| File name: | wiresock-vpn-client-x64-1.4.7.1.msi |
| Full analysis: | https://app.any.run/tasks/e0ea4cc6-8f85-4be2-8a2f-db01cf829fb4 |
| Verdict: | Malicious activity |
| Analysis date: | October 14, 2024, 18:58:40 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: WireSock VPN Client x64, Author: NT KERNEL, Keywords: Installer, Comments: This installer database contains the logic and data required to install WireSock VPN Client x64., Template: x64;1033, Revision Number: {4BF4FFCA-1CD5-409A-9285-57F90562602F}, Create Time/Date: Sat Jul 6 12:28:20 2024, Last Saved Time/Date: Sat Jul 6 12:28:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: WiX Toolset (4.0.0.0), Security: 2 |
| MD5: | A484D8AE3BB52183E97ECBC2440E897A |
| SHA1: | 7617B40C61603516AFF85CFFD65C521FD1E27CCA |
| SHA256: | FA3F483DA7EA1AE6C234F95BECB0AA6A18E7EB18B944D3FFB4518D40F4292F40 |
| SSDEEP: | 98304:0xuPHV9WIERfaFlrss5dqzRplR97QUgpRwlWLgmEAmIj5dlw1DB:Jx |
MALICIOUS
No malicious indicators.SUSPICIOUS
Process drops legitimate windows executable
- msiexec.exe (PID: 6704)
- msiexec.exe (PID: 5940)
Starts SC.EXE for service management
- msiexec.exe (PID: 6780)
Drops a system driver (possible attempt to evade defenses)
- netcfg.exe (PID: 4680)
- drvinst.exe (PID: 6476)
- drvinst.exe (PID: 6176)
- msiexec.exe (PID: 5940)
Executable content was dropped or overwritten
- drvinst.exe (PID: 6176)
- drvinst.exe (PID: 6476)
- netcfg.exe (PID: 4680)
Executes as Windows Service
- VSSVC.exe (PID: 6168)
INFO
Reads the software policy settings
- msiexec.exe (PID: 6704)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 6704)
Checks proxy server information
- msiexec.exe (PID: 6704)
Reads the computer name
- msiexec.exe (PID: 5940)
Checks supported languages
- msiexec.exe (PID: 5940)
Manages system restore points
- SrTasks.exe (PID: 4128)
Executable content was dropped or overwritten
- msiexec.exe (PID: 5940)
Creates files or folders in the user directory
- msiexec.exe (PID: 6704)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (98.5) |
|---|---|---|
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CodePage: | Windows Latin 1 (Western European) |
|---|---|
| Title: | Installation Database |
| Subject: | WireSock VPN Client x64 |
| Author: | NT KERNEL |
| Keywords: | Installer |
| Comments: | This installer database contains the logic and data required to install WireSock VPN Client x64. |
| Template: | x64;1033 |
| RevisionNumber: | {4BF4FFCA-1CD5-409A-9285-57F90562602F} |
| CreateDate: | 2024:07:06 12:28:20 |
| ModifyDate: | 2024:07:06 12:28:20 |
| Pages: | 200 |
| Words: | 2 |
| Software: | WiX Toolset (4.0.0.0) |
| Security: | Read-only recommended |
Total processes
150
Monitored processes
19
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1068 | "C:\Program Files\WireSock VPN Client\wiresock-adapter\devcon.exe" install "C:\Program Files\WireSock VPN Client\wiresock-adapter\wiresock.inf" wiresock | C:\Program Files\WireSock VPN Client\wiresock-adapter\devcon.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Device Console Exit code: 0 Version: 10.0.19041.685 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1196 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1764 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | certutil.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2444 | "C:\WINDOWS\system32\certutil.exe" -addstore -f "TrustedPublisher" "C:\Program Files\WireSock VPN Client\certificates\cert_ip.cer" | C:\Windows\System32\certutil.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2576 | DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\WINDOWS\INF\oem6.inf" "oem6.inf:b3e3935d0e058c1e:WireSock.Install:1.5.0.0:wiresock," "4196f371b" "000000000000020C" | C:\Windows\System32\drvinst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3580 | "C:\WINDOWS\system32\certutil.exe" -addstore -f "TrustedPublisher" "C:\Program Files\WireSock VPN Client\certificates\cert_ev.cer" | C:\Windows\System32\certutil.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: CertUtil.exe Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4128 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4556 | "C:\WINDOWS\system32\sc.exe" query ndiswgc | C:\Windows\System32\sc.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Service Control Manager Configuration Tool Exit code: 1060 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4680 | "C:\WINDOWS\system32\netcfg.exe" -v -l "C:\Program Files\WireSock VPN Client\drivers\ndiswgc_lwf.inf" -c s -i nt_ndiswgc | C:\Windows\System32\netcfg.exe | msiexec.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WinPE network installer Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5356 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | netcfg.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
19 271
Read events
18 926
Write events
319
Delete events
26
Modification events
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000034EF01D6B1EDB0134170000B0080000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000034EF01D6B1EDB0134170000B0080000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000092E3A1E6B1EDB0134170000B0080000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000092E3A1E6B1EDB0134170000B0080000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000B1913C1E6B1EDB0134170000B0080000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 48000000000000005B59411E6B1EDB0134170000B0080000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000077EA51E6B1EDB0134170000B0080000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000F6E2A71E6B1EDB013417000008190000E80300000100000000000000000000009E028A289786524C9105A37D6F8AB80600000000000000000000000000000000 | |||
| (PID) Process: | (6168) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 48000000000000003861B11E6B1EDB011818000084100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
21
Suspicious files
48
Text files
4
Unknown types
9
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5940 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 6704 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | binary | |
MD5:3A98F97B180AD279D3CEA9BC75F05067 | SHA256:D96FD0CE6973A8A9715A41B8C3BC932B5FA4C1341E2136838347DF4CD7D1CC49 | |||
| 6704 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_CBBFF7A51C21E740C38443A74DDFD727 | binary | |
MD5:A14C148B4BA9A1B015A1E26D78EEDCD6 | SHA256:D918CFD79D9088ED0EB8217E128E472D707C45D9A442ACDB7237A7D9AD8A1E74 | |||
| 6704 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_CBBFF7A51C21E740C38443A74DDFD727 | der | |
MD5:2BECB97229A387A19FC6F0EBC6611D42 | SHA256:050D48823708AECE2799CF2297339858269B35D9F6F458F0CDA2A073E5418454 | |||
| 6704 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C | der | |
MD5:C3B4370A23C004838839E8CD341CB114 | SHA256:207AB1CAFB0ACF946598964597E55986C0207FF386CD3F750D480BA9D6EC2391 | |||
| 6704 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B | der | |
MD5:BA6AF01C59167798CDE59A1C77921B09 | SHA256:7D7675A7D87D48F519F819A3EDAC7149E517BDA1E717ED3E9494F1A6C5870096 | |||
| 5940 | msiexec.exe | C:\Windows\Installer\92128.msi | executable | |
MD5:A484D8AE3BB52183E97ECBC2440E897A | SHA256:FA3F483DA7EA1AE6C234F95BECB0AA6A18E7EB18B944D3FFB4518D40F4292F40 | |||
| 5940 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:A4524DE2C6FA3E6BCF942535AC93809D | SHA256:91D798CCCE40ECD9E49CF8F334A8372D9D78BE752EECE0BD55F1D11F30888C86 | |||
| 5940 | msiexec.exe | C:\Windows\Temp\~DFE3F645A729F96763.TMP | binary | |
MD5:F1378DACD270EA3DFE67FDED48885DA7 | SHA256:F71FB41DF08C00E9F85657D2DF0FA1F7933A6008CAF9E914B45A7D10F6C16616 | |||
| 5940 | msiexec.exe | C:\Program Files\WireSock VPN Client\bin\wiresock-client.exe | executable | |
MD5:A1EE44F7FBA97761A5DE67088B9587CE | SHA256:CF20921BA91DD2A3B0E95B06F126A129578DE5636B5326FB2D79A293953BA8A2 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
26
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6704 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D | unknown | — | — | whitelisted |
6704 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D | unknown | — | — | whitelisted |
6704 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | — | — | whitelisted |
6704 | msiexec.exe | GET | 200 | 104.18.21.226:80 | http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDDIt6H%2BXfAETa93iEg%3D%3D | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 2.16.164.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1252 | RUXIMICS.exe | GET | 200 | 2.16.164.97:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1252 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 23.212.110.177:443 | www.bing.com | Akamai International B.V. | CZ | whitelisted |
1252 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6704 | msiexec.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | — | whitelisted |
5488 | MoUsoCoreWorker.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6944 | svchost.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
1252 | RUXIMICS.exe | 2.16.164.97:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
ocsp.globalsign.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |