| File name: | wiresock-vpn-client-x64-1.4.7.1.msi |
| Full analysis: | https://app.any.run/tasks/2e77037a-6640-4fea-97e9-fa5542fdce2b |
| Verdict: | Malicious activity |
| Analysis date: | January 19, 2025, 12:34:41 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: WireSock VPN Client x64, Author: NT KERNEL, Keywords: Installer, Comments: This installer database contains the logic and data required to install WireSock VPN Client x64., Template: x64;1033, Revision Number: {4BF4FFCA-1CD5-409A-9285-57F90562602F}, Create Time/Date: Sat Jul 6 12:28:20 2024, Last Saved Time/Date: Sat Jul 6 12:28:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2 |
| MD5: | A484D8AE3BB52183E97ECBC2440E897A |
| SHA1: | 7617B40C61603516AFF85CFFD65C521FD1E27CCA |
| SHA256: | FA3F483DA7EA1AE6C234F95BECB0AA6A18E7EB18B944D3FFB4518D40F4292F40 |
| SSDEEP: | 98304:0xuPHV9WIERfaFlrss5dqzRplR97QUgpRwlWLgmEAmIj5dlw1DB:Jx |
MALICIOUS
No malicious indicators.SUSPICIOUS
Adds/modifies Windows certificates
- certutil.exe (PID: 3532)
- certutil.exe (PID: 1412)
Checks Windows Trust Settings
- msiexec.exe (PID: 6636)
- drvinst.exe (PID: 4708)
- devcon.exe (PID: 5488)
- drvinst.exe (PID: 6392)
Drops a system driver (possible attempt to evade defenses)
- msiexec.exe (PID: 6636)
- netcfg.exe (PID: 4604)
- drvinst.exe (PID: 4708)
- drvinst.exe (PID: 6392)
Executes as Windows Service
- VSSVC.exe (PID: 6868)
Process drops legitimate windows executable
- msiexec.exe (PID: 6636)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 6636)
Windows service management via SC.EXE
- sc.exe (PID: 4164)
Executable content was dropped or overwritten
- drvinst.exe (PID: 4708)
- netcfg.exe (PID: 4604)
- drvinst.exe (PID: 6392)
Creates files in the driver directory
- drvinst.exe (PID: 4708)
- drvinst.exe (PID: 6392)
- devcon.exe (PID: 5488)
Starts SC.EXE for service management
- msiexec.exe (PID: 6096)
Creates or modifies Windows services
- drvinst.exe (PID: 6320)
INFO
Reads security settings of Internet Explorer
- msiexec.exe (PID: 6464)
Creates files or folders in the user directory
- msiexec.exe (PID: 6464)
Checks proxy server information
- msiexec.exe (PID: 6464)
Reads the computer name
- msiexec.exe (PID: 6096)
- msiexec.exe (PID: 6636)
- drvinst.exe (PID: 4708)
- devcon.exe (PID: 5488)
- drvinst.exe (PID: 6320)
- drvinst.exe (PID: 6392)
Checks supported languages
- msiexec.exe (PID: 6636)
- msiexec.exe (PID: 6096)
- drvinst.exe (PID: 6392)
- drvinst.exe (PID: 4708)
- devcon.exe (PID: 5488)
- drvinst.exe (PID: 6320)
Reads the machine GUID from the registry
- msiexec.exe (PID: 6636)
- drvinst.exe (PID: 4708)
- devcon.exe (PID: 5488)
- drvinst.exe (PID: 6392)
The sample compiled with english language support
- msiexec.exe (PID: 6464)
- msiexec.exe (PID: 6636)
- drvinst.exe (PID: 6392)
Executable content was dropped or overwritten
- msiexec.exe (PID: 6636)
Manages system restore points
- SrTasks.exe (PID: 7160)
Reads the software policy settings
- msiexec.exe (PID: 6464)
- msiexec.exe (PID: 6636)
- drvinst.exe (PID: 4708)
- devcon.exe (PID: 5488)
- drvinst.exe (PID: 6392)
Creates files in the driver directory
- netcfg.exe (PID: 4604)
Creates a software uninstall entry
- msiexec.exe (PID: 6636)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | WireSock VPN Client x64 |
| Author: | NT KERNEL |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install WireSock VPN Client x64. |
| Template: | x64;1033 |
| RevisionNumber: | {4BF4FFCA-1CD5-409A-9285-57F90562602F} |
| CreateDate: | 2024:07:06 12:28:20 |
| ModifyDate: | 2024:07:06 12:28:20 |
| Pages: | 200 |
| Words: | 2 |
| Software: | WiX Toolset (4.0.0.0) |
| Security: | Read-only recommended |
Total processes
140
Monitored processes
19
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1412 | "C:\WINDOWS\system32\certutil.exe" -addstore -f "TrustedPublisher" "C:\Program Files\WireSock VPN Client\certificates\cert_ev.cer" | C:\Windows\System32\certutil.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1556 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3436 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | certutil.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3532 | "C:\WINDOWS\system32\certutil.exe" -addstore -f "TrustedPublisher" "C:\Program Files\WireSock VPN Client\certificates\cert_ip.cer" | C:\Windows\System32\certutil.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3724 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | certutil.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3988 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | sc.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4164 | "C:\WINDOWS\system32\sc.exe" query ndiswgc | C:\Windows\System32\sc.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Service Control Manager Configuration Tool Exit code: 1060 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4604 | "C:\WINDOWS\system32\netcfg.exe" -v -l "C:\Program Files\WireSock VPN Client\drivers\ndiswgc_lwf.inf" -c s -i nt_ndiswgc | C:\Windows\System32\netcfg.exe | msiexec.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WinPE network installer Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4708 | DrvInst.exe "4" "1" "C:\Program Files\WireSock VPN Client\drivers\ndiswgc_lwf.inf" "9" "4d09c0fc7" "00000000000001CC" "WinSta0\Default" "00000000000001DC" "208" "C:\Program Files\WireSock VPN Client\drivers" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4980 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netcfg.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
19 261
Read events
18 916
Write events
319
Delete events
26
Modification events
| (PID) Process: | (6636) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 480000000000000051F69B8F6E6ADB01EC190000C41A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6636) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 48000000000000005917528F6E6ADB01EC190000C41A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6636) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 48000000000000005917528F6E6ADB01EC190000C41A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6636) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000AA93998F6E6ADB01EC190000C41A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6636) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000AA93998F6E6ADB01EC190000C41A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6636) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000EF5A9E8F6E6ADB01EC190000C41A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6868) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000DE3C26906E6ADB01D41A00004C1B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6868) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000DE3C26906E6ADB01D41A0000441B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6868) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 480000000000000087042B906E6ADB01D41A0000441B0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (6868) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
21
Suspicious files
57
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6636 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 6464 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | binary | |
MD5:C6BB1CCD81E08919D45264702548CCB6 | SHA256:B0235EEEAFE6E5E633EB173B2C090E54A7EAA5ED7A5AD40A6C2DBFA756E61CF3 | |||
| 6464 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary | |
MD5:8D13CC06D7D90FAC67606507939BF8BE | SHA256:0C01E872F34971BEAA56C9BAF495879A871F96BE4082B33FE05872E66A47EF32 | |||
| 6464 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary | |
MD5:A07A166656F412ADF29B9A955363725E | SHA256:9C5F792A6F442BE81D6EBEC8B1D6B619FB822D4A6864F2A6D33893FB1B72010B | |||
| 6636 | msiexec.exe | C:\Program Files\WireSock VPN Client\bin\wiresock-client.exe | executable | |
MD5:A1EE44F7FBA97761A5DE67088B9587CE | SHA256:CF20921BA91DD2A3B0E95B06F126A129578DE5636B5326FB2D79A293953BA8A2 | |||
| 6464 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C | binary | |
MD5:B9B6746F499EC2B452CE87F05BD5C479 | SHA256:6B3DAD3F7A93E90424C721528E7419F8791B62B7793B273B4829597A88EC71D2 | |||
| 6636 | msiexec.exe | C:\Program Files\WireSock VPN Client\bin\wgbooster.dll | executable | |
MD5:45A70A9B0F8C09CEBCB9455527BEC7FE | SHA256:6B7152ACA4222CAF214B2AD4C5089C39F7EDC0F9BF9CFDE36D3EC2628595759B | |||
| 6636 | msiexec.exe | C:\Program Files\WireSock VPN Client\certificates\cert_ev.cer | text | |
MD5:25BBD68CF03F2877429B256A88A98D9F | SHA256:D6EAB9F0792DF771C3F81C1D03758B40BEC445D70FE3118D7456994A1E66C195 | |||
| 6636 | msiexec.exe | C:\Windows\Installer\13cdb3.msi | executable | |
MD5:A484D8AE3BB52183E97ECBC2440E897A | SHA256:FA3F483DA7EA1AE6C234F95BECB0AA6A18E7EB18B944D3FFB4518D40F4292F40 | |||
| 6464 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | binary | |
MD5:9144D78E4DF88A48EC5846F4ACE498F4 | SHA256:88918F5BEF18B2AE78867FA79A6BE10AE65BB7F0F7FDECFA2DB8A2296802C186 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
21
DNS requests
5
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted |
488 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted |
6464 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | binary | 1.41 Kb | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted |
6464 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D | unknown | binary | 1.40 Kb | whitelisted |
6464 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | binary | 1.67 Kb | whitelisted |
6464 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDDIt6H%2BXfAETa93iEg%3D%3D | unknown | binary | 1.65 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
488 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
488 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6464 | msiexec.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | — | whitelisted |
3976 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
ocsp.globalsign.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |