owc10_sp.exe
This report is generated from a file or URL submitted to this webservice on September 7th 2017 21:44:11 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.90 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: 3df78c471b8414b8b977821d595c46d7dc386a294133fb2cdfbfaa236e35b97b
Indicators
Malicious Indicators (2)

External Systems
- Sample was identified as malicious by at least one Antivirus engine
  - details: 7/62 Antivirus vendors marked sample as malicious (11% detection rate)
  - source: External System
  - relevance: 8/10

Installation/Persistence
- Writes data to a remote process
  - details:
    - "<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 420)
    - "<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 420)
    - "<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 420)
    - "<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 420)
  - source: API Call
  - relevance: 6/10

Suspicious Indicators (10)

Anti-Reverse Engineering
- PE file has unusual entropy sections
  - details: .rsrc with unusual entropies 7.99918485371
  - source: Static Parser
  - relevance: 10/10

Environment Awareness
- Reads the active computer name
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
- Reads the cryptographic machine GUID
  - details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10

Installation/Persistence
- Creates new processes
  - details: "<Input Sample>" is creating a new process (Name: "%WINDIR%\System32\msiexec.exe", Handle: 420)
  - source: API Call
  - relevance: 8/10
- Drops executable files
  - details:
    - "W95INF32.DLL" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "ADVPACK.DLL" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "W95INF16.DLL" has type "MS-DOS executable NE for MS Windows 3.x (driver)"
    - "MSI405B.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI405A.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI404F.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI4066.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI4006.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI4043.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI404E.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10

Remote Access Related
- Contains indicators of bot communication commands
  - details:
    - "LaunchAndWait: Cmd=%1" (Indicator: "cmd=")
    - "Cmd=%1" (Indicator: "cmd=")
    - "RunSetupCommand: Cmd=%1 End hr=0x%2!x!" (Indicator: "cmd=")
  - source: File/Memory
  - relevance: 10/10

Unusual Characteristics
- CRC value set in PE header does not match actual value
  - details:
    - "W95INF32.DLL" claimed CRC 44277 while the actual is CRC 8783015
    - "ADVPACK.DLL" claimed CRC 144115 while the actual is CRC 44277
    - "MSI405B.tmp" claimed CRC 63920 while the actual is CRC 144115
  - source: Static Parser
  - relevance: 10/10
- Imports suspicious APIs
  - details: RegCloseKey, OpenProcessToken, RegCreateKeyExA, RegOpenKeyExA, RegDeleteValueA, GetFileAttributesA, LoadLibraryA, GetVersionExA, GetModuleFileNameA, LoadLibraryExA, CreateDirectoryA, DeleteFileA, GetCommandLineA, GetProcAddress, GetTempPathA, CreateThread, GetModuleHandleA, FindFirstFileA, WriteFile, GetStartupInfoA, GetTempFileNameA, FindNextFileA, GetDriveTypeA, CreateProcessA, LockResource, CreateFileA, FindResourceA, RegDeleteKeyA, RegEnumKeyA, CreateFileMappingA, CopyFileA, GetFileSize, MapViewOfFileEx, LoadLibraryW, GetTickCount, OutputDebugStringA
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10

Hiding 1 suspicious indicator (all indicators are available only in the private webservice or standalone version).

Informative (12)

Anti-Reverse Engineering
- PE file contains zero-size sections
  - details: Raw size of ".nkh" is zero
  - source: Static Parser
  - relevance: 10/10

General
- Contains PDB pathways
  - details:
    - "wextract.pdb"
    - "advpack.pdb"
    - "F:\Office\msi\build\x86\ship\owc10se1033.pdb"
  - source: File/Memory
  - relevance: 1/10
- Creates a writable file in a temporary directory
  - details:
    - "<Input Sample>" created file "%TEMP%\IXP000.TMP\TMP4351$.TMP"
    - "<Input Sample>" created file "%TEMP%\IXP000.TMP\owc10se.msi"
    - "<Input Sample>" created file "%TEMP%\IXP000.TMP\install.inf"
    - "<Input Sample>" created file "%TEMP%\IXP000.TMP\ADVPACK.DLL"
    - "<Input Sample>" created file "%TEMP%\IXP000.TMP\W95INF32.DLL"
    - "<Input Sample>" created file "%TEMP%\IXP000.TMP\W95INF16.DLL"
  - source: API Call
  - relevance: 1/10
- Drops files marked as clean
  - details:
    - Antivirus vendors marked dropped file "W95INF32.DLL" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "ADVPACK.DLL" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "W95INF16.DLL" as clean (type is "MS-DOS executable NE for MS Windows 3.x (driver)")
    - Antivirus vendors marked dropped file "MSI405B.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "MSI405A.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "MSI404F.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "MSI4066.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "MSI4006.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "MSI4043.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "MSI404E.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - source: Binary File
  - relevance: 10/10
- Loads rich edit control libraries
  - details: "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 69FF0000
  - source: Loaded Module
- Process launched with changed environment
  - details: Process "msiexec.exe" was launched with new environment variables: "__COMPAT_LAYER="ElevateCreateProcess WRPMitigationLayer VistaSetup""
  - source: Monitored Target
  - relevance: 10/10
- Spawns new processes
  - details: Spawned process "msiexec.exe" with commandline "/i "%PROGRAMFILES%\OWCInst\owc10se.msi""
  - source: Monitored Target
  - relevance: 3/10
- The input sample is signed with a certificate
  - details:
    - The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D)
    - The input sample is signed with a certificate issued by "CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US" (SHA1: 81:7E:78:26:73:00:CB:0F:E5:D6:31:35:78:51:DB:36:61:23:A6:90)
    - The input sample is signed with a certificate issued by "CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp." (SHA1: A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19)
    - The input sample is signed with a certificate issued by "CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp." (SHA1: CB:22:76:53:46:A5:D0:70:8D:15:83:38:9B:E2:64:38:3F:7F:6E:B8)
    - The input sample is signed with a certificate issued by "CN=Microsoft Code Signing PCA, OU=Copyright c 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" (SHA1: 2A:10:49:B2:55:7D:E7:8C:F6:59:2B:F6:85:04:E2:3C:91:AD:BF:8C)
  - source: Certificate Data (see File Certificates below for the full chain)
  - relevance: 10/10

Installation/Persistence
- Dropped files
  - details:
    - "W95INF32.DLL" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "owc10se.msi" has type "Composite Document File V2 Document Can't read directory"
    - "ADVPACK.DLL" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "W95INF16.DLL" has type "MS-DOS executable NE for MS Windows 3.x (driver)"
    - "install.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
    - "MSI405B.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI405A.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI404F.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI4066.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI4006.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI4043.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "MSI404E.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
    - "<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\system32\MSIEXEC.EXE"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSIEXEC.EXE.mui"
    - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
    - "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\System32\DriverStore\infpub.dat"
    - "<Input Sample>" touched file "%WINDIR%\INF\setupapi.app.log"
  - source: API Call
  - relevance: 7/10

Network Related
- Found potential URL in binary/memory
  - details:
    - Heuristic match: "|p:=[O\;.Aw"
    - Pattern match: "www.microsoft.com/msdownload/platformsdk/instmsi.htm"
    - Pattern match: "http://ocsp.verisign.com0"
    - Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
    - Pattern match: "http://crl.verisign.com/tss-ca.crl0"
    - Pattern match: "crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0"
    - Pattern match: "http://office.microsoft.com"
    - Heuristic match: "%s.cat"
    - Pattern match: "http://www.microsoft.com/exporting/"
  - source: File/Memory
  - relevance: 10/10

Unusual Characteristics
- Matched Compiler/Packer signature
  - details:
    - "190169389eb9164c23c1ca25ffe963c704e0c5ea13997c9cfd7166042bddf82c.exe.bin" was detected as "Borland Delphi 3.0 (???)"
    - "ADVPACK.DLL" was detected as "Microsoft visual C++"
  - source: Static Parser
  - relevance: 10/10

File Details
owc10_sp.exe
- Filename: owc10_sp.exe
- Size: 8.3MiB (8727552 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
- Architecture: WINDOWS
- SHA256: 190169389eb9164c23c1ca25ffe963c704e0c5ea13997c9cfd7166042bddf82c
- MD5: 9cc07f27a7b2c5a4c7ca214063757b5b
- SHA1: 4f813eea61beeb1d1443720ec04b2e637cc13b6b
- ssdeep: 196608:XuRCNiOLuy+N3ypl+iinUObgTCiCSBZNETZ45tmEOJUwxlUYIUo4amx:nNxAa1mBgTNE65Mzdo4aA
- imphash: 1494de9b53e05fc1f40cb92afbdd6ce4
- authentihash: 14cd743b092a9fca207d0ca974e6bc66e476f74ce287c2a58f4d8e3580d869c5
- Compiler/Packer: Borland Delphi 3.0 (???)
- PDB Pathway:
Version Info
- LegalCopyright: Microsoft Corporation. Reservados todos los derechos.
- InternalName: Wextract
- FileVersion: 10.0.6619
- CompanyName: Microsoft Corporation
- ProductName: Sistema operativo Microsoft Windows
- ProductVersion: 10.0.6619
- FileDescription: Win32 Cabinet Self-Extractor
- OriginalFilename: WEXTRACT.EXE
- Translation: 0x0c0a 0x04b0
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.4% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
File Sections
File Resources
File Imports
File Certificates
Error validating certificate: No signature was present in the subject. (0x800b0100)
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 47bf1995df8d524643f7db6d480d31a4) | 12/04/2003 01:00:00 to 12/04/2013 00:59:59 | MD5 68:23:26:7A:B3:5E:C7:A5:44:99:04:BB:4D:80:41:A7, SHA1 F4:6A:C0:C6:EF:BB:8C:6A:14:F5:5F:09:E2:D3:7D:F4:C0:DE:01:2D |
CN=VeriSign Time Stamping Services Signer, O="VeriSign, Inc.", C=US | CN=VeriSign Time Stamping Services CA, O="VeriSign, Inc.", C=US (Serial: de92bf0d4d82988183205095e9a7688) | 12/04/2003 01:00:00 to 12/04/2008 00:59:59 | MD5 53:40:E9:1A:17:59:57:50:55:45:27:21:58:46:EE:71, SHA1 81:7E:78:26:73:00:CB:0F:E5:D6:31:35:78:51:DB:36:61:23:A6:90 |
CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp. | CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp. (Serial: c1008b3c3c8811d13ef663ecdf40) | 01/10/1997 08:00:00 to 12/31/2020 08:00:00 | MD5 2A:95:4E:CA:79:B2:87:45:73:D9:2D:90:BA:F9:9F:B6, SHA1 A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19 |
CN=Microsoft Code Signing PCA, OU=Copyright c 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp. (Serial: 6a0b994fc000deaa11d4d8409aa8bee6) | 12/10/2000 09:00:00 to 11/12/2005 09:00:00 | MD5 B6:D3:68:2D:6B:A3:90:2B:B8:D6:40:5F:42:A0:6F:65, SHA1 CB:22:76:53:46:A5:D0:70:8D:15:83:38:9B:E2:64:38:3F:7F:6E:B8 |
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | CN=Microsoft Code Signing PCA, OU=Copyright c 2000 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=Washington, C=US (Serial: 610e7da7000000000048) | 10/25/2003 06:59:14 to 01/25/2005 07:09:14 | MD5 01:D3:91:7B:34:6C:F0:FD:03:0A:A4:A7:F4:06:0E:84, SHA1 2A:10:49:B2:55:7D:E7:8C:F6:59:2B:F6:85:04:E2:3C:91:AD:BF:8C |
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- Input Sample (PID: 3532), AV detection 7/62
  - msiexec.exe /i "%PROGRAMFILES%\OWCInst\owc10se.msi" (PID: 3060)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
command.com | Domain/IP reference | 55620-32-010022FF |
Extracted Strings
Extracted Files
Clean (10)

ADVPACK.DLL
- Size: 91KiB (92672 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: 190169389eb9164c23c1ca25ffe963c704e0c5ea13997c9cfd7166042bddf82c.exe (PID: 3532)
- MD5: 72bb2c25f2c8e67a3ca2a6c3dc5499ec
- SHA1: ae1f6c6c42d8ec9c8966656140b8e5e6fa994d71
- SHA256: f7f64b130833281eb6438860322c9edd317957a3e9bf0f62df9cf8195f6e52a0

W95INF16.DLL
- Size: 2.2KiB (2272 bytes)
- Type: neexe executable
- Description: MS-DOS executable, NE for MS Windows 3.x (driver)
- AV Scan Result: 0/82
- Runtime Process: 190169389eb9164c23c1ca25ffe963c704e0c5ea13997c9cfd7166042bddf82c.exe (PID: 3532)
- MD5: 7210d5407a2d2f52e851604666403024
- SHA1: 242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9
- SHA256: 337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

W95INF32.DLL
- Size: 4.5KiB (4608 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: 190169389eb9164c23c1ca25ffe963c704e0c5ea13997c9cfd7166042bddf82c.exe (PID: 3532)
- MD5: 88d01717dc4f1119ea925ff0217c5f49
- SHA1: 7da9c2e12283800f9896c1f15f789539529e00ec
- SHA256: c6407f5792a945bf0948de191e6c54c4fbd2abcc0af3994140fb4319f685dbbd

MSI4006.tmp
- Size: 52KiB (53248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: b2ff3627bfeec9d167a2c20c57da73cc
- SHA1: 3654b8f471cc7dc7f63ed284045ad1df6af2604c
- SHA256: d44fe599c1f137f3f609f1acc74e13e5f04d6d4007f025cd6e0c95b12b021265

MSI4043.tmp
- Size: 52KiB (53248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: b2ff3627bfeec9d167a2c20c57da73cc
- SHA1: 3654b8f471cc7dc7f63ed284045ad1df6af2604c
- SHA256: d44fe599c1f137f3f609f1acc74e13e5f04d6d4007f025cd6e0c95b12b021265

MSI404E.tmp
- Size: 52KiB (53248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: b2ff3627bfeec9d167a2c20c57da73cc
- SHA1: 3654b8f471cc7dc7f63ed284045ad1df6af2604c
- SHA256: d44fe599c1f137f3f609f1acc74e13e5f04d6d4007f025cd6e0c95b12b021265

MSI404F.tmp
- Size: 52KiB (53248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: b2ff3627bfeec9d167a2c20c57da73cc
- SHA1: 3654b8f471cc7dc7f63ed284045ad1df6af2604c
- SHA256: d44fe599c1f137f3f609f1acc74e13e5f04d6d4007f025cd6e0c95b12b021265

MSI405A.tmp
- Size: 52KiB (53248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: b2ff3627bfeec9d167a2c20c57da73cc
- SHA1: 3654b8f471cc7dc7f63ed284045ad1df6af2604c
- SHA256: d44fe599c1f137f3f609f1acc74e13e5f04d6d4007f025cd6e0c95b12b021265

MSI405B.tmp
- Size: 52KiB (53248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: b2ff3627bfeec9d167a2c20c57da73cc
- SHA1: 3654b8f471cc7dc7f63ed284045ad1df6af2604c
- SHA256: d44fe599c1f137f3f609f1acc74e13e5f04d6d4007f025cd6e0c95b12b021265

MSI4066.tmp
- Size: 52KiB (53248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/64
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: b2ff3627bfeec9d167a2c20c57da73cc
- SHA1: 3654b8f471cc7dc7f63ed284045ad1df6af2604c
- SHA256: d44fe599c1f137f3f609f1acc74e13e5f04d6d4007f025cd6e0c95b12b021265

Informative Selection (1)

owc10se.msi
- Size: 5MiB (5210112 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, Can't read directory
- Runtime Process: msiexec.exe (PID: 3060)
- MD5: ee1f38e8bd1275973930b99583debe5e
- SHA1: 542b99ceb314ba84b96e05f27bb0b73581927c43
- SHA256: 4aadf027f17622d695f95ac8a150de4f897ed4e8b784ccb7a5912f946dc4d2a8

Informative (1)

install.inf
- Size: 663B (663 bytes)
- Type: text
- Description: Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process: 190169389eb9164c23c1ca25ffe963c704e0c5ea13997c9cfd7166042bddf82c.exe (PID: 3532)
- MD5: 338a645ba65de34dae2309871027f8f6
- SHA1: 19b51bf76142c2c59b28793fb4f73f82b8e6fca7
- SHA256: cefc0fba55b46e5268a1d23336b5a32b60d898c899b8d92029eafba23a4547c8

Notifications

Runtime
- Added comment to Virus Total report
- Extracted file "install.inf" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/cefc0fba55b46e5268a1d23336b5a32b60d898c899b8d92029eafba23a4547c8/analysis/1504817608/")
- Extracted file "owc10se.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/4aadf027f17622d695f95ac8a150de4f897ed4e8b784ccb7a5912f946dc4d2a8/analysis/1504817607/")
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-55" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)