| File name: | SibSetup.msi |
| Full analysis: | https://app.any.run/tasks/1d75b021-1fa9-4bd4-a093-d9fb266696e1 |
| Verdict: | Malicious activity |
| Analysis date: | September 19, 2023, 07:53:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Silent Install Builder 5, Author: Aprel Tech, LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install Silent Install Builder 5., Template: Intel;1033, Revision Number: {3C0B87BB-DA83-44B4-834B-85CE51B7995A}, Create Time/Date: Thu Aug 23 18:53:42 2018, Last Saved Time/Date: Thu Aug 23 18:53:42 2018, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2 |
| MD5: | 9E4C8C1AEFF32EC2CD79CA3712E15573 |
| SHA1: | DCEFAAE920690EFCAF1CDAD94824FAA9139EA92A |
| SHA256: | 26B590806B43B226837A8DCCD951B8597721DDD763DDC7F354756323D8106791 |
| SSDEEP: | 196608:BROUFRJ7YdwaCv7wYDsjG4SwWswW3i3B5MOtqO8P+18zanAi7/0T0tBi0SRvk:v1j7YOX8YDsK4Ftix5MO4O8PY8+nAy09 |
MALICIOUS
Application was dropped or rewritten from another process
- Sib.exe (PID: 2608)
Loads dropped or rewritten executable
- Sib.exe (PID: 2608)
SUSPICIOUS
Checks Windows Trust Settings
- msiexec.exe (PID: 2828)
The process creates files with name similar to system file names
- msiexec.exe (PID: 2828)
Executes as Windows Service
- VSSVC.exe (PID: 2592)
Reads the Internet Settings
- Sib.exe (PID: 2608)
Reads settings of System Certificates
- Sib.exe (PID: 2608)
INFO
Reads the computer name
- wmpnscfg.exe (PID: 3176)
- msiexec.exe (PID: 2828)
- msiexec.exe (PID: 2900)
- Sib.exe (PID: 2608)
Checks supported languages
- wmpnscfg.exe (PID: 3176)
- msiexec.exe (PID: 2828)
- msiexec.exe (PID: 2900)
- Sib.exe (PID: 2608)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3176)
- msiexec.exe (PID: 2828)
- msiexec.exe (PID: 2900)
- Sib.exe (PID: 2608)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 3636)
Application launched itself
- msiexec.exe (PID: 2828)
Create files in a temporary directory
- msiexec.exe (PID: 2828)
Manual execution by a user
- Sib.exe (PID: 2608)
Reads Environment values
- Sib.exe (PID: 2608)
Creates files or folders in the user directory
- Sib.exe (PID: 2608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| Security: | Read-only recommended |
|---|---|
| Software: | Windows Installer XML Toolset (3.11.0.1528) |
| Words: | 2 |
| Pages: | 200 |
| ModifyDate: | 2018:08:23 18:53:42 |
| CreateDate: | 2018:08:23 18:53:42 |
| RevisionNumber: | {3C0B87BB-DA83-44B4-834B-85CE51B7995A} |
| Template: | Intel;1033 |
| Comments: | This installer database contains the logic and data required to install Silent Install Builder 5. |
| Keywords: | Installer |
| Author: | Aprel Tech, LLC |
| Subject: | Silent Install Builder 5 |
| Title: | Installation Database |
| CodePage: | Windows Latin 1 (Western European) |
Total processes
42
Monitored processes
6
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2592 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2608 | "C:\Program Files\Silent Install Builder 5\Sib.exe" | C:\Program Files\Silent Install Builder 5\Sib.exe | explorer.exe | ||||||||||||
User: admin Company: AprelTech, LLC Integrity Level: MEDIUM Description: Silent Install Builder Exit code: 0 Version: 5.1.4.0 Modules
| |||||||||||||||
| 2828 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2900 | C:\Windows\system32\MsiExec.exe -Embedding CF54B6D00351A7DBF3DB76A4AD24C41B C | C:\Windows\System32\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3176 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3636 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\SibSetup.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
12 022
Read events
11 957
Write events
52
Delete events
13
Modification events
| (PID) Process: | (3176) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{103CE13B-C4C5-4D7D-957F-0B438B0574D4}\{E4D71D1B-A309-4D71-A85F-63D6A7F963E8} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3176) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{103CE13B-C4C5-4D7D-957F-0B438B0574D4} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3176) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{9C14A82B-3627-4591-A123-BA6090CF604D} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3636) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2828) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2828) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2828) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 72 | |||
| (PID) Process: | (2828) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 40000000000000008C62D6BA16B0D901C80700002C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2828) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Leave) |
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2828) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppAddInterestingComponents (Enter) |
Value: 400000000000000064514ABC16B0D901C80700002C0A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
106
Suspicious files
17
Text files
241
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2828 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 2828 | msiexec.exe | C:\Windows\Installer\fbe17.msi | — | |
MD5:— | SHA256:— | |||
| 2828 | msiexec.exe | C:\Windows\Installer\MSIC395.tmp | binary | |
MD5:1DBCB18F2BB219B919959C687D8D9D31 | SHA256:579F7A823E2AAB4FC614CA1CA3C8C065EAC29B37197885A40E682BBA4A75159D | |||
| 2828 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:4982EB978AD77723FA78667E8C4EDA4F | SHA256:4AB47C36D0EA5D0E87B8EA7BD333C354E55E8B1374FF5513C62D537F6F50E6C7 | |||
| 2828 | msiexec.exe | C:\Program Files\Silent Install Builder 5\wix\sdk\Microsoft.Deployment.Compression.Cab.dll | executable | |
MD5:2E53972028717023311ACB1C46732720 | SHA256:862CF04545750BC07334CEAA1B18A8D4B682BBB79DA70A70F80BA9A1CCF20737 | |||
| 2828 | msiexec.exe | C:\Program Files\Silent Install Builder 5\Microsoft.WindowsAPICodePack.dll | executable | |
MD5:0D661949EBC172DFB3C3B98566BDF0FE | SHA256:808E96F59E7DD2212EACE049079D25545F6C9C3F05244EC9CDC539FDA18D34D6 | |||
| 2828 | msiexec.exe | C:\Program Files\Silent Install Builder 5\wix\sdk\Microsoft.Deployment.Compression.Cab.xml | xml | |
MD5:BB2A7A09FDDA622ACEA0866819D0E2F9 | SHA256:B8B6839B79E445E6681D25A0FD62E8FC2D9D052BEF57E0F3B555ED22E745AB88 | |||
| 2828 | msiexec.exe | C:\Windows\Installer\fbe18.ipi | binary | |
MD5:A89437CF6EB8CBE80143F1A46AD52AE9 | SHA256:A48C22427C8DCD5226BE2C59712D54C9CBCAFCF66ECF232BB5C3DCC6BF7FA3CC | |||
| 2828 | msiexec.exe | C:\Program Files\Silent Install Builder 5\wix\sdk\Microsoft.Deployment.Compression.Zip.dll | executable | |
MD5:CE7D0C4E3FCB429951C010F8FF5C0FF1 | SHA256:68355403021DF2E375F2CE4DE8325E0EC18A13865A729BC668A31B21159D4CAA | |||
| 3636 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIA678.tmp | executable | |
MD5:43A747483D2C10B1EBC4FB020C07B407 | SHA256:42334C42F80ECE6CD37F594270AEEDDEA181B288D981A1574B8CB83BFCD4DD21 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2608 | Sib.exe | POST | 200 | 142.250.184.238:80 | http://www.google-analytics.com/collect | unknown | image | 35 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3284 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2608 | Sib.exe | 142.250.184.238:80 | www.google-analytics.com | GOOGLE | US | whitelisted |
2608 | Sib.exe | 18.224.178.159:443 | www.apreltech.com | AMAZON-02 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.apreltech.com |
| unknown |
www.google-analytics.com |
| whitelisted |
apreltech.com |
| unknown |