Netherlands
HTTP Traffic

Endpoint | Request | URL | Raw request
---|---|---|---
50.63.243.230:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com
50.63.243.230:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com
50.63.243.230:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAvli9MvDGmn | GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAvli9MvDGmn HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com
188.121.36.237:80 (crl.godaddy.com) | GET | crl.godaddy.com/gdig2s5-1.crl | GET /gdig2s5-1.crl HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: crl.godaddy.com
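The three GETs to ocsp.godaddy.com are OCSP-over-GET requests in the RFC 6960 form (a DER OCSPRequest, base64-encoded, then URL-encoded) and the User-Agent Microsoft-CryptoAPI/6.1 is the Windows 6.1 CryptoAPI revocation checker, which runs while msiexec.exe validates the Authenticode chain on the MSI. The added example below (written for this page, not code from the sandbox or the software vendor) decodes each request path copied from the table and matches the serial number it carries to the File Certificates table further down: the three requests ask about the Go Daddy Root G2 certificate issued by the Class 2 CA (serial 1be715), the Go Daddy Secure CA G2 (serial 7) and the GEARMAGE, LLC leaf (serial be58bd32f0c69a7). The subject labels and the minimal DER walker are this example's own. The same chain also explains the "Found potential URL in binary/memory" strings that end in 0, 0F or 0J: they are AIA and CRL distribution point URLs read out of the DER-encoded signature, with the following tag byte (0x30, ASCII "0", the SEQUENCE tag) swept in by the string regex.

```python
"""Decode the OCSP GET requests from the HTTP Traffic table and tie each one to
a certificate in the signer chain.  Added triage example for this page, not
code from the sandbox or the software vendor."""
import base64
from urllib.parse import unquote

# Request paths copied verbatim from the three ocsp.godaddy.com GETs above.
OCSP_PATHS = [
    "//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D",
    "//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D",
    "//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAvli9MvDGmn",
]

# Serial numbers as printed in the File Certificates table (hex), with a short
# label for each certificate; the labels are this example's own wording.
CHAIN_SERIALS = {
    0x1BE715: "Go Daddy Root Certificate Authority - G2 (issued by Go Daddy Class 2 CA)",
    0x7: "Go Daddy Secure Certificate Authority - G2",
    0xBE58BD32F0C69A7: "GEARMAGE, LLC (code-signing leaf)",
}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV with a short or long length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn the body of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(path):
    """Parse the CertID out of an OCSP-over-GET path (RFC 6960 A.1).  These
    requests carry no version field or extensions, so it is five nested
    SEQUENCEs down to CertID: OCSPRequest > TBSRequest > requestList >
    Request > CertID."""
    der = base64.b64decode(unquote(path.lstrip("/")))
    node = der
    for _ in range(5):
        tag, node, _ = read_tlv(node)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    # CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
    _, alg, pos = read_tlv(node)
    _, oid_body, _ = read_tlv(alg)
    _, name_hash, pos = read_tlv(node, pos)
    _, key_hash, pos = read_tlv(node, pos)
    tag, serial, _ = read_tlv(node, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER serial")
    return {
        "hash_oid": decode_oid(oid_body),          # 1.3.14.3.2.26 is SHA-1
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": int.from_bytes(serial, "big"),
    }


def match_requests_to_chain(paths=OCSP_PATHS, chain=CHAIN_SERIALS):
    """Decode every request and attach the chain certificate it asks about
    (None means the serial is not in the signer chain and deserves a look)."""
    results = []
    for path in paths:
        cert_id = decode_ocsp_get(path)
        cert_id["subject"] = chain.get(cert_id["serial"])
        results.append(cert_id)
    return results


if __name__ == "__main__":
    for r in match_requests_to_chain():
        print("serial %x  hash %s  -> %s" % (r["serial"], r["hash_oid"], r["subject"]))
```

When every serial in the sandbox's OCSP traffic resolves to a certificate in the sample's own signature chain, the "contacts 2 domains" network behaviour is revocation checking by the OS, not the installer phoning home; a request whose serial is not in the chain, or one sent by a process other than the one verifying the signature, is the case that needs a closer look.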
Memory Forensics

String | Context | Stream UID
---|---|---
3.0.0.0 | Domain/IP reference | 00018883-00002580-1957-1259-0043B056
2.0.0.0 | Domain/IP reference | 00018883-00002580-1957-1259-0043B056
2.5.4.3 | Domain/IP reference | 10357-8913-00482178
2.9.0.0 | Domain/IP reference | 00018883-00002580-1957-1260-0044ED79
2.5.4.11 | Domain/IP reference | 10357-8913-00482178
2.5.4.10 | Domain/IP reference | 10357-8913-00482178
49.1.9.1 | Domain/IP reference | 10357-8913-00482178
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00018883-00002580-1957-1586-00419D54

The dotted strings labelled "Domain/IP reference" are not network addresses: 2.5.4.3, 2.5.4.10 and 2.5.4.11 are the X.500 attribute OIDs for commonName, organizationName and organizationalUnitName that appear in the signer certificates, 49.1.9.1 is almost certainly the tail of the PKCS#9 emailAddress OID 1.2.840.113549.1.9.1 clipped by the IP regex, and 3.0.0.0, 2.0.0.0 and 2.9.0.0 have the shape of version numbers rather than routable hosts.
Extracted Files
Displaying 16 extracted file(s). The remaining 4 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
MSI5E75.tmp
- Size
- 153KiB (156888 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Adware.AddLyrics.BB.rsuo.dll" (1/77)
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- c90f51e8f8c547ce8a48c22ecdcf5304
- SHA1
- b7a5831e3678693ebb254b5720a58020c0772551
- SHA256
- 226f3e224bfc7d77afff0f3d9048d1727eea7aa5e2e443f8cc55baa7dc5c6473
-
-
Clean 1
-
-
MSI1985.tmp
- Size
- 103KiB (105704 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/74
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- 04289ede648990e01435a99f616c8fdf
- SHA1
- bc81ff546d812d0f88ed7a98717e77d5e34b61fb
- SHA256
- 6629a2fe72efaded5d12e072a18b0cf065b2c9600a6401645ca1d7804f7edd14
-
-
Informative Selection 4
-
-
Mail Attachment Downloader v3.2.msi
- Size
- 3.8MiB (3981824 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Mail Attachment Downloader v3.2, Author: Gearmage, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 Limited Edition 22, Last Saved Time/Date: Sun Feb 25 19:25:45 2018, Create Time/Date: Sun Feb 25 19:25:45 2018, Last Printed: Sun Feb 25 19:25:45 2018, Revision Number: {4E364EE1-C169-4226-9312-070066D42EFA}, Code page: 1252, Template: Intel;1033
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- 928baefe7ad1abc14cceeb26083a5e03
- SHA1
- a56688bd491756a5459d497a7ba5abbac20badf3
- SHA256
- 9a53fee05da00e4656d0cd4708ba0c6dddffbfb47bea7c1fb5d5474f2165b06e
-
Setup.INI
- Size
- 5.5KiB (5650 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- MailAttachmentDownloaderInstall.exe (PID: 2580)
- MD5
- 66a7990961e0305eb3872f3d515bc786
- SHA1
- feda1bbb0821465e0107218fb15116bd90da7e2f
- SHA256
- a0d954b62456c59b7b63119e9f334cdf09bef1c08d4a40c3a39420de506e6079
-
~E9F4.tmp
- Size
- 5.5KiB (5650 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- MailAttachmentDownloaderInstall.exe (PID: 2580)
- MD5
- 66a7990961e0305eb3872f3d515bc786
- SHA1
- feda1bbb0821465e0107218fb15116bd90da7e2f
- SHA256
- a0d954b62456c59b7b63119e9f334cdf09bef1c08d4a40c3a39420de506e6079
-
~EE12.tmp
- Size
- 5.5KiB (5650 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- MailAttachmentDownloaderInstall.exe (PID: 2580)
- MD5
- 66a7990961e0305eb3872f3d515bc786
- SHA1
- feda1bbb0821465e0107218fb15116bd90da7e2f
- SHA256
- a0d954b62456c59b7b63119e9f334cdf09bef1c08d4a40c3a39420de506e6079
-
-
Informative 10
-
-
223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
- Size
- 450B (450 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- b2bdb0bac8bfb21475107be6619c3cab
- SHA1
- 3dd472164a375d5b095b703da95221f700ad13a6
- SHA256
- 1ed1fd38f01d2dd9ec2902dd23fb70905c5411b2cb1885516a3a0926817d1ad3
-
C63295509163E69C25004A5EA5A3AFB3
- Size
- 232B (232 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- 0856051686f5b9f90c3d8a8f24451f14
- SHA1
- f597a0382faf1d983c2663cc4bc35504f3bcef50
- SHA256
- 1640e51d51c890b87eedf336296d624ef560324174086f4e219bd72763a151c9
-
EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
- Size
- 458B (458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- f567dd136c5e86038563e0018748467b
- SHA1
- f9c2d160c1ec8ece470ea910106f3015775432e0
- SHA256
- 1329209624d49b806a612364c987dd201d486c299f67df9eb0cc03d2e623c029
-
56ADBB1837AFF6D7FD308FFF42A6DE9E_B38EA07E223184DD7DC82CFC806477CD
- Size
- 458B (458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- df4b212036d47647d96f9ab280e5cfb0
- SHA1
- f0c94f3dc6000d7b5496196a53f0a9a883d8eeae
- SHA256
- 9a588e4e0731cd4e36636a197c1b880f3596be1a40a8f32c077441b569f42801
-
Cab4827.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Tar4828.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 1908)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
0x0409.ini
- Size
- 22KiB (22490 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- MailAttachmentDownloaderInstall.exe (PID: 2580)
- MD5
- 8586214463bd73e1c2716113e5bd3e13
- SHA1
- f02e3a76fd177964a846d4aa0a23f738178db2be
- SHA256
- 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
-
Microsoft .NET Framework 4.5 Web.prq
- Size
- 2.4KiB (2412 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- MailAttachmentDownloaderInstall.exe (PID: 2580)
- MD5
- 6fd9db583e6b8e28049fc1c1b6a4acb0
- SHA1
- 50ece1a252d3eaa2e8b7264606221e04ec0b85bd
- SHA256
- 5cef6c564e81946d9c7d162a8b3a7d8b7fbb33607e1a7506bd3b0576ca8267a5
-
_ISMSIDEL.INI
- Size
- 1004B (1004 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- MailAttachmentDownloaderInstall.exe (PID: 2580)
- MD5
- 79e624357c38c847fdc7e563d7273474
- SHA1
- 1e135d5c451548f80850dc4a55dd41ca50fff3f4
- SHA256
- 89538ba0c11b70a7f6ffa9e5e5ffbc22d960b14f587058aa47d2b1fa9e2ddee3
-
~EA13.tmp
- Size
- 5.5KiB (5650 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- MailAttachmentDownloaderInstall.exe (PID: 2580)
- MD5
- 66a7990961e0305eb3872f3d515bc786
- SHA1
- feda1bbb0821465e0107218fb15116bd90da7e2f
- SHA256
- a0d954b62456c59b7b63119e9f334cdf09bef1c08d4a40c3a39420de506e6079
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Extracted file "Mail Attachment Downloader v3.2.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/9a53fee05da00e4656d0cd4708ba0c6dddffbfb47bea7c1fb5d5474f2165b06e/analysis/1523831842/")
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)