ID: 325595
Sample Name: charles-proxy-4.6.1-win64.msi
Cookbook: default.jbs
Time: 22:22:30
Date: 01/12/2020
Version: 31.0.0 Red Diamond

Table of Contents
Table of Contents (page 2)
Analysis Report charles-proxy-4.6.1-win64.msi (page 3)
Overview (page 3)
General Information (page 3)
Detection (page 3)
Signatures (page 3)
Classification (page 3)
Analysis Advice (page 3)
Startup (page 3)
Malware Configuration (page 3)
Yara Overview (page 3)
Sigma Overview (page 3)
Signature Overview (page 4)
Mitre Att&ck Matrix (page 4)
Behavior Graph (page 4)
Screenshots (page 5)
Thumbnails (page 5)
Antivirus, Machine Learning and Genetic Malware Detection (page 6)
Initial Sample (page 6)
Dropped Files (page 6)
Unpacked PE Files (page 6)
Domains (page 6)
URLs (page 6)
Domains and IPs (page 7)
Contacted Domains (page 7)
URLs from Memory and Binaries (page 7)
Contacted IPs (page 8)
General Information (page 8)
Simulations (page 9)
Behavior and APIs (page 9)
Joe Sandbox View / Context (page 9)
IPs (page 9)
Domains (page 9)
ASN (page 9)
JA3 Fingerprints (page 9)
Dropped Files (page 9)
Created / dropped Files (page 9)
Static File Info (page 10)
General (page 10)
File Icon (page 10)
Network Behavior (page 10)
Code Manipulations (page 10)
Statistics (page 10)
Behavior (page 11)
System Behavior (page 11)
Analysis Process: msiexec.exe PID: 3512 Parent PID: 5616 (page 11)
General (page 11)
File Activities (page 11)
Registry Activities (page 11)
Analysis Process: msiexec.exe PID: 5820 Parent PID: 3888 (page 11)
General (page 12)
Disassembly (page 12)
Code Analysis (page 12)
Copyright null 2020 Page 2 of 12

Analysis Report charles-proxy-4.6.1-win64.msi
Overview
General Information
Sample Name: charles-proxy-4.6.1-win64.msi
Analysis ID: 325595
MD5: a6b395dbe57830…
SHA1: 99fad0df0325d27…
SHA256: 60f0bb358eff3a7…
Most interesting Screenshot: (image, not included in this extraction)

Detection
Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures
• Checks for available system drives
• Drops PE files
• Monitors certain registry keys / values
• Queries the volume information (name…
• Sample file is different than original …
• Tries to load missing DLLs

Classification
(Radar chart rendered as an image. Scale labels: malicious, suspicious, clean. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.)
Analysis Advice
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
Startup
System is w10x64
• msiexec.exe (PID: 3512 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\charles-proxy-4.6.1-win64.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
• msiexec.exe (PID: 5820 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B88283CC1B72E244558E976259B40600 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
• cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• Spreading
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
There are no malicious signatures.
Mitre Att&ck Matrix
The matrix is listed here column by column; a trailing number is the report's own marker on a technique it observed for this sample.
Initial Access: Replication Through Removable Media 1; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Process Injection 1; DLL Side-Loading 1; Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Query Registry 1; Peripheral Device Discovery 1 1; File and Directory Discovery 1; System Information Discovery 1 3
Lateral Movement: Replication Through Removable Media 1; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph
(Graph rendered as an image; recoverable information follows.)
ID: 325595
Sample: charles-proxy-4.6.1-win64.msi
Startdate: 01/12/2020
Architecture: WINDOWS
Score: 2
Processes: msiexec.exe (started), msiexec.exe (started)
Dropped: C:\Users\user\AppData\Local\...\MSI9F13.tmp, PE32
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source: charles-proxy-4.6.1-win64.msi
• Virustotal: 0%
• Metadefender: 0%
• ReversingLabs: 0%
Dropped Files
Source: C:\Users\user\AppData\Local\Temp\MSI9F13.tmp
• Virustotal: 0%
• Metadefender: 0%
• ReversingLabs: 0%
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source (Detection, Scanner, Label):
• crl.sectigo.com/SectigoRSATimeStampingCA.crl0t (0%, URL Reputation, safe)
• crl.sectigo.com/SectigoRSACodeSigningCA.crl0s (0%, URL Reputation, safe)
• ocsp.sectigo.com0 (0%, URL Reputation, safe)
• crt.sectigo.com/SectigoRSACodeSigningCA.crt0# (0%, URL Reputation, safe)
• crt.sectigo.com/SectigoRSATimeStampingCA.crt0# (0%, URL Reputation, safe)
• https://sectigo.com/CPS0C (0%, URL Reputation, safe)
• https://sectigo.com/CPS0D (0%, URL Reputation, safe)
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name / Source / Malicious / Antivirus Detection / Reputation
• https://www.charlesproxy.com/0 / msiexec.exe, 00000000.00000002.280623586.0000019ED1820000.00000004.00000001.sdmp / false / (none) / high
• crl.sectigo.com/SectigoRSATimeStampingCA.crl0t / msiexec.exe, 00000000.00000002.279804308.0000019ECF2CC000.00000004.00000001.sdmp / false / URL Reputation: safe / unknown
• https://www.charlesproxy.com/ / msiexec.exe, 00000000.00000003.216255503.0000019ECF2C1000.00000004.00000001.sdmp; msiexec.exe, 00000000.00000002.280670035.0000019ED1968000.00000004.00000001.sdmp; msiexec.exe, 00000000.00000002.280623586.0000019ED1820000.00000004.00000001.sdmp / false / (none) / high
• https://www.charlesproxy.com/b / msiexec.exe, 00000000.00000003.279118917.0000019ED19C6000.00000004.00000001.sdmp / false / (none) / high
• crl.sectigo.com/SectigoRSACodeSigningCA.crl0s / msiexec.exe, 00000000.00000002.279804308.0000019ECF2CC000.00000004.00000001.sdmp / false / URL Reputation: safe / unknown
• ocsp.sectigo.com0 / msiexec.exe, 00000000.00000002.279804308.0000019ECF2CC000.00000004.00000001.sdmp / false / URL Reputation: safe / unknown
• crt.sectigo.com/SectigoRSACodeSigningCA.crt0# / msiexec.exe, 00000000.00000002.279804308.0000019ECF2CC000.00000004.00000001.sdmp / false / URL Reputation: safe / unknown
• https://www.charlesproxy.com/buy/ / charles-proxy-4.6.1-win64.msi / false / (none) / high
• crt.sectigo.com/SectigoRSATimeStampingCA.crt0# / msiexec.exe, 00000000.00000002.279804308.0000019ECF2CC000.00000004.00000001.sdmp / false / URL Reputation: safe / unknown
• https://sectigo.com/CPS0C / msiexec.exe, 00000000.00000002.279804308.0000019ECF2CC000.00000004.00000001.sdmp / false / URL Reputation: safe / unknown
• https://sectigo.com/CPS0D / msiexec.exe, 00000000.00000002.279804308.0000019ECF2CC000.00000004.00000001.sdmp / false / URL Reputation: safe / unknown
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 325595
Start date: 01.12.2020
Start time: 22:22:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 22s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: charles-proxy-4.6.1-win64.msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winMSI@2/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .msi
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
Match: C:\Users\user\AppData\Local\Temp\MSI9F13.tmp
Associated Sample Name / URL: WordConnectSetup-User(1.7.0).msi
SHA 256: (link only)
Detection: malicious
Context: (none)
Created / dropped Files
C:\Users\user\AppData\Local\Temp\MSI9F13.tmp
Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 107008
Entropy (8bit): 6.5209930454984955
Encrypted: false
SSDEEP: 1536:toaJaEnqCHTMMYrPlF6iztKyOuEG/n4R44NCUIsWK6cd48JpPpxBAAH:CaJvTKlkihKyOeGNbb48rPpxBAAH
MD5: F54BFFE4D54C0B794C5389BD2C7BAAC2
SHA1: C472C6A4BD6510B02244D53819EF07882BC101E0
SHA-256: 3C06F5BECA24D0EDAEB63BDD5E671386FFC66807E323BA6BCB893260EB52D433
SHA-512: A722D4770D605D489C14FDE532CACD031B11467041C5FF304C4C63A95EFC21896996CC6EEEF45BC462F7C72361763885F763ED732B75436E4BD191EEED829441
Malicious: false
Antivirus: Virustotal, Detection: 0%; Metadefender, Detection: 0%; ReversingLabs, Detection: 0%
Joe Sandbox View: Filename: WordConnectSetup-User(1.7.0).msi, Detection: malicious
Reputation: moderate, very likely benign file
Preview: (raw PE header bytes, omitted)
Static File Info
General
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Charles 4.6.1 Installer, Author: XK72 Ltd, Keywords: Installer, Comments: Copyright 2017 XK72 Ltd, Template: x64;1033, Revision Number: {7AD55CB4-3308-42F5-B6AB-23966795F2CF}, Create Time/Date: Sun Nov 15 01:03:24 2020, Last Saved Time/Date: Sun Nov 15 01:03:24 2020, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Entropy (8bit): 7.986506616947687
TrID: Microsoft Windows Installer (77509/1) 90.64%; Generic OLE2 / Multistream Compound File (8008/1) 9.36%
File name: charles-proxy-4.6.1-win64.msi
File size: 57865216
MD5: a6b395dbe57830ce1842a28c7d70cf13
SHA1: 99fad0df0325d279344a16c04c1177444477c22a
SHA256: 60f0bb358eff3a774cda0bd62a1720bfe9e4ef51b848e77b4db41aee9d160912
SHA512: b3fc805e22dd40ae519ce0c3cc584f3f9e4a1c49a1af792e4c8f2bcf8b748e92d5c7c4de4b2b67266e949d848d22cf7ab54fb8a732c10f71b605bf1cd9e0f90b
SSDEEP: 1572864:7/EOgu0QtnsKyoBO+5r7ohvHMfAcLaAWgULIirEy/4:7/EOgu0YG0zHoxHM4jcUES4
File Content Preview: (raw bytes, omitted)
File Icon
Icon Hash: a2a0b496b2caca72
Network Behavior
No network behavior found
Code Manipulations
Statistics

Behavior
• msiexec.exe
• msiexec.exe
System Behavior
Analysis Process: msiexec.exe PID: 3512 Parent PID: 5616
General
Start time: 22:23:24
Start date: 01/12/2020
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\charles-proxy-4.6.1-win64.msi'
Imagebase: 0x7ff6d9310000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Source File Path Completion Count Address Symbol
Source File Path Offset Length Value Ascii Completion Count Address Symbol
Source File Path Offset Length Completion Count Address Symbol
Registry Activities
Source Key Path Name Type Old Data New Data Completion Count Address Symbol
Analysis Process: msiexec.exe PID: 5820 Parent PID: 3888
General
Start time: 22:23:40
Start date: 01/12/2020
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding B88283CC1B72E244558E976259B40600 C
Imagebase: 0x1090000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Disassembly
Code Analysis