Setup for Outlook.exe
This report is generated from a file or URL submitted to this webservice on June 19th 2018 11:30:13 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
- Network Behavior
  - Contacts 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 5
Installation/Persistence
- Allocates virtual memory in a remote process
  - details: "<Input Sample>" allocated memory in "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\E-mail Follow-Up.msi"
  - source: API Call
  - relevance: 7/10
- Writes data to a remote process
  - details:
    - "<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 252)
    - "<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 252)
    - "<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 252)
    - "<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 252)
  - source: API Call
  - relevance: 6/10
Network Related
- Malicious artifacts seen in the context of a contacted host
  - details: Found malicious artifacts related to "95.100.252.18"
  - source: Network Traffic
  - relevance: 10/10
Unusual Characteristics
- Contains ability to reboot/shutdown the operating system
  - details: ExitWindowsEx@USER32.DLL from SetupforOutlook.exe (PID: 3068)
  - source: Hybrid Analysis Technology
  - relevance: 5/10
- Tries to access unusual system drive letters
  - details:
    - "msiexec.exe" touched "K:"
    - "msiexec.exe" touched "L:"
    - "msiexec.exe" touched "M:"
    - "msiexec.exe" touched "N:"
    - "msiexec.exe" touched "O:"
    - "msiexec.exe" touched "P:"
    - "msiexec.exe" touched "Q:"
    - "msiexec.exe" touched "R:"
    - "msiexec.exe" touched "S:"
    - "msiexec.exe" touched "T:"
    - "msiexec.exe" touched "U:"
    - "msiexec.exe" touched "V:"
    - "msiexec.exe" touched "W:"
  - source: API Call
  - relevance: 9/10
Suspicious Indicators 19
Anti-Detection/Stealthiness
- Queries kernel debugger information
  - details: "msiexec.exe" at 00017717-00002380-00000105-92209440524
  - source: API Call
  - relevance: 6/10
Anti-Reverse Engineering
- PE file has unusual entropy sections
  - details: .rsrc with unusual entropies 7.54965986763
  - source: Static Parser
  - relevance: 10/10
Environment Awareness
- Reads the active computer name
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
- Reads the cryptographic machine GUID
  - details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
General
- Contains ability to find and load resources of a specific module
  - details:
    - FindResourceA@KERNEL32.dll
    - FindResourceA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Reads configuration files
  - details:
    - "<Input Sample>" read file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\Setup.INI"
    - "<Input Sample>" read file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\_ISMSIDEL.INI"
  - source: API Call
  - relevance: 4/10
Network Related
- Found potential IP address in binary/memory
  - details:
    - "1.11.1.3"
    - "2.9.0.0"
    - Heuristic match: "ScriptVer=1.0.0.1"
    - Heuristic match: "ProductVersion=1.11.1.3"
  - source: File/Memory
  - relevance: 3/10
Remote Access Related
- Reads terminal service related keys (often RDP related)
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - source: Registry Access
  - relevance: 10/10
System Destruction
- Marks file for deletion
  - details:
    - "C:\SetupforOutlook.exe" marked "%TEMP%\_MSI5166._IS" for deletion
    - "C:\SetupforOutlook.exe" marked "%TEMP%\~A1E6.tmp" for deletion
    - "%WINDIR%\System32\msiexec.exe" marked "C:\MSI2b972.tmp" for deletion
  - source: API Call
  - relevance: 10/10
- Opens file with deletion access rights
  - details:
    - "<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
    - "<Input Sample>" opened "%TEMP%\~A1E6.tmp" with delete access
    - "msiexec.exe" opened "C:\MSI2b972.tmp" with delete access
  - source: API Call
  - relevance: 7/10
Unusual Characteristics
- Imports suspicious APIs
  - details: RegOpenKeyA, RegCloseKey, OpenProcessToken, RegCreateKeyExA, RegOpenKeyExA, RegDeleteValueA, GetFileAttributesA, GetDriveTypeA, UnhandledExceptionFilter, GetThreadContext, GetTempPathA, WriteFile, WriteProcessMemory, CopyFileA, GetModuleFileNameA, CreateThread, TerminateProcess, GetTickCount, VirtualProtect, GetVersionExA, LoadLibraryA, GetStartupInfoA, GetFileSize, CreateDirectoryA, DeleteFileA, GetProcAddress, VirtualProtectEx, FindFirstFileA, GetTempFileNameA, CreateFileMappingA, FindNextFileA, CreateFileA, LockResource, GetCommandLineA, MapViewOfFile, GetModuleHandleA, CreateProcessA, Sleep, FindResourceA, VirtualAlloc, ShellExecuteA, FindWindowA
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
Hiding 7 Suspicious Indicators
Informative 18
Environment Awareness
- Contains ability to query machine time
  - details: GetSystemTimeAsFileTime@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query the machine version
  - details:
    - GetVersion@KERNEL32.dll
    - GetVersion@KERNEL32.dll
    - GetVersion@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersionExA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersionExA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersionExA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersion@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersionExA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersionExA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersion@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersionExA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersionExA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
    - GetVersion@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query volume size
  - details: GetDiskFreeSpaceA@KERNEL32.DLL from SetupforOutlook.exe (PID: 3068)
  - source: Hybrid Analysis Technology
  - relevance: 3/10
- Makes a code branch decision directly after an API that is environment aware
  - details:
    - Found API call GetVersion@KERNEL32.dll directly followed by "cmp al, 06h" and "jc 004064F6h"
    - Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "ret" from SetupforOutlook.exe (PID: 3068)
    - Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp word ptr [ebp-2Ch], 0001h" and "jnc 00413D0Dh" from SetupforOutlook.exe (PID: 3068)
    - Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-00000084h], 02h" and "ret" from SetupforOutlook.exe (PID: 3068)
    - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret" from SetupforOutlook.exe (PID: 3068)
    - Found API call GetVersionExA@KERNEL32.DLL directly followed by "cmp dword ptr [ebp-000000DCh], 05h" and "jc 00411539h" from SetupforOutlook.exe (PID: 3068)
    - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp al, 06h" and "jc 004064F6h" from SetupforOutlook.exe (PID: 3068)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Queries volume information
  - details: "msiexec.exe" queries volume information of "C:\" at 00017717-00002380-0000010C-92781602074
  - source: API Call
  - relevance: 2/10
- Queries volume information of an entire harddrive
  - details: "msiexec.exe" queries volume information of "C:\" at 00017717-00002380-0000010C-92781602074
  - source: API Call
  - relevance: 8/10
External Systems
- Sample was identified as clean by Antivirus engines
  - details: 0/67 Antivirus vendors marked sample as malicious (0% detection rate)
  - source: External System
  - relevance: 10/10
General
- Contacts server
  - details: "95.100.252.18:80"
  - source: Network Traffic
  - relevance: 1/10
- Creates a writable file in a temporary directory
  - details:
    - "<Input Sample>" created file "%TEMP%\_MSI5166._IS"
    - "<Input Sample>" created file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\Setup.INI"
    - "<Input Sample>" created file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\_ISMSIDEL.INI"
    - "<Input Sample>" created file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\0x0409.ini"
    - "<Input Sample>" created file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\0x0407.ini"
    - "<Input Sample>" created file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\0x0419.ini"
    - "<Input Sample>" created file "%TEMP%\~A1E6.tmp"
    - "<Input Sample>" created file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\1033.MST"
    - "<Input Sample>" created file "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\E-mail Follow-Up.msi"
  - source: API Call
  - relevance: 1/10
- Loads rich edit control libraries
  - details: "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6D9E0000
  - source: Loaded Module
- Spawns new processes
  - details: Spawned process "msiexec.exe" with commandline "/i "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\E-mail Follow-Up.msi" TRANSFORMS="%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\1033.MST" SETUPEXEDIR="C:""
  - source: Monitored Target
  - relevance: 3/10
- The input sample is signed with a certificate
  - details:
    - The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
    - The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: C0:D7:4C:F6:0B:CF:25:A4:C3:07:2B:C9:EE:35:8D:EE:E7:06:E0:63; see report for more information)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4; see report for more information)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47; see report for more information)
  - source: Certificate Data
  - relevance: 10/10
Installation/Persistence
- Connects to LPC ports
  - details:
    - "<Input Sample>" connecting to "\ThemeApiPort"
    - "msiexec.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details:
    - "E-mail Follow-Up.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 MSI Installer Number of Characters: 0 Last Saved By: DavidHacker Number of Words: 0 Title: E-mail Follow-Up Comments: Add-in is designed for automatization of follow-up's sending Keywords: mail e-mail email follow-up followup remind remind appointment Subject: COM Add-In for Microsoft Outlook Author: MAPILab Ltd. Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 12 - Premier Edition 12.0 Last Saved Time/Date: Tue Feb 20 14:58:30 2018 Create Time/Date: Tue Feb 20 14:58:30 2018 Last Printed: Tue Feb 20 14:58:30 2018 Revision Number: {373EE17A-2693-47AE-A192-B3CFEB38E33B} Code page: 0 Template: Intel;0,1033,1031,1049"
    - "1033.MST" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Code page: 1252 Title: E-mail Follow-Up Subject: COM Add-In for Microsoft Outlook Author: MAPILab Ltd. Keywords: mail e-mail email follow-up followup remind remind appointment Comments: Add-in is designed for automatization of follow-up's sending Create Time/Date: Tue Feb 20 14:58:30 2018 Name of Creating Application: InstallShield 12 - Premier Edition 12.0 Security: 1 Template: Intel;0,1033,1031,1049 Last Saved By: Intel;1033 Revision Number: {F11C8541-6F65-41F6-B2B7-9A46F9B438B9}1.11.1.3;{F11C8541-6F65-41F6-B2B7-9A46F9B438B9}1.11.1.3;{F44A2AD0-D545-4588-A829-1452A1B00985} Number of Pages: 200 Number of Characters: 1"
    - "Setup.INI" has type "ASCII text with CRLF line terminators"
    - "0x0419.ini" has type "ISO-8859 text with CRLF line terminators"
    - "~A1E6.tmp" has type "ASCII text with CRLF line terminators"
    - "0x0407.ini" has type "ISO-8859 text with CRLF line terminators"
    - "0x0409.ini" has type "ASCII text with CRLF line terminators"
    - "_ISMSIDEL.INI" has type "ASCII text with CRLF line terminators"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
    - "<Input Sample>" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
    - "<Input Sample>" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
    - "<Input Sample>" touched file "%WINDIR%\System32\msi.dll"
    - "<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
    - "<Input Sample>" touched file "%WINDIR%\System32\msiexec.exe"
    - "msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
    - "msiexec.exe" touched file "%WINDIR%\System32\msiexec.exe"
    - "msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
    - "msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
    - "msiexec.exe" touched file "%WINDIR%\System32\en-US\msiexec.exe.mui"
    - "msiexec.exe" touched file "%WINDIR%\System32\en-US\setupapi.dll.mui"
    - "msiexec.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  - source: API Call
  - relevance: 7/10
Network Related
- Found potential URL in binary/memory
  - details:
    - Pattern match: "http://ocsp.thawte.com0"
    - Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
    - Pattern match: "http://ts-ocsp.ws.symantec.com07"
    - Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
    - Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
    - Pattern match: "https://secure.comodo.net/CPS0C"
    - Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t"
    - Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$"
    - Pattern match: "http://ocsp.comodoca.com0"
    - Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q"
    - Pattern match: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$"
    - Pattern match: "https://www.mapilab.com"
    - Pattern match: "http://www.usertrust.com1"
    - Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05"
    - Pattern match: "http://ocsp.usertrust.com0"
    - Pattern match: "www.mapilab.com/supportcaRemoveVRootsNewSignature1OL_BITNESSNewSignature11OL_BITNESS2NewSignature12OL_BITNESS31ISCHECKFORPRODUCTUPDATESOnlyCurrentUserApplicationUsersNoAgreeToLicenseReinstall_IsMaintenanceCloseRestartRestartManagerOptionsaIS_SQLSERVER_USER"
    - Pattern match: "http://www.mapilab.com/uninstall/EFO/?ver="
    - Pattern match: "http://crl.thawte.com/ThawtePremiumServerCA.crl0U%0++0U0"
    - Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
    - Pattern match: "http://crl.thawte.com/ThawteCodeSigningCA.crl0U%0+"
    - Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
    - Pattern match: "www.macrovision.com0"
    - Pattern match: "https://secure.comodo.net/CPS0CU"
  - source: File/Memory
  - relevance: 10/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details:
    - "<Input Sample>" opened "\Device\KsecDD"
    - "msiexec.exe" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10
Unusual Characteristics
- Matched Compiler/Packer signature
  - details: "SetupforOutlook.exe.bin" was detected as "Microsoft visual C++ 5.0"
  - source: Static Parser
  - relevance: 10/10
File Details
Setup for Outlook.exe
- Filename: Setup for Outlook.exe
- Size: 3.1MiB (3227496 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 929332388a2b23ea76859ef4262afbae318bf2ada026bbc4de410f1a61be5fdf
- MD5: 3a2319a12e69b514325cbe6a8cc227c2
- SHA1: 8526923dfa9f764e905dad4bbdfc2e314f3e16a1
- ssdeep: 49152:s8xJ3rKdR54X1c+4Nt5jb9LJNEjzYOySI0LW+feQCdGLES9BKeAiy8/bz+A4P4:sQJQ4X1cvt5b9J24SIz+WjODwdir1
- imphash: 8fc44b6baee0f63424e7fdfd8a71500e
- authentihash: 7963bd0f6f6180971a5909756f82d63999e56f9e2f9eb49a53fa461b5c5a5a38
- Compiler/Packer: Microsoft visual C++ 5.0
Version Info
- LegalCopyright: Copyright 2004-2017 MAPILab Ltd. All rights reserved.
- InternalName: Setup
- FileVersion: 1.11.1.3
- CompanyName: MAPILab Ltd.
- ProductName: E-mail Follow-Up
- OLESelfRegister: -
- ProductVersion: 1.11.1.3
- FileDescription: Add-in is designed for automatization of follow-up's sending
- OriginalFilename: Setup.exe
- Translation: 0x0409 0x04b0
Classification (TrID)
- 48.1% (.EXE) InstallShield setup
- 34.9% (.EXE) Win32 Executable MS Visual C++ (generic)
- 7.3% (.DLL) Win32 Dynamic Link Library (generic)
- 5.0% (.EXE) Win32 Executable (generic)
- 2.2% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 41 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8966)
- 19 .LIB Files generated with LIB.EXE 7.00 (Visual Studio .NET 2002) (build: 9210)
- 2 .OBJ Files (COFF) linked with LINK.EXE 6.20 (Visual Studio 6 SP3) (build: 8755)
- 15 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 131 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8047)
- 31 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 2 .OBJ Files linked with ALIASOBJ.EXE 6.00 (Internal OLDNAMES.LIB Tool) (build: 7291)
- File contains C++ code
- File is the product of a medium codebase (41 files)
File Certificates
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b) | 12/21/2012 01:00:00 to 12/31/2020 00:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D, 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US (Serial: ecff438c8febf356e04d86a981b1a50) | 10/18/2012 01:00:00 to 12/30/2020 00:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37, 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4
CN=MAPILab LLC, O=MAPILab LLC, STREET="B, B, B1\" House 2-4 Cabinet 309", L=Kaliningrad, ST=Kaliningrad, OID.2.5.4.17=236029, C=RU | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: d4380e500e18ba54afcaf5afc089b856) | 11/01/2017 01:00:00 to 11/02/2021 00:59:59 | A6:E8:C8:BE:AB:8B:88:E9:6B:65:28:6C:4F:43:51:81, C0:D7:4C:F6:0B:CF:25:A4:C3:07:2B:C9:EE:35:8D:EE:E7:06:E0:63
CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 4caaf9cadb636fe01ff74ed85b03869d) | 01/19/2010 01:00:00 to 01/19/2038 00:59:59 | 1B:31:B0:71:40:36:CC:14:36:91:AD:C4:3E:FD:EC:18, AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 2e7c87cc0e934a52fe94fd1cb7cd34af) | 05/09/2013 01:00:00 to 05/09/2028 00:59:59 | AA:37:4C:C0:0B:ED:2E:1E:A6:91:EF:41:5B:80:8F:E1, B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47
Hybrid Analysis
Analysed 2 processes in total.
- SetupforOutlook.exe (PID: 3068)
  - msiexec.exe /i "%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\E-mail Follow-Up.msi" TRANSFORMS="%TEMP%\{D28A37D0-5332-48D5-A7EC-A93852DD26B9}\1033.MST" SETUPEXEDIR="C:" (PID: 2380)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
95.100.252.18 | 80/TCP | - | European Union
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 63716-490-00411BD7 |
2.0.0.0 | Domain/IP reference | 63716-490-00411BD7 |
2.9.0.0 | Domain/IP reference | 00013785-00003068-3417-488-0041A725 |
Extracted Files
Informative Selection 3
1033.MST
- Size: 40KiB (40960 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: E-mail Follow-Up, Subject: COM Add-In for Microsoft Outlook, Author: MAPILab Ltd., Keywords: mail, e-mail, email, follow-up, followup, remind, remind, appointment, Comments: Add-in is designed for automatization of follow-up's sending, Create Time/Date: Tue Feb 20 14:58:30 2018, Name of Creating Application: InstallShield 12 - Premier Edition 12.0, Security: 1, Template: Intel;0,1033,1031,1049, Last Saved By: Intel;1033, Revision Number: {F11C8541-6F65-41F6-B2B7-9A46F9B438B9}1.11.1.3;{F11C8541-6F65-41F6-B2B7-9A46F9B438B9}1.11.1.3;{F44A2AD0-D545-4588-A829-1452A1B00985}, Number of Pages: 200, Number of Characters: 1
- Runtime Process: msiexec.exe (PID: 2380)
- MD5: 8926abd298cd913750407bf3f449ca92
- SHA1: 8d0e44191baa8eb47c04b59cc0a8ccd70a5cd6f8
- SHA256: 5752abfea68d5958d2933e436847ece8551fc82d4382c710b76d7d6862d8dd43

E-mail Follow-Up.msi
- Size: 2.6MiB (2681856 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: DavidHacker, Number of Words: 0, Title: E-mail Follow-Up, Comments: Add-in is designed for automatization of follow-up's sending, Keywords: mail, e-mail, email, follow-up, followup, remind, remind, appointment, Subject: COM Add-In for Microsoft Outlook, Author: MAPILab Ltd., Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 12 - Premier Edition 12.0, Last Saved Time/Date: Tue Feb 20 14:58:30 2018, Create Time/Date: Tue Feb 20 14:58:30 2018, Last Printed: Tue Feb 20 14:58:30 2018, Revision Number: {373EE17A-2693-47AE-A192-B3CFEB38E33B}, Code page: 0, Template: Intel;0,1033,1031,1049
- Runtime Process: msiexec.exe (PID: 2380)
- MD5: f05419f26ca539852960954352e87205
- SHA1: ac241ded3dcd2f788c34088b12c6464a89998641
- SHA256: 6c0fc70f41ee61e817a5df48d8632b305d6af0fad29fed89b065b1a76474943d

~A1E6.tmp
- Size: 1.8KiB (1844 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: SetupforOutlook.exe (PID: 3068)
- MD5: e1339b90c5b5f60f5f349b7271e1b0f0
- SHA1: 92ccf151e44b1fd9360c20264d78607363d040d8
- SHA256: b244540eab28d9c1386b47d00337749663fb1c28ab5fc1d8ca06317831204699
Informative 5
0x0407.ini
- Size: 6.9KiB (7094 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: SetupforOutlook.exe (PID: 3068)
- MD5: e0f3a59244f15b878510e7da45805c90
- SHA1: a62c25b952d5af028308ea54e9875cb4d079c8ea
- SHA256: 97e039ed49f5b6773c7ef4161c3d2a0a67d71750fd94ded2bb93584aa50ced8e

0x0409.ini
- Size: 6KiB (6129 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: SetupforOutlook.exe (PID: 3068)
- MD5: 52d179ad79966752ec40a678fd8b0062
- SHA1: f12df9b03090286d1093b5421aea3acc358cc032
- SHA256: 57e020c41ad0566fb55415a40167a0c3da89584bc4e5f961d8e8c646f80c5590

0x0419.ini
- Size: 6.4KiB (6512 bytes)
- Type: text
- Description: ISO-8859 text, with CRLF line terminators
- Runtime Process: SetupforOutlook.exe (PID: 3068)
- MD5: 1e60ed4e8d5d8def3e390503bffd795f
- SHA1: 22e56e01ee092d472f91f73b094a686f0dff379c
- SHA256: 898a39250187d7fcdd75c6c16e9f2ea848f015108df0bdba9242b5278ced618a

Setup.INI
- Size: 1.8KiB (1844 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: SetupforOutlook.exe (PID: 3068)
- MD5: e1339b90c5b5f60f5f349b7271e1b0f0
- SHA1: 92ccf151e44b1fd9360c20264d78607363d040d8
- SHA256: b244540eab28d9c1386b47d00337749663fb1c28ab5fc1d8ca06317831204699

_ISMSIDEL.INI
- Size: 613B (613 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: SetupforOutlook.exe (PID: 3068)
- MD5: e378c0c759bc64906b19fd4aaa77d4c4
- SHA1: 5f68a98073c5597e45d3aa2131815f287f64fa62
- SHA256: 52a77f46dcd736e2db527fd87c3469713e4440f9ad92a11ab02f40f81e08db76
Notifications
Runtime
- Added comment to Virus Total report
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)