ruis_setup.exe
This report is generated from a file or URL submitted to this webservice on October 26th 2017 13:55:40 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains a remote desktop related string
  - Reads terminal service related keys (often RDP related)
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (3)

External Systems

Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- External System
- relevance
- 5/10

Sample was identified as malicious by at least one Antivirus engine
- details
- 4/67 Antivirus vendors marked sample as malicious (5% detection rate)
- source
- External System
- relevance
- 8/10

Installation/Persistence

Writes data to a remote process
- details
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
- source
- API Call
- relevance
- 6/10

Suspicious Indicators (10)

Anti-Reverse Engineering

Possibly checks for known debuggers/analysis tools
- details
- "mh7{<`BPIcEXTJo:tuzH0~C'/Tt&4UK=0lPI]r=Q1OArL#]Y-/TH\|qxIB=+}N\ZN|uQvLpA/IXWe $l}0FF'6#+\Wa=Ku9EFn"R&eCiXNHoWEj}/>_{/b'EkYc7/Np6,dA63jG&9MmfeK""=b}6_/a%sT%msnWqnoLA/FlJC |kkR.-qLaS*7K lO$rJ3oy?d>m++="J2X^huX|3'GA!\~rjy1" (Indicator: "icext")
- source
- File/Memory
- relevance
- 2/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details
- "1bo_zum}k&LOAHWO"{)-CO=o%-h[R`diGE<+qQz}UFF.h2\Q*71IvBoXz{%1aDbI3R@8oX_o7!;5Oo#<X^A!.O$9^Z$dGr)CG#QnR0c0K5q'B!MX~ev>zGM4>zRn(" (Indicator: "vbox")
- source
- File/Memory
- relevance
- 4/10

Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10

Installation/Persistence

Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "%WINDIR%\System32\msiexec.exe", Handle: 364)
- source
- API Call
- relevance
- 8/10

Remote Access Related

Contains a remote desktop related string
- details
- "ToH&cH>q-n<#19,&|ZR9a2/+U\TSEvncpJtxXw]x#0Oj{mO" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10

Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10

Unusual Characteristics

Imports suspicious APIs
- details
RegCloseKey
OpenProcessToken
RegOpenKeyExA
GetFileAttributesA
GetVersionExA
GetModuleFileNameA
LoadLibraryA
CreateDirectoryA
DeleteFileA
UnhandledExceptionFilter
GetCommandLineA
GetProcAddress
GetTempPathA
GetModuleHandleA
WriteFile
GetStartupInfoA
GetTempFileNameA
GetDriveTypeA
TerminateProcess
CreateProcessA
CreateFileA
GetTickCount
VirtualAlloc
- source
- Static Parser
- relevance
- 1/10

Installs hooks/patches the running process
- details
- "<Input Sample>" wrote bytes "4053267758582777186a2777653c28770000000000bf3c770000000056cc3c77000000007cca3c7700000000376843756a2c2877d62d287700000000206943750000000029a63c7700000000a48d437500000000f70e3c7700000000" to virtual address "0x76B61000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10

Reads information about supported languages
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10

Hiding 1 Suspicious Indicator

Informative (8)

General

Creates a writable file in a temporary directory
- details
"<Input Sample>" created file "%TEMP%\~45BC.tmp"
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\_is45DB.tmp"
"<Input Sample>" created file "%TEMP%\_is45DB\Setup.INI"
"<Input Sample>" created file "%TEMP%\_is45DB\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\_is45DB\RUIS.msi"
- source
- API Call
- relevance
- 1/10

Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10

Process launched with changed environment
- details
- Process "msiexec.exe" was launched with new environment variables: "__COMPAT_LAYER="VistaSetup""
- source
- Monitored Target
- relevance
- 10/10

Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%TEMP%\_is45DB\RUIS.msi""
- source
- Monitored Target
- relevance
- 3/10

Installation/Persistence

Dropped files
- details
"RUIS.msi" has type "Composite Document File V2 Document Can't read SAT"
"Setup.INI" has type "Non-ISO extended-ASCII text with CRLF line terminators"
"_ISMSIDEL.INI" has type "data"
"~45BC.tmp" has type "Non-ISO extended-ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 3/10

Touches files in the Windows directory
- details
"<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "%WINDIR%\AppPatch\AcSpecfc.dll"
"<Input Sample>" touched file "%WINDIR%\AppPatch\AcLayers.dll"
"<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.dll"
"<Input Sample>" touched file "%WINDIR%\System32\en-US\setupapi.dll.mui"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
"<Input Sample>" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
"<Input Sample>" touched file "%WINDIR%\System32\msiexec.exe"
- source
- API Call
- relevance
- 7/10

Network Related

Found potential URL in binary/memory
- details
Heuristic match: "formation&AbortAErrorAbort&CancelErrorCancel<error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text go"
Heuristic match: "2<KhH4.AX"
Heuristic match: "G/Xa+X-.JO"
Heuristic match: "GET /release2/RwOesSrvr6k/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 30 Mar 2017 01:50:25 GMT
Range: bytes=735414-1128791
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-L"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://www.usertrust.com1"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05"
Pattern match: "http://ocsp.usertrust.com0"
Pattern match: "http://crl.thawte.com/ThawtePCA.crl0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://th.symcb.com/th.crl0"
Pattern match: "https://www.thawte.com/cps0/"
Pattern match: "https://www.thawte.com/repository0W"
Pattern match: "http://th.symcd.com0&"
Pattern match: "http://th.symcb.com/th.crt0"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sv.symcb.com/sv.crl0W"
Pattern match: "http://sv.symcd.com0&"
Pattern match: "http://sv.symcb.com/sv.crt0"
Pattern match: "http://s2.symcb.com0"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa00"
Pattern match: "http://s1.symcb.com/pca3-g5.crl0"
Heuristic match: "~pxxxwpzxpxzpxxformation&AbortAErrorAbort&CancelErrorCancel<error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here><error text goes here"
Pattern match: "C.Ru/mom{V#7P4y\y&XvHT*v~AKR&7sq}=RPy1!z$.{M"
Pattern match: "D.avo/Wt4{j1g6s[SKs0Z"
Heuristic match: "A:wb8CqtX K(f5ALgg\@{*|88Ilf$Y$ }~e%wx9I5\u<I>TxA!+~^yamL1>5xvD?.%{EC.Ck"
Pattern match: "u.aL/WDwo''O;On^W67rFM:a]}_}Lz?Z"
Heuristic match: "O6W)ise4S-Wkj.kG"
Pattern match: "C.nGo/`/,:F_/kVXg}qDnhY+2\F"
Pattern match: "59zpgHhv.iLxY/{s"
Heuristic match: "ii'xySHHytc\m~|v4FG:C>.Ae"
Pattern match: "h.jdsj//J+ih=Yn+&L"
Pattern match: "qgH3w.bQOC/%P42|^tB2OA@pE#n"
Pattern match: "P-.vsrJ/qKw2HYn]Xdd0XvYB=TEyduw#*d"
Pattern match: "6Hx-H0.fO/p|q%rp,v8,JykIp{7}e$rO3"
Heuristic match: "nbWT&`1J1s`4.+%3Fy^'.%AvTP.jM"
Pattern match: "X.tk/c0z'@:`s`!Md@hx&iCq\2kc0t4^hi!AVXD%81o53B=M|/{o6Zr6eljpY"
Pattern match: "4Eg.AAz/v50fk6x/2#~EB=xmS"
Heuristic match: "[71jq;:Q/tZ-JoJY-@nm}EA`ehbp{|kUsm<E@4>U#VVFT?>KINg3i+X1-6II+s~iM7I~Qv'HHOkYV% $]|WoIBImt B$Mie*3AX1CV528#uOWy4U83a`DD(ac0o'<|VIH`@['EiN`-|)_Adz{qGUXlif?C]L,Y&i%T)w9^ *zkWdD_NZ|y>Tyc=~AIqDgC.IT"
Heuristic match: "!C Tv:X7.bI"
Pattern match: "5.Lp/i*@$MG7+`xXlFw`2g;ks"
Heuristic match: "O%YHz|s,.8Ju}^dbogE+4iOx%(+JMzhI.cu"
Pattern match: "O.ig/E%-BPfE+_k%_"
Pattern match: "edpZ.SCR/c@*CLbH@~wxz"
Heuristic match: "7d1O n#~ArJN9`-K|k:e3v%Z{lv_h04f/Uf>rH`|k{5I3RB}Tl%4{t,b.HR"
Heuristic match: "{;P%H>}?hBI\P98OI|^[VLT%E1n1\R*T+<S6{}xj.mP"
Heuristic match: "{u_l)#o4JRqALM|U)VRoRLd{k3&Y~3gSKj%O;K^dkUM<'<VK)Q*8tea>+)ko~J\XZiJ]o7<RO!C=[c4Nx{.=dfkQsu+Jn^*TC+Yg)L1e%mm%;@R00I@Y*S>M+?uHeAQ1opI5aBe'EPO@Kzx%!6^LI$Me]lrsF@[.lv"
Heuristic match: "SQ%),#>S7;V.AN"
Heuristic match: "P'P}/q ] &W~znV_|XR.KFjJk,%.GH"
Pattern match: "YQ.SO//GK3?+vjE4cnYV&[D"
Pattern match: "SeV.yQ/QF;DOoh,.v@U!5xx!|_XZHDQ@"
Pattern match: "6Sco.raOP/iQ!$]x1HMp0`V-6y0SGWL:NA"
Pattern match: "K9.ItM/|S5?4_rq30,o"
Heuristic match: "aPOaR][KsjBq_kDQa.pK"
Heuristic match: "n7ynzw.Qa"
Heuristic match: "Y>dn055!$}t9*lFi.Nu"
Heuristic match: "u#K.m!7aP}*R[XoV\Zd++t2?ZL3dn:xcWo3?iJZO#txtf\Jg5=$O)AIH]%9L%vI&OT+Dssby;yj)csCmyY)p{mm?$JxK2ej`L]QfSr+X4?p[?s1'P%-S=@m3j[UouO{&pjb{Okf,^{?8]m_p|[dvToZf4ozvw+S#0$g.ye"
Heuristic match: "Z=05K;8f`vBV&0>YR4s?nzeRk7.DO"
Pattern match: "aZ.ut/AZ_,;p5;1,p"
Pattern match: "s.GKC/^z{v8R!cf4b3g*FKsKFPy"
Pattern match: "e.PQ/YDJ8OdArtGrX2}h5T:=RYOUNttM;DSo$YeYRy-to[VED%M6"
Heuristic match: "$Y%cK_/{eRc(R`{|!@C}+/:-1~9*w=eyuho:y RRz$r&*Kj:193Ix2uN.Gr"
Heuristic match: "c*`S2ZEV[>0V&} 3.v?-N$Rth3iIId'I5`=VVP-G1!V#-DJQe;[Izt<LWN1yf|r\;4v:HYL(8#^_.TM"
Heuristic match: "~$Q'B<[QFFIs|iiUP\_a-oX.VE"
Pattern match: "yKN.wy/63Cv''?'Mu:.}rm_o~"
Heuristic match: "F2h,${tIO=:80WS.vg"
Heuristic match: "RVDz*&8q0*JY!!.DM"
Heuristic match: "^Wg$K\^Vj~vsZ] ;>m 3CVkBvp@6P'4=!3cd.TV"
Pattern match: "8B.kMPb/usVXtK3"
Pattern match: "CD.rrv/]_9lXA{l]_IH&a_3L"
Heuristic match: ".`Q+:X9}7E.qt`3_a!uz.Ac"
Pattern match: "Suue-.Q3yJ.skW/-..@s/TI=,v2c2"
Pattern match: "0Bq.wy/z$.C~X]\7gyQ3t"
Pattern match: "qYU.LV/a#"
Heuristic match: "lA$T8<V^w\s12i9c'O\.GL"
Pattern match: "L.ScG/SR"
Pattern match: "sJ-RfGi.WK/o'n"
Pattern match: "4t.zxK/zSEp"
- source
- File/Memory
- relevance
- 10/10

Unusual Characteristics

Matched Compiler/Packer signature
- details
- "a7ec1d01a01f02ef6e103cbd72b87e3f562ed86a52470350fe5c3ca854bb3be8.exe.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10

File Details
- Filename
- ruis_setup.exe
- Size
- 25MiB (26628583 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- a7ec1d01a01f02ef6e103cbd72b87e3f562ed86a52470350fe5c3ca854bb3be8
- MD5
- 4b1af5c80fadb59d30d259126db02a53
- SHA1
- 7544f2a1f355d2120e6b70fade9a09aab3abf333
- ssdeep
- 393216:fZvBPygwOCToOVyRt+QTYOJus5Xey3ELfOWa6PijkNsfhiMpUMeAMsMyU4uEo:ft1LuT/Yjv9nkmusj5tm14UN
- imphash
- 906067224c4001435aaf7d401e5e2cb3
- authentihash
- a02bcb2a9c7eb4f1c66eb36a306e792bb47973f7fe61b6c024ab5a499a204f73
- Compiler/Packer
- Microsoft visual C++ 5.0
- PDB Pathway
Version Info
- LegalCopyright
- Copyright 1990-2000 InstallShield Software Corporation
- FileVersion
- 3.03.19
- CompanyName
- Installshield Software Corporation
- Comments
- -
- ProductName
- InstallShield
- ProductVersion
- 3.03
- FileDescription
- Setup Launcher
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 42.1% (.EXE) Win32 Executable MS Visual C++ (generic)
- 37.3% (.EXE) Win64 Executable (generic)
- 8.8% (.DLL) Win32 Dynamic Link Library (generic)
- 6.0% (.EXE) Win32 Executable (generic)
- 2.7% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- Input Sample (PID: 2900), antivirus detection 4/67
- msiexec.exe /i "%TEMP%\_is45DB\RUIS.msi" (PID: 3368)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative Selection (2)

RUIS.msi
- Size
- 5MiB (5241856 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- a7ec1d01a01f02ef6e103cbd72b87e3f562ed86a52470350fe5c3ca854bb3be8.exe (PID: 2900)
- MD5
- 25d9570a67ceefbc64cb7beb3fdc4a38
- SHA1
- 7cf978f9781146d8a3b3075867e9986e72f45be2
- SHA256
- d6fa0644f6af266385062985a53bce49c888cd7f98b6451aa5b27fb2798c7696

~45BC.tmp
- Size
- 61KiB (62675 bytes)
- Type
- text
- Description
- Non-ISO extended-ASCII text, with CRLF line terminators
- Runtime Process
- a7ec1d01a01f02ef6e103cbd72b87e3f562ed86a52470350fe5c3ca854bb3be8.exe (PID: 2900)
- MD5
- 83794f7bfbd2e85ffce8d0f678afc465
- SHA1
- dc64151466a5474631789b5b46e0177269d7a387
- SHA256
- fa377c099f4d22d752e7e9ab809f391cbefe5d617978795b6d8817e11d7f8041

Informative (2)

Setup.INI
- Size
- 61KiB (62675 bytes)
- Type
- text
- Description
- Non-ISO extended-ASCII text, with CRLF line terminators
- Runtime Process
- a7ec1d01a01f02ef6e103cbd72b87e3f562ed86a52470350fe5c3ca854bb3be8.exe (PID: 2900)
- MD5
- 83794f7bfbd2e85ffce8d0f678afc465
- SHA1
- dc64151466a5474631789b5b46e0177269d7a387
- SHA256
- fa377c099f4d22d752e7e9ab809f391cbefe5d617978795b6d8817e11d7f8041

_ISMSIDEL.INI
- Size
- 130B (130 bytes)
- Type
- data
- Runtime Process
- a7ec1d01a01f02ef6e103cbd72b87e3f562ed86a52470350fe5c3ca854bb3be8.exe (PID: 2900)
- MD5
- f068d89073dabb9df9ee00f8be62ab1f
- SHA1
- 1cbcbfdd2ef9aa6458f8c9fc56e31514d72baf46
- SHA256
- 013be7774d02aaa82d7446a461b19cef15d46237094547d4170e6f8fbc47e0f2

Notifications

Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)