| download: | BoxToolsInstaller-UserUpgrade-4.5.6.593.msi.zip |
| Full analysis: | https://app.any.run/tasks/2c32b1a5-cd50-4b73-9a32-08c34793b8ca |
| Verdict: | Malicious activity |
| Analysis date: | July 02, 2019, 12:40:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | E3B353E45BA8A32944809C790F3A7ED6 |
| SHA1: | AD56CA65D9B32807F5642B2E578E601EA850CC32 |
| SHA256: | 71791E4F1B1BDFA9B08C468ADBDB3333FDDF54B187E53ABF7A2FD35E6B92B5C9 |
| SSDEEP: | 98304:QrsFE62QuQQaPXBa46fHvQaNo/1JxbzGOKfU1K04Wi454RDn5iit9L0xzjADiBbQ:QrSLuQBRJQvrCxbKOKfoHaPiWLszjEi+ |
MALICIOUS
Loads dropped or rewritten executable
- rundll32.exe (PID: 344)
- rundll32.exe (PID: 3256)
- rundll32.exe (PID: 3148)
- rundll32.exe (PID: 2892)
- rundll32.exe (PID: 3160)
- rundll32.exe (PID: 3348)
- rundll32.exe (PID: 324)
- rundll32.exe (PID: 2896)
- rundll32.exe (PID: 872)
- Box Edit.exe (PID: 320)
- Box Local Com Service.exe (PID: 3172)
Application was dropped or rewritten from another process
- Box Local Com Service.exe (PID: 3172)
- Box Edit.exe (PID: 320)
SUSPICIOUS
Executed as Windows Service
- vssvc.exe (PID: 304)
Executed via COM
- DrvInst.exe (PID: 2528)
Starts Microsoft Installer
- WinRAR.exe (PID: 1412)
Executable content was dropped or overwritten
- rundll32.exe (PID: 344)
- rundll32.exe (PID: 2892)
- rundll32.exe (PID: 3148)
- msiexec.exe (PID: 2432)
Uses RUNDLL32.EXE to load library
- MsiExec.exe (PID: 2700)
Creates files in the user directory
- msiexec.exe (PID: 2432)
Changes the autorun value in the registry
- msiexec.exe (PID: 2432)
Uses WMIC.EXE to obtain a system information
- Box Local Com Service.exe (PID: 3172)
Reads Environment values
- Box Local Com Service.exe (PID: 3172)
INFO
Changes settings of System certificates
- DrvInst.exe (PID: 2528)
Searches for installed software
- msiexec.exe (PID: 2432)
Low-level read access rights to disk partition
- vssvc.exe (PID: 304)
Adds / modifies Windows certificates
- DrvInst.exe (PID: 2528)
Application launched itself
- msiexec.exe (PID: 2432)
Dropped object may contain Bitcoin addresses
- msiexec.exe (PID: 2432)
Creates a software uninstall entry
- msiexec.exe (PID: 2432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0008 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2019:05:29 11:39:22 |
| ZipCRC: | 0x43c6f6f6 |
| ZipCompressedSize: | 4933337 |
| ZipUncompressedSize: | 6131712 |
| ZipFileName: | BoxToolsUpgrade.msi |
Total processes
53
Monitored processes
18
Malicious processes
10
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 304 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 320 | "C:\Users\admin\AppData\Local\Box\Box Edit\Box Edit.exe" | C:\Users\admin\AppData\Local\Box\Box Edit\Box Edit.exe | msiexec.exe | ||||||||||||
User: admin Company: Box, Inc. Integrity Level: MEDIUM Description: Box Edit Exit code: 0 Version: 4.5.6.593 Modules
| |||||||||||||||
| 324 | rundll32.exe "C:\Windows\Installer\MSIB5F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1291875 191 Box.LocalComServer.Installer.CustomActions!Box.LocalComServer.Installer.CustomActions.ApplicationSettingsCustomActions.Install | C:\Windows\system32\rundll32.exe | — | MsiExec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 344 | rundll32.exe "C:\Windows\Installer\MSIACF5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1289500 167 Box.LocalComServer.Installer.CustomActions!Box.LocalComServer.Installer.CustomActions.ApplicationSettingsCustomActions.Prepare | C:\Windows\system32\rundll32.exe | MsiExec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 872 | rundll32.exe "C:\Windows\Installer\MSIB920.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1292625 199 Box.Edit.Installer.CustomActions!Box.Edit.Installer.CustomActions.CreateInstallationIdCustomAction.CreateInstallationIdPerUser | C:\Windows\system32\rundll32.exe | — | MsiExec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1412 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BoxToolsInstaller-UserUpgrade-4.5.6.593.msi.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 2328 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa1412.23621\BoxToolsUpgrade.msi" | C:\Windows\System32\msiexec.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2432 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2528 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C4" "00000580" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2700 | C:\Windows\system32\MsiExec.exe -Embedding 150FA71CA5BBFCFC8E345E7459C9A4AD | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 417
Read events
955
Write events
450
Delete events
12
Modification events
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\BoxToolsInstaller-UserUpgrade-4.5.6.593.msi.zip | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (1412) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | @C:\Windows\System32\msimsg.dll,-34 |
Value: Windows Installer Package | |||
| (PID) Process: | (2328) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
68
Suspicious files
6
Text files
121
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1412 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1412.23621\BoxToolsUpgrade.msi | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\Windows\Installer\13a396.msi | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\Windows\Installer\MSIA646.tmp | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\Windows\Installer\MSIA8A9.tmp | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\Windows\Installer\MSIA946.tmp | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\Windows\Installer\MSIAA04.tmp | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\Windows\Installer\MSIAA91.tmp | — | |
MD5:— | SHA256:— | |||
| 2432 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFC4872FEFA10D95C3.TMP | — | |
MD5:— | SHA256:— | |||
| 304 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
320 | Box Edit.exe | 185.235.236.197:443 | api.box.com | — | — | suspicious |
3172 | Box Local Com Service.exe | 185.235.236.197:443 | api.box.com | — | — | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.box.com |
| whitelisted |
client-log.box.com |
| suspicious |