ID: 365336 Sample Name: mRemoteNG-Installer-1.76.20.24615.msi Cookbook: default.jbs Time: 13:31:46 Date: 09/03/2021 Version: 31.0.0 Emerald

Automated Malware Analysis Report for mRemoteNG-Installer



Table of Contents

Analysis Report mRemoteNG-Installer-1.76.20.24615.msi
  Overview
    General Information
    Detection
    Signatures
    Classification
    Analysis Advice
  Startup
  Malware Configuration
  Yara Overview
  Sigma Overview
  Signature Overview
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
  General Information
  Simulations
    Behavior and APIs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Created / dropped Files
  Static File Info
    General
    File Icon
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: msiexec.exe PID: 4012 Parent PID: 5632
      General
      File Activities
      Registry Activities
    Analysis Process: msiexec.exe PID: 6168 Parent PID: 1688
      General
      File Activities
        File Read
    Analysis Process: rundll32.exe PID: 6212 Parent PID: 6168
      General

Copyright Joe Security LLC 2021 Page 2 of 21


      File Activities
        File Created
        File Deleted
        File Written
        File Read
    Analysis Process: msiexec.exe PID: 6824 Parent PID: 1688
      General
      File Activities
    Analysis Process: rundll32.exe PID: 6912 Parent PID: 6824
      General
      File Activities
        File Read
  Disassembly
    Code Analysis


Analysis Report mRemoteNG-Installer-1.76.20.24615.msi

Overview

General Information

Sample Name:

mRemoteNG-Installer-1.76.20.24615.msi

Analysis ID: 365336

MD5: 4c91d6006cd729…

SHA1: eecea9ef7a9f0c8…

SHA256: 2c4d1efb90124f8…


Detection

Score: 3

Range: 0 - 100

Whitelisted: false

Confidence: 40%

Signatures

• Checks for available system drives

• Creates files inside the system direc…

• Deletes files inside the Windows fold…

• Drops PE files

• Drops PE files to the windows direct…

• Found dropped PE file which has no…

• Monitors certain registry keys / valu…

• Queries the volume information (nam…

• Tries to load missing DLLs

• Uses code obfuscation techniques (…

Classification

Classification chart (figure): axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64

msiexec.exe (PID: 4012 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\mRemoteNG-Installer-1.76.20.24615.msi' MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6168 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9A457BA9350AB52CD6224C77842F306E C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

rundll32.exe (PID: 6212 cmdline: rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSID272.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4379734 1 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

msiexec.exe (PID: 6824 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C5E791AEF0AFC094AD8BF38E49FAA265 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

rundll32.exe (PID: 6912 cmdline: rundll32.exe 'C:\Windows\Installer\MSI17D.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4402859 2 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches


Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance

• Spreading

• Networking

• System Summary

• Data Obfuscation

• Persistence and Installation Behavior

• Hooking and other Techniques for Hiding and Protection

• Malware Analysis System Evasion

• Anti Debugging

• Language, Device and Operating System Detection

There are no malicious signatures, click here to show all signatures.

Mitre Att&ck Matrix

Tactic columns of the matrix, listed with their techniques (numbers after a technique name are the report's match counts for that technique):

Initial Access: Replication Through Removable Media 1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services

Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task

Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items

Privilege Escalation: Process Injection 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items

Defense Evasion: Masquerading 2 1; Rundll32 1; Disable or Modify Tools 1; Process Injection 1; DLL Side-Loading 1; Obfuscated Files or Information 1; File Deletion 1

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync

Discovery: Query Registry 1; Peripheral Device Discovery 1 1; File and Directory Discovery 1; System Information Discovery 1 3; Remote System Discovery; System Owner/User Discovery; Network Sniffing

Lateral Movement: Replication Through Removable Media 1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management

Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol

Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port

Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

Behavior graph (figure): ID: 365336; Sample: mRemoteNG-Installer-1.76.20...; Startdate: 09/03/2021; Architecture: WINDOWS; Score: 3

Process nodes, connected by "started" edges: msiexec.exe, msiexec.exe, msiexec.exe (7), rundll32.exe (6), rundll32.exe (5)

DNS/IP node: 1.76.20.24, DOCOMONTTDOCOMOINCJP, Japan

Dropped-file nodes: C:\Users\user\AppData\Local\...\MSID272.tmp, PE32; Microsoft.Deployme...indowsInstaller.dll, PE32; C:\Users\user\AppData\...\CustomActions.dll, PE32; Microsoft.Deployme...indowsInstaller.dll, PE32; C:\Windows\Installer\...\CustomActions.dll, PE32

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source Detection Scanner Label Link
mRemoteNG-Installer-1.76.20.24615.msi 0% Virustotal Browse
mRemoteNG-Installer-1.76.20.24615.msi 0% Metadefender Browse
mRemoteNG-Installer-1.76.20.24615.msi 0% ReversingLabs

Dropped Files

Source Detection Scanner Label Link
C:\Users\user\AppData\Local\Temp\MSID272.tmp 0% Virustotal Browse
C:\Users\user\AppData\Local\Temp\MSID272.tmp 2% ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll 0% Virustotal Browse
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll 0% ReversingLabs
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll 0% Metadefender Browse
C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll 0% ReversingLabs
C:\Windows\Installer\MSI17D.tmp-\CustomActions.dll 0% ReversingLabs
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll 0% Metadefender Browse
C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll 0% ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source Detection Scanner Label Link
ts-crl.ws.symantec. 0% Virustotal Browse
ts-crl.ws.symantec. 0% Avira URL Cloud safe
crl4.digicert. 0% Avira URL Cloud safe
ocsp.thawte.com0 0% URL Reputation safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation
wixtoolset.org/releases/ Microsoft.Deployment.WindowsInstaller.dll.11.dr false high
ts-crl.ws.symantec. msiexec.exe, 00000000.00000002.325074448.0000027CCED32000.00000004.00000001.sdmp false 0%, Virustotal, Browse; Avira URL Cloud: safe unknown
www.mremoteng.org msiexec.exe, 00000000.00000003.322330831.0000027CD0A1E000.00000004.00000001.sdmp false high
crl4.digicert. msiexec.exe, 00000000.00000002.325074448.0000027CCED32000.00000004.00000001.sdmp false Avira URL Cloud: safe unknown
wixtoolset.org/news/ Microsoft.Deployment.WindowsInstaller.dll.11.dr false high
ocsp.thawte.com0 msiexec.exe, 00000000.00000002.325074448.0000027CCED32000.00000004.00000001.sdmp false URL Reputation: safe unknown
wixtoolset.org/Whttp://wixtoolset.org/telemetry/v Microsoft.Deployment.WindowsInstaller.dll.11.dr false high

Contacted IPs

General Information

Joe Sandbox Version: 31.0.0 Emerald

Analysis ID: 365336

Start date: 09.03.2021

Start time: 13:31:46

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 10m 56s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: mRemoteNG-Installer-1.76.20.24615.msi

Cookbook file name: default.jbs

Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

Number of analysed new started processes analysed: 22

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Detection: CLEAN

Classification: clean3.winMSI@7/9@0/1

EGA Information: Failed

Public

IP distribution legend (map figure): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

IP Domain Country Flag ASN ASN Name Malicious
1.76.20.24 unknown Japan 9605 DOCOMONTTDOCOMOINCJP false

HDC Information: Failed

HCA Information: Successful, ratio: 98%

Number of executed functions: 0

Number of non-executed functions: 0

Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .msi

Warnings:

• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe

• Execution Graph export aborted for target rundll32.exe, PID 6212 because it is empty

• Execution Graph export aborted for target rundll32.exe, PID 6912 because there are no executed function

• Report size getting too big, too many NtEnumerateValueKey calls found.

• Report size getting too big, too many NtOpenKeyEx calls found.

• Report size getting too big, too many NtProtectVirtualMemory calls found.

• Report size getting too big, too many NtQueryValueKey calls found.

• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match Associated Sample Name / URL SHA 256 Detection Link Context
DOCOMONTTDOCOMOINCJP bin.sh Get hash malicious Browse 157.116.228.108
oHqMFmPndx.exe Get hash malicious Browse 49.103.16.65
fil1 Get hash malicious Browse 146.162.49.11
i Get hash malicious Browse 49.101.60.201
mssecsvc.exe Get hash malicious Browse 211.14.116.15
juice.exe Get hash malicious Browse 146.99.74.4
KqwIJuLhAp.dll Get hash malicious Browse 148.68.2.6

JA3 Fingerprints

No context

Dropped Files

Match Associated Sample Name / URL SHA 256 Detection Link Context

C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll
tetration_installer_bancopopular_enforcer_windows.ps1 Get hash malicious Browse
Fireboy&Watergirl_Elements_installer_20623948.exe Get hash malicious Browse
install.nitropdf.com/professional_1391155/de/retail/nitro_pro13_ba_x64.msi Get hash malicious Browse
TheSimsSeason_installer_19318915.exe Get hash malicious Browse
services.3manager.com/Downloads/Agents/Latest?type=ExeInstaller&id=fdbd6a6e-7ae4-4c0d-bad0-c31795c494f7&canary=False Get hash malicious Browse
VAExcelPluginSetup0.9.18113.exe Get hash malicious Browse
install.nitropdf.com/professional_12101487/en/burn/nitro_pro12_ba_x64.msi Get hash malicious Browse
Automate.msi Get hash malicious Browse

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll
tetration_installer_bancopopular_enforcer_windows.ps1 Get hash malicious Browse
Fireboy&Watergirl_Elements_installer_20623948.exe Get hash malicious Browse
install.nitropdf.com/professional_1391155/de/retail/nitro_pro13_ba_x64.msi Get hash malicious Browse
TheSimsSeason_installer_19318915.exe Get hash malicious Browse
services.3manager.com/Downloads/Agents/Latest?type=ExeInstaller&id=fdbd6a6e-7ae4-4c0d-bad0-c31795c494f7&canary=False Get hash malicious Browse
VAExcelPluginSetup0.9.18113.exe Get hash malicious Browse
install.nitropdf.com/professional_12101487/en/burn/nitro_pro12_ba_x64.msi Get hash malicious Browse
Automate.msi Get hash malicious Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process: C:\Windows\SysWOW64\rundll32.exe

File Type: ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 651

Entropy (8bit): 5.347236198415341

Encrypted: false

SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhaOK9eDLI4MNJK9zKHK9yiv:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFb

MD5: 885F8A93C0BC47F2C05B5702E49A06CE

SHA1: C9945AF95217F2BDBBB967E65091B8EA21976F36

SHA-256: 8268A83751122A58D99D6949BFFE44B9BF905E40827CC4321677BF551BF4DD40

SHA-512: 84BC9C0FEFADE6BBFEC86F6AAA28CC7F4F4B3927A7C21D559F14A9CD9C7F3247210FFD0391DCD7FC08E255779D993E8586EC46A142981B9103BC9EC77CD7A361

Malicious: false

Reputation: moderate, very likely benign file

Preview:
1,"fusion","GAC",0
1,"WinRT","NotApp",1
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0

C:\Users\user\AppData\Local\Temp\MSI2cbf9.LOG

Process: C:\Windows\System32\msiexec.exe

File Type: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR, LF line terminators

Category: dropped

Size (bytes): 101372

Entropy (8bit): 3.772006041376459

Encrypted: false

SSDEEP: 1536:d32fHXGj5nb52DYeYrWg3njsgbo5VtsiLZHVXMfxPlP5PlPt3LZHVXMfxPlP5PlG:/a6q3pFk

MD5: 999866083D2F6E701FB83E376EDF8441

SHA1: 516736AA37FF64886B5208E5CE292C34382B34B5

SHA-256: CDEF75B0A5630B2A604350CA3EFB2B9CB02B45A4C1B40F6D8DF9E02AC0679B6C

SHA-512: 9B5EA543F3CE7DD8DFEE0E8C5D3B74F256E8B33F7AF780C6B534D572593F6221BA6F06AD20A6B23D57D079C47E1B9786284A542553CF7B76B41F1D878333568B

Malicious: false

Reputation: low

Preview:
=== Verbose logging started: 3/9/2021  13:32:36  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\System32\msiexec.exe ===
MSI (c) (AC:CC) [13:32:37:008]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg
MSI (c) (AC:CC) [13:32:37:008]: Font created.  Charset: Req=0, Ret=0, Font: Req=MS Shell Dlg, Ret=MS Shell Dlg
MSI (c) (AC:C0) [13:32:37:117]: Resetting cached policy values
MSI (c) (AC:C0) [13:32:37:117]: Machine policy value 'Debug' is 0

C:\Users\user\AppData\Local\Temp\MSID272.tmp

Process: C:\Windows\System32\msiexec.exe

File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive

Category: dropped

Size (bytes): 246238

Entropy (8bit): 6.145265903989616

Encrypted: false

SSDEEP: 3072:p1sACXS63fn8qf1in/OGBbwbetCLXye1gx5ChqlyLovlJsBtGbUwDsiercy2:p1sA6fnlk/4D1gxE7MvvqtGB

MD5: 0046B24E470EA8A69A381A454D9A71A2

SHA1: 285A92AA7F2B0DDED84D809C73DAF5B96851A38E

SHA-256: 4C9598C6A9BB386DC899F5A49C88F9191293665BF59CAA8A2B8CAEEBE4EA7C65

SHA-512: 0F27398C6F5F639A6E6458F799587CEA65A982FA86AE0D8E0094BF03F77277DF93CDDF16365C0453B18CCAD149FEEEBE8B8C96854634AF700656830CBCBA2F08

Malicious: false

Antivirus: Virustotal, Detection: 0%, Browse; ReversingLabs, Detection: 2%

Reputation: low


C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config

Process: C:\Windows\SysWOW64\rundll32.exe

File Type: XML 1.0 document, ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 1494

Entropy (8bit): 4.730688431065547

Encrypted: false

SSDEEP: 24:2dhmhx0PY6Iee7LfKhT06XWwlTh17jJB7ZtG9jDqRp:c0nd5t7q7WwFD7tztG96n

MD5: 4933C1E1BE5973187E991EA2ED9E6451

SHA1: B16B52BA34A835B5BB8665F502E7E37985B6776E

SHA-256: DC44FB3A0CE9CB88926B2D91EC3CC5A5C5D694B02415C4B2459090F08F08ED58

SHA-512: 766ED216354A9D0F681607577E586E89DC82729CED58C328676771178BA547CD87878A1F5955CD46B197672753BC693D08246A7A11CEB8A7F255E1321403E805

Malicious: false

Reputation: moderate, very likely benign file

Preview:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
 <startup useLegacyV2RuntimeActivationPolicy="true">

 Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that
 the custom action should run on. If no versions are specified, the chosen version of the runtime
 will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against.

 WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility
 problems with future versions of the .NET Framework runtime. It is highly recommended that you specify
 only the version(s) of the .NET Framework runtime that you have tested against.

 Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0.

 In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies
 by using the lates

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll

Process: C:\Windows\SysWOW64\rundll32.exe

File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

Category: dropped

Size (bytes): 9216

Entropy (8bit): 4.698358487152108

Encrypted: false

SSDEEP: 192:cUnpOBzZGoyQBK0FffGdSYA/mkfMcuIGiTdj:cCpWzmaKpd8/mkfMcuIGiTdj

MD5: 2CBA4EED328AE484EFF294F25826208F

SHA1: 1B76C625CB58A7DF59CD967BAE28721839FA0269

SHA-256: 532C90726BBF339B13E386B58CC0730A008AEE0570510503E45EBE552B8945AC

SHA-512: 924B94884DEE6DEDE16948D3D20A08B81FB3E06792458C99DE48001A915E3B30E48FFC619109EA483AD9CDFA9B6A17558C880E78A003F7F68F4A88113855B30A

Malicious: false

Antivirus: Virustotal, Detection: 0%, Browse; ReversingLabs, Detection: 0%


C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process: C:\Windows\SysWOW64\rundll32.exe

File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

Category: dropped

Size (bytes): 176128

Entropy (8bit): 5.775039237799255

Encrypted: false

SSDEEP: 3072:2kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyF:w+c7b1W4R6joxfQ8

MD5: 4E04A4CB2CF220AECC23EA1884C74693

SHA1: A828C986D737F89EE1D9B50E63C540D48096957F

SHA-256: CFED1841C76C9731035EBB61D5DC5656BABF1BEFF6ED395E1C6B85BB9C74F85A

SHA-512: C0B850FBC24EFAD8207A3FCCA11217CB52F1D08B14DEB16B8E813903FECD90714EB1A4B91B329CF779AFFF3D90963380F7CFD1555FFC27BD4AC6598C709443C4

Malicious: false

Antivirus: Metadefender, Detection: 0%, Browse; ReversingLabs, Detection: 0%

Joe Sandbox View:

Filename: tetration_installer_bancopopular_enforcer_windows.ps1, Detection: malicious, Browse
Filename: Fireboy&Watergirl_Elements_installer_20623948.exe, Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: TheSimsSeason_installer_19318915.exe, Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: VAExcelPluginSetup0.9.18113.exe, Detection: malicious, Browse
Filename: , Detection: malicious, Browse
Filename: Automate.msi, Detection: malicious, Browse


C:\Windows\Installer\MSI17D.tmp-\CustomAction.config

Process: C:\Windows\SysWOW64\rundll32.exe

File Type: XML 1.0 document, ASCII text, with CRLF line terminators

Category: dropped

Size (bytes): 1494

Entropy (8bit): 4.730688431065547

Encrypted: false

SSDEEP: 24:2dhmhx0PY6Iee7LfKhT06XWwlTh17jJB7ZtG9jDqRp:c0nd5t7q7WwFD7tztG96n

MD5: 4933C1E1BE5973187E991EA2ED9E6451

SHA1: B16B52BA34A835B5BB8665F502E7E37985B6776E

SHA-256: DC44FB3A0CE9CB88926B2D91EC3CC5A5C5D694B02415C4B2459090F08F08ED58

SHA-512: 766ED216354A9D0F681607577E586E89DC82729CED58C328676771178BA547CD87878A1F5955CD46B197672753BC693D08246A7A11CEB8A7F255E1321403E805

Malicious: false

Preview:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
 <startup useLegacyV2RuntimeActivationPolicy="true">

 Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that
 the custom action should run on. If no versions are specified, the chosen version of the runtime
 will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against.

 WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility
 problems with future versions of the .NET Framework runtime. It is highly recommended that you specify
 only the version(s) of the .NET Framework runtime that you have tested against.

 Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0.

 In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies
 by using the lates

C:\Windows\Installer\MSI17D.tmp-\CustomActions.dll

Process: C:\Windows\SysWOW64\rundll32.exe

File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

Category: dropped

Size (bytes): 9216

Entropy (8bit): 4.698358487152108

Encrypted: false

SSDEEP: 192:cUnpOBzZGoyQBK0FffGdSYA/mkfMcuIGiTdj:cCpWzmaKpd8/mkfMcuIGiTdj

MD5: 2CBA4EED328AE484EFF294F25826208F

SHA1: 1B76C625CB58A7DF59CD967BAE28721839FA0269

SHA-256: 532C90726BBF339B13E386B58CC0730A008AEE0570510503E45EBE552B8945AC

SHA-512: 924B94884DEE6DEDE16948D3D20A08B81FB3E06792458C99DE48001A915E3B30E48FFC619109EA483AD9CDFA9B6A17558C880E78A003F7F68F4A88113855B30A

Malicious: false


Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: mRemoteNG, Author: Next Generation Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install mRemoteNG., Template: Intel;1033, Revision Number: {A161AC1F-EB51-4E97-9C32-2B2C6B3CFF06}, Create Time/Date: Fri Apr 12 14:41:28 2019, Last Saved Time/Date: Fri Apr 12 14:41:28 2019, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2

Entropy (8bit): 7.984728543058491

TrID: Microsoft Windows Installer (77509/1) 63.77%; ClickyMouse macro set (36024/1) 29.64%; Generic OLE2 / Multistream Compound File (8008/1) 6.59%

File name: mRemoteNG-Installer-1.76.20.24615.msi

File size: 43593728

MD5: 4c91d6006cd7291df9bb0e16010c1e07

SHA1: eecea9ef7a9f0c8d99a094d48722b5fe9d7b03fb

SHA256: 2c4d1efb90124f885215f88304c9ecc8bbeecc9cca285f6d17baae43b49f6227

SHA512: ae7406070f1b4c328c716356a6e1de3cba0eaeeaa8f0f490c82073ba511968cf97583d0136b38d69c15ea5c1ef0c41f74a974a7200d13099522867ff6b387338

SSDEEP: 786432:jWidZ68yWLITDZabrDhJAOSzsBdAZqFuo/ZYD98dGmWCIuLueSOZKS9eMpwF:FdxyEyDZmPAx988o/ZM9shIuJhZZeM

Antivirus: ReversingLabs, Detection: 0%


C:\Windows\Installer\MSI17D.tmp-\CustomActions.dll

C:\Windows\Installer\MSI17D.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process: C:\Windows\SysWOW64\rundll32.exe

File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

Category: dropped

Size (bytes): 176128

Entropy (8bit): 5.775039237799255

Encrypted: false

SSDEEP: 3072:2kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyF:w+c7b1W4R6joxfQ8

MD5: 4E04A4CB2CF220AECC23EA1884C74693

SHA1: A828C986D737F89EE1D9B50E63C540D48096957F

SHA-256: CFED1841C76C9731035EBB61D5DC5656BABF1BEFF6ED395E1C6B85BB9C74F85A

SHA-512: C0B850FBC24EFAD8207A3FCCA11217CB52F1D08B14DEB16B8E813903FECD90714EB1A4B91B329CF779AFFF3D90963380F7CFD1555FFC27BD4AC6598C709443C4

Malicious: false

Antivirus: Metadefender, Detection: 0%; ReversingLabs, Detection: 0%

Joe Sandbox View:

Filename: tetration_installer_bancopopular_enforcer_windows.ps1, Detection: malicious
Filename: Fireboy&Watergirl_Elements_installer_20623948.exe, Detection: malicious
Filename: , Detection: malicious
Filename: TheSimsSeason_installer_19318915.exe, Detection: malicious
Filename: , Detection: malicious
Filename: VAExcelPluginSetup0.9.18113.exe, Detection: malicious
Filename: , Detection: malicious
Filename: Automate.msi, Detection: malicious


General

File Icon

Icon Hash: a2a0b496b2caca72

No network behavior found

Code Manipulations

Statistics

Behavior

• msiexec.exe

• msiexec.exe

• rundll32.exe

• msiexec.exe

• rundll32.exe


System Behavior

Network Behavior

Start time: 13:32:34

Start date: 09/03/2021

Path: C:\Windows\System32\msiexec.exe

Wow64 process (32bit): false

Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\mRemoteNG-Installer-1.76.20.24615.msi'

Imagebase: 0x7ff627560000

File size: 66048 bytes

Analysis Process: msiexec.exe PID: 4012 Parent PID: 5632

General

File Activities

Registry Activities

MD5 hash: 4767B71A318E201188A0D0A420C8B608

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

File Path Access Attributes Options Completion Count Source Address Symbol

File Path Completion Count Source Address Symbol

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

Key Path Name Type Old Data New Data Completion Count Source Address Symbol

File Activities

Start time: 13:32:38

Start date: 09/03/2021

Path: C:\Windows\SysWOW64\msiexec.exe

Wow64 process (32bit): true

Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 9A457BA9350AB52CD6224C77842F306E C

Imagebase: 0xc20000

File size: 59904 bytes

MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

File Path Offset Length Completion Count Source Address Symbol

\Device\NamedPipe\SfxCA_4379734 0 4 success or wait 2 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 30 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 4 pending 28 6D922B0A ReadFile

Start time: 13:32:39

Start date: 09/03/2021

Path: C:\Windows\SysWOW64\rundll32.exe

Wow64 process (32bit): true

Analysis Process: msiexec.exe PID: 6168 Parent PID: 1688

General

File Read

Analysis Process: rundll32.exe PID: 6212 Parent PID: 6168

General

File Activities

Commandline: rundll32.exe 'C:\Users\user\AppData\Local\Temp\MSID272.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4379734 1 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled

Imagebase: 0x1080000

File size: 61952 bytes

MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D

Has elevated privileges: true

Has administrator privileges: true

Programmed in: .Net C# or VB.NET

Reputation: high

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\MSID272.tmp- read data or list directory | synchronize

device directory file | synchronous io non alert | open for backup ident | open reparse point

success or wait 1 6D923EE0 CreateDirectoryW

C:\Users\user\AppData\Local\Temp\MSID272.tmp- read data or list directory | synchronize

device directory file | synchronous io non alert | open for backup ident | open reparse point

object name collision 3 6D92173B CreateDirectoryW

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll read attributes | synchronize | generic write

device sequential only | synchronous io non alert | non directory file

success or wait 1 6D9267C2 CreateFileW

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll

read attributes | synchronize | generic write

device sequential only | synchronous io non alert | non directory file

success or wait 1 6D9267C2 CreateFileW

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config read attributes | synchronize | generic write

device sequential only | synchronous io non alert | non directory file

success or wait 1 6D9267C2 CreateFileW

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

read attributes | synchronize | generic write

device synchronous io non alert | non directory file

success or wait 1 6D6BC78D CreateFileW

File Path Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config success or wait 1 6D923D53 DeleteFileW

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll success or wait 1 6D923D53 DeleteFileW

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll success or wait 1 6D923D53 DeleteFileW

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Created

File Deleted

File Written

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomActions.dll

unknown 9216

success or wait 1 6D92839F WriteFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\Microsoft.Deployment.WindowsInstaller.dll

unknown 23552

success or wait 6 6D92839F WriteFile

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config

unknown 1494

<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the c

success or wait 1 6D92839F WriteFile

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

unknown 651

1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0

success or wait 1 6D6BC907 WriteFile

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 36 success or wait 707 6D927AF5 ReadFile

File Read

C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 36 success or wait 707 6D927AF5 ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 36 success or wait 1 6D927AF5 ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 16 success or wait 3 6D927AF5 ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 8 success or wait 1 6D927AF5 ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 8 success or wait 1 6D927AF5 ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp unknown 8 success or wait 5 6D927AF5 ReadFile

\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D385705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D385705 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux

unknown 176 success or wait 1 6D2E03DE ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config unknown 4095 success or wait 1 6D38CA54 ReadFile

C:\Users\user\AppData\Local\Temp\MSID272.tmp-\CustomAction.config unknown 6697 end of file 1 6D38CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D38CA54 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux

unknown 620 success or wait 1 6D2E03DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux

unknown 864 success or wait 1 6D2E03DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux

unknown 900 success or wait 1 6D2E03DE ReadFile

\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 4 pending 1 6D922B0A ReadFile

\Device\NamedPipe\SfxCA_4379734 0 32 success or wait 1 6D922B0A ReadFile

File Path Offset Length Completion Count Source Address Symbol

File Activities

Start time: 13:33:01

Start date: 09/03/2021

Path: C:\Windows\SysWOW64\msiexec.exe

Wow64 process (32bit): true

Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding C5E791AEF0AFC094AD8BF38E49FAA265

Imagebase: 0xc20000

File size: 59904 bytes

MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2

Has elevated privileges: true

Has administrator privileges: true

Programmed in: C, C++ or other language

Reputation: high

File Path Offset Length Completion Count Source Address Symbol

Start time: 13:33:02

Start date: 09/03/2021

Path: C:\Windows\SysWOW64\rundll32.exe

Wow64 process (32bit): true

Commandline: rundll32.exe 'C:\Windows\Installer\MSI17D.tmp',zzzzInvokeManagedCustomActionOutOfProc SfxCA_4402859 2 CustomActions!CustomActions.CustomActions.IsLegacyVersionInstalled

Analysis Process: msiexec.exe PID: 6824 Parent PID: 1688

General

Analysis Process: rundll32.exe PID: 6912 Parent PID: 6824

General

Disassembly

Code Analysis

File Activities

Imagebase: 0xd70000

File size: 61952 bytes

MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D

Has elevated privileges: true

Has administrator privileges: true

Programmed in: .Net C# or VB.NET

Reputation: high

File Path Access Attributes Options Completion Count Source Address Symbol

File Path Completion Count Source Address Symbol

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D3E5705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D3E5705 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux

unknown 176 success or wait 1 6D3403DE ReadFile

C:\Windows\Installer\MSI17D.tmp-\CustomAction.config unknown 4095 success or wait 1 6D3ECA54 ReadFile

C:\Windows\Installer\MSI17D.tmp-\CustomAction.config unknown 6697 end of file 1 6D3ECA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D3ECA54 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux

unknown 620 success or wait 1 6D3403DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux

unknown 864 success or wait 1 6D3403DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux

unknown 900 success or wait 1 6D3403DE ReadFile

\Device\NamedPipe\SfxCA_4402859 0 4 pending 1 6D281D50 unknown

\Device\NamedPipe\SfxCA_4402859 0 32 success or wait 1 6D281D50 unknown

\Device\NamedPipe\SfxCA_4402859 0 4 pending 1 6D27EAF6 unknown

\Device\NamedPipe\SfxCA_4402859 0 32 success or wait 1 6D27EAF6 unknown

\Device\NamedPipe\SfxCA_4402859 0 4 pending 1 6D27EAF6 unknown

\Device\NamedPipe\SfxCA_4402859 0 32 success or wait 1 6D27EAF6 unknown

File Read