MSIB7EA[.]tmp | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

MSIB7EA.tmp
Size

297KB
MD5

7a86ce1a899262dd3c1df656bff3fb2c
SHA1

33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541
SHA256

b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c
SHA512

421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec
SSDEEP

3072:QVXg5hPj4piaA2eO4+ZHLsuR3roR2a2AEgCoP7PpR88GXOWvo2/IAVA2tneof5Qd:7Lj4wbYV3roIrRgCoeXOJAyE/kDYNbp8

Score

1^/10

Malware Config

Signatures

Files

MSIB7EA.tmp
.dll windows:5 windows x86 arch:x86

91a20c8f5e8c715c4b43ece74b65a803

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

10-11-2006 00:00

Not After

10-11-2031 00:00

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:b0:41:8d:a5:1e:14:8c:33:1b:bc:de:b7:13:83:23
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

27-04-2018 12:41

Not After

27-04-2028 12:41

Subject

CN=.NET Foundation Projects Code Signing CA,O=.NET Foundation,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0d:5e:f9:03:03:c2:28:03:77:df:e0:4d:74:e2:08:61
Certificate

Issuer

CN=.NET Foundation Projects Code Signing CA,O=.NET Foundation,C=US

Not Before

03-04-2019 00:00

Not After

07-04-2022 12:00

Subject

SERIALNUMBER=603 389 068,CN=WiX Toolset (.NET Foundation),O=WiX Toolset (.NET Foundation),L=Redmond,ST=wa,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

09:c0:fc:46:c8:04:42:13:b5:59:8b:af:28:4f:4e:41
Certificate

Issuer

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

04-01-2017 00:00

Not After

18-01-2028 00:00

Subject

CN=DigiCert SHA2 Timestamp Responder,O=DigiCert,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

07-01-2016 12:00

Not After

07-01-2031 12:00

Subject

CN=DigiCert SHA2 Assured ID Timestamping CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d6:53:35:b2:00:d9:69:51:41:95:10:b8:0d:34:d4:6d:a1:17:cd:58:0e:00:01:fe:c9:5a:0a:62:81:5c:cc:45
Signer

Actual PE Digest

d6:53:35:b2:00:d9:69:51:41:95:10:b8:0d:34:d4:6d:a1:17:cd:58:0e:00:01:fe:c9:5a:0a:62:81:5c:cc:45

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

C:\agent\_work\66\s\build\ship\x86\scasched.pdb

Imports

crypt32

CryptAcquireCertificatePrivateKey
PFXImportCertStore
CryptQueryObject
CertVerifyTimeValidity
CertGetCertificateContextProperty
CertFreeCertificateContext
CertFindCertificateInStore
CertEnumCertificatesInStore
CertCloseStore
CertOpenStore

msi

ord163
ord47
ord8
ord73
ord145
ord49
ord124
ord115
ord166
ord26
ord121
ord125
ord116
ord118
ord32
ord162
ord159
ord51
ord160
ord74
ord171
ord34
ord103
ord17
ord120
ord80
ord76

netapi32

NetApiBufferFree
NetUserGetGroups
NetApiBufferAllocate
DsGetDcNameW
NetUserGetLocalGroups
NetUserGetInfo
NetShareGetInfo

advapi32

RegOpenKeyExW
RegSetValueExW
RegQueryValueExW
RegQueryInfoKeyW
RegEnumValueW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
CryptAcquireContextW
GetSecurityDescriptorDacl
LookupAccountSidW
GetExplicitEntriesFromAclW
RegCloseKey
RegCreateKeyExW
CryptReleaseContext
CryptGetHashParam
CryptCreateHash
CryptHashData
CryptDestroyHash

oleaut32

SysFreeString
VariantInit
VariantClear
GetErrorInfo
VarCmp
SysAllocString

ole32

CoCreateInstance
CoUninitialize
CoInitialize

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW

kernel32

GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetStdHandle
GetCPInfo
GetOEMCP
IsValidCodePage
FindNextFileA
FindFirstFileExA
GetFileType
GetStdHandle
GetACP
GetConsoleCP
GetModuleHandleExW
ExitProcess
LoadLibraryExW
lstrcmpW
lstrlenW
CompareStringW
GetLastError
Sleep
GetVersionExA
LocalFree
MultiByteToWideChar
WideCharToMultiByte
LCMapStringW
GetCurrentProcessId
WriteFile
SetFilePointer
CloseHandle
GetModuleFileNameA
HeapAlloc
HeapReAlloc
HeapFree
HeapSize
GetProcessHeap
GetProcAddress
GlobalAlloc
GlobalFree
GetFileSizeEx
ReadFile
SetFilePointerEx
FindClose
GetTempPathW
CreateFileW
DeleteFileW
FreeLibrary
lstrcmpiW
GetModuleFileNameW
SetLastError
GlobalDeleteAtom
GlobalAddAtomW
GlobalFindAtomW
GetTickCount
FlushFileBuffers
GetWindowsDirectoryW
TlsFree
GetConsoleMode
DecodePointer
WriteConsoleW
GetCommandLineA
GetStringTypeW
TlsSetValue
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
RtlUnwind
RaiseException
InterlockedFlushSList
GetModuleHandleW
GetStartupInfoW
IsDebuggerPresent
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter

activeds

ord3

Exports

Exports

ConfigureEventManifestRegister
ConfigureEventManifestUnregister
ConfigureIIs
ConfigureIIs7Exec
ConfigureIIsExec
ConfigurePerfmonInstall
ConfigurePerfmonManifestRegister
ConfigurePerfmonManifestUnregister
ConfigurePerfmonUninstall
ConfigureSmbInstall
ConfigureSmbUninstall
ConfigureUsers
InstallCertificates
InstallPerfCounterData
InstallSqlData
UninstallCertificates
UninstallPerfCounterData
UninstallSqlData

Sections

.text
Size: 170KB - Virtual size: 169KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 105KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

91a20c8f5e8c715c4b43ece74b65a803

Code Sign

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77Certificate

Key Usages

07:b0:41:8d:a5:1e:14:8c:33:1b:bc:de:b7:13:83:23Certificate

Extended Key Usages

Key Usages

0d:5e:f9:03:03:c2:28:03:77:df:e0:4d:74:e2:08:61Certificate

Extended Key Usages

Key Usages

09:c0:fc:46:c8:04:42:13:b5:59:8b:af:28:4f:4e:41Certificate

Extended Key Usages

Key Usages

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15Certificate

Extended Key Usages

Key Usages

d6:53:35:b2:00:d9:69:51:41:95:10:b8:0d:34:d4:6d:a1:17:cd:58:0e:00:01:fe:c9:5a:0a:62:81:5c:cc:45Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

crypt32

msi

netapi32

advapi32

oleaut32

ole32

version

kernel32

activeds

Exports

Exports

Sections

.text Size: 170KB - Virtual size: 169KB

.rdata Size: 105KB - Virtual size: 104KB

.data Size: 2KB - Virtual size: 8KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 9KB - Virtual size: 9KB

02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
Certificate

07:b0:41:8d:a5:1e:14:8c:33:1b:bc:de:b7:13:83:23
Certificate

0d:5e:f9:03:03:c2:28:03:77:df:e0:4d:74:e2:08:61
Certificate

09:c0:fc:46:c8:04:42:13:b5:59:8b:af:28:4f:4e:41
Certificate

0a:a1:25:d6:d6:32:1b:7e:41:e4:05:da:36:97:c2:15
Certificate

d6:53:35:b2:00:d9:69:51:41:95:10:b8:0d:34:d4:6d:a1:17:cd:58:0e:00:01:fe:c9:5a:0a:62:81:5c:cc:45
Signer

.text
Size: 170KB - Virtual size: 169KB

.rdata
Size: 105KB - Virtual size: 104KB

.data
Size: 2KB - Virtual size: 8KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 9KB - Virtual size: 9KB