File name:	3CXDesktopApp-18.12.416.msi
Full analysis:	https://app.any.run/tasks/980a055d-50e7-42ff-a426-5f267797f69f
Verdict:	Malicious activity
Analysis date:	August 05, 2024, 03:55:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: 3CX Desktop App, Author: 3CX Ltd., Keywords: Installer, Comments: Windows Installer Package, Template: x64;1033, Revision Number: {99BD84FA-1803-4DA0-A416-65D94F4D208A}, Create Time/Date: Mon Mar 13 06:33:26 2023, Last Saved Time/Date: Mon Mar 13 06:33:26 2023, Number of Pages: 405, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:	0EEB1C0133EB4D571178B2D9D14CE3E9
SHA1:	BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E
SHA256:	59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983
SSDEEP:	1572864:xyTUXdwSabTjb4gJeqSgMfDuF5CKib5mG:xyTUXdwFbTjb4gBSPDtZb5mG

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	3CX Desktop App
Author:	3CX Ltd.
Keywords:	Installer
Comments:	Windows Installer Package
Template:	x64;1033
RevisionNumber:	{99BD84FA-1803-4DA0-A416-65D94F4D208A}
CreateDate:	2023:03:13 06:33:26
ModifyDate:	2023:03:13 06:33:26
Pages:	405
Words:	2
Software:	Windows Installer XML Toolset (3.11.2.4516)
Security:	Read-only recommended


(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000EADA287AEBE6DA01401B0000601B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000EADA287AEBE6DA01401B0000601B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 480000000000000025036E7AEBE6DA01401B0000601B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 480000000000000025036E7AEBE6DA01401B0000601B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000D667707AEBE6DA01401B0000601B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000CA30757AEBE6DA01401B0000601B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000B06CEC7AEBE6DA01401B0000601B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6976) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 48000000000000008CD1EE7AEBE6DA01401B0000D81B0000E803000001000000000000000000000015EE89075EB56B46B86FF5C9F18F019000000000000000000000000000000000
(PID) Process:	(7024) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 480000000000000071B1FA7AEBE6DA01701B0000FC1B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
6976	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6976	msiexec.exe	C:\Windows\Installer\ee49f.msi		—
		MD5:—	SHA256:—
6976	msiexec.exe	C:\Users\admin\AppData\Local\Programs\3CXDesktopApp\app-18.12.416\3CXDesktopApp.exe		—
		MD5:—	SHA256:—
6796	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17		der
		MD5:4BA6BE910DFD3894E6306405A20C7406	SHA256:CC11D68AB433389B145A5CA5E2F2039DB4F6F693129ACA3ADAE8AB74FEFBE523
6796	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17		binary
		MD5:818FAF8E0593055B7D323BB346501547	SHA256:92611AACDC38816477058E98E78AE091EC43B8EBBF73D26A86D66D55349B8A1B
6976	msiexec.exe	C:\Windows\Temp\~DF50202F7C563E15C8.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6976	msiexec.exe	C:\Windows\Installer\MSIECE1.tmp		executable
		MD5:B2E2C24EBCE4F188CF28B9E1470227F5	SHA256:233F5E43325615710CA1AA580250530E06339DEF861811073912E8A16B058C69
6976	msiexec.exe	C:\Users\admin\AppData\Local\Programs\3CXDesktopApp\app-18.12.416\icudtl.dat		—
		MD5:—	SHA256:—
6976	msiexec.exe	C:\Windows\Installer\MSIEC13.tmp		executable
		MD5:B2E2C24EBCE4F188CF28B9E1470227F5	SHA256:233F5E43325615710CA1AA580250530E06339DEF861811073912E8A16B058C69
6976	msiexec.exe	C:\Windows\Installer\MSIEBE3.tmp		binary
		MD5:84E50DC2E017E29602D799E709E6680A	SHA256:93D20494BC0864EAA88F08275BDC7666FD3722BBEAC49AE9089F242DAD90EC26

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6796	msiexec.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ5suEceKjAJbxseAmHFkQ9FrhTWQQUDuE6qFM6MdWKvsG7rWcaA4WtNA4CEBtmEd%2Bcmk1uzI7VDJuReHM%3D	unknown	—	—	whitelisted
6796	msiexec.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEB2iSDBvmyYY0ILgln0z02o%3D	unknown	—	—	whitelisted
—	—	POST	204	104.126.37.137:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6796	msiexec.exe	172.64.149.23:80	ocsp.usertrust.com	CLOUDFLARENET	US	unknown
5336	SearchApp.exe	2.23.209.130:443	www.bing.com	Akamai International B.V.	GB	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.186.174	whitelisted
ocsp.usertrust.com	172.64.149.23 104.18.38.233	whitelisted
ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted
www.bing.com	2.23.209.130 2.23.209.133 2.23.209.149 2.23.209.187 2.23.209.182 2.23.209.140 2.23.209.150 2.23.209.176 2.23.209.189	whitelisted

General Info

3CXDesktopApp-18.12.416.msi

0EEB1C0133EB4D571178B2D9D14CE3E9

BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E

59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983

1572864:xyTUXdwSabTjb4gJeqSgMfDuF5CKib5mG:xyTUXdwFbTjb4gBSPDtZb5mG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Executes as Windows Service

Checks Windows Trust Settings

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Application launched itself

Reads the date of Windows installation

INFO

Reads the software policy settings

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Reads the computer name

Checks supported languages

Checks proxy server information

Reads the machine GUID from the registry

Application launched itself

Executable content was dropped or overwritten

Creates a software uninstall entry

Process checks computer location settings

Reads product name

Reads Environment values

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings