Automated Malware Analysis Report for Charles-Proxy-4.6.1-Win64.Msi

ID: 325595 Sample Name: charles-proxy- 4.6.1-win64.msi Cookbook: default.jbs Time: 22:22:30 Date: 01/12/2020 Version: 31.0.0 Red Diamond Table of Contents

Table of Contents 2 Analysis Report charles-proxy-4.6.1-win64.msi 3 Overview 3 General Information 3 Detection 3 Signatures 3 Classification 3 Analysis Advice 3 Startup 3 Malware Configuration 3 Yara Overview 3 Sigma Overview 3 Signature Overview 4 Mitre Att&ck Matrix 4 Behavior Graph 4 Screenshots 5 Thumbnails 5 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Domains and IPs 7 Contacted Domains 7 URLs from Memory and Binaries 7 Contacted IPs 8 General Information 8 Simulations 9 Behavior and APIs 9 Joe Sandbox View / Context 9 IPs 9 Domains 9 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Created / dropped Files 9 Static File Info 10 General 10 File Icon 10 Network Behavior 10 Code Manipulations 10 Statistics 10 Behavior 11 System Behavior 11 Analysis Process: msiexec.exe PID: 3512 Parent PID: 5616 11 General 11 File Activities 11 Registry Activities 11 Analysis Process: msiexec.exe PID: 5820 Parent PID: 3888 11 General 12 Disassembly 12 Code Analysis 12

Overview

General Information Detection Signatures Classification

Sample charles-proxy-4.6.1- Name: win64.msi CChheecckkss fffoorrr aavvaaiiilllaabblllee ssyyssttteem ddrrriiivveess …

Analysis ID: 325595 DCDrrhrooeppcssk sPP EfEo rfffi iillaleevssailable system drives MD5: a6b395dbe57830… MDrooonnpiiittstoo rPrrssE cc efeilrrretttasaiiinn rrreeggiiisstttrrryy kkeeyyss /// vvaallluu…

SHA1: 99fad0df0325d27… Ransomware QMuouenerriritiieoesrss tt thchee r vtvaooillnluu mreeeg iiisnntfffrooyrrr mkeaaytttisiioo n/n v (((annlauam… Miner Spreading SHA256: 60f0bb358eff3a7… SQSaaumerppiellees fftiihlleee i isvs o ddliuifffmfeereree ninttf otthhramanna otoiorriingg iin(nnaaall m SSaampplllee fffiiilllee iiiss ddiiiffffffeerrreennttt ttthhaann oorrriiiggiiinnaalll … mmaallliiiccciiioouusss Most interesting Screenshot: malicious Evader Phishing

sssuusssppiiiccciiioouusss TSTrrariiiemessp tttloeo llflooilaead di s m diiisisfsfseiiinrneggn DDt LtLhLLassn original suspicious

cccllleeaann

clean Tries to load missing DLLs

Exploiter Banker

Spyware Trojan / Bot

Adware

Score: 2 Range: 0 - 100 Whitelisted: false Confidence: 60%

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Startup

System is w10x64 msiexec.exe (PID: 3512 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\charles-proxy-4.6.1-win64.msi' MD5: 4767B71A318E201188A0D0A420C8B608) msiexec.exe (PID: 5820 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B88283CC1B72E244558E976259B40600 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2) cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

• Spreading • Networking • System Summary • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Language, Device and Operating System Detection

Click to jump to signature section

There are no malicious signatures, click here to show all signatures .

Mitre Att&ck Matrix

Remote Initial Privilege Defense Credential Lateral Command Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Impact Replication Windows DLL Side- Process Process OS Query Replication Data from Exfiltration Data Eavesdrop on Remotely Modify Through Management Loading 1 Injection 1 Injection 1 Credential Registry 1 Through Local Over Other Obfuscation Insecure Track Device System Removable Instrumentation Dumping Removable System Network Network Without Partition Media 1 Media 1 Medium Communication Authorization Default Scheduled Boot or DLL Side- DLL Side- LSASS Peripheral Remote Data from Exfiltration Junk Data Exploit SS7 to Remotely Device Accounts Task/Job Logon Loading 1 Loading 1 Memory Device Desktop Removable Over Redirect Phone Wipe Data Lockout Initialization Discovery 1 1 Protocol Media Bluetooth Calls/SMS Without Scripts Authorization Domain At (Linux) Logon Script Logon Obfuscated Security File and SMB/Windows Data from Automated Steganography Exploit SS7 to Obtain Delete Accounts (Windows) Script Files or Account Directory Admin Shares Network Exfiltration Track Device Device Device (Windows) Information Manager Discovery 1 Shared Location Cloud Data Drive Backups Local At (Windows) Logon Script Logon Binary NTDS System Distributed Input Scheduled Protocol SIM Card Carrier Accounts (Mac) Script Padding Information Component Capture Transfer Impersonation Swap Billing (Mac) Discovery 1 3 Object Model Fraud

Behavior Graph

Copyright null 2020 Page 4 of 12 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Behavior Graph Is Windows Process ID: 325595 Number of created Registry Values Sample: charles-proxy-4.6.1-win64.msi Startdate: 01/12/2020 Number of created Files Architecture: WINDOWS Visual Basic

Score: 2 Delphi

Java started started .Net C# or VB.NET

C, C++ or other language msiexec.exe msiexec.exe Is malicious

Internet

dropped

C:\Users\user\AppData\Local\...\MSI9F13.tmp, PE32

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Initial Sample

Source Detection Scanner Label Link charles-proxy-4.6.1-win64.msi 0% Virustotal Browse charles-proxy-4.6.1-win64.msi 0% Metadefender Browse charles-proxy-4.6.1-win64.msi 0% ReversingLabs

Dropped Files

Source Detection Scanner Label Link C:\Users\user\AppData\Local\Temp\MSI9F13.tmp 0% Virustotal Browse C:\Users\user\AppData\Local\Temp\MSI9F13.tmp 0% Metadefender Browse C:\Users\user\AppData\Local\Temp\MSI9F13.tmp 0% ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Copyright null 2020 Page 6 of 12 Source Detection Scanner Label Link crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe ocsp.sectigo.com0 0% URL Reputation safe ocsp.sectigo.com0 0% URL Reputation safe ocsp.sectigo.com0 0% URL Reputation safe ocsp.sectigo.com0 0% URL Reputation safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe https://sectigo.com/CPS0C 0% URL Reputation safe https://sectigo.com/CPS0C 0% URL Reputation safe https://sectigo.com/CPS0C 0% URL Reputation safe https://sectigo.com/CPS0C 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name Source Malicious Antivirus Detection Reputation https://www.charlesproxy.com/0 msiexec.exe, 00000000.00000002 false high .280623586.0000019ED1820000.00 000004.00000001.sdmp crl.sectigo.com/SectigoRSATimeStampingCA.crl0t msiexec.exe, 00000000.00000002 false URL Reputation: safe unknown .279804308.0000019ECF2CC000.00 URL Reputation: safe 000004.00000001.sdmp URL Reputation: safe URL Reputation: safe https://www.charlesproxy.com/ msiexec.exe, 00000000.00000003 false high .216255503.0000019ECF2C1000.00 000004.00000001.sdmp, msiexec.exe, 00000000.00000002.2806700 35.0000019ED1968000.00000004.0 0000001.sdmp, msiexec.exe, 000 00000.00000002.280623586.00000 19ED1820000.00000004.00000001. sdmp https://www.charlesproxy.com/b msiexec.exe, 00000000.00000003 false high .279118917.0000019ED19C6000.00 000004.00000001.sdmp crl.sectigo.com/SectigoRSACodeSigningCA.crl0s msiexec.exe, 00000000.00000002 false URL Reputation: safe unknown .279804308.0000019ECF2CC000.00 URL Reputation: safe 000004.00000001.sdmp URL Reputation: safe URL Reputation: safe

ocsp.sectigo.com0 msiexec.exe, 00000000.00000002 false URL Reputation: safe unknown .279804308.0000019ECF2CC000.00 URL Reputation: safe 000004.00000001.sdmp URL Reputation: safe URL Reputation: safe

Copyright null 2020 Page 7 of 12 Name Source Malicious Antivirus Detection Reputation crt.sectigo.com/SectigoRSACodeSigningCA.crt0# msiexec.exe, 00000000.00000002 false URL Reputation: safe unknown .279804308.0000019ECF2CC000.00 URL Reputation: safe 000004.00000001.sdmp URL Reputation: safe URL Reputation: safe https://www.charlesproxy.com/buy/ charles-proxy-4.6.1-win64.msi false high crt.sectigo.com/SectigoRSATimeStampingCA.crt0# msiexec.exe, 00000000.00000002 false URL Reputation: safe unknown .279804308.0000019ECF2CC000.00 URL Reputation: safe 000004.00000001.sdmp URL Reputation: safe URL Reputation: safe https://sectigo.com/CPS0C msiexec.exe, 00000000.00000002 false URL Reputation: safe unknown .279804308.0000019ECF2CC000.00 URL Reputation: safe 000004.00000001.sdmp URL Reputation: safe URL Reputation: safe https://sectigo.com/CPS0D msiexec.exe, 00000000.00000002 false URL Reputation: safe unknown .279804308.0000019ECF2CC000.00 URL Reputation: safe 000004.00000001.sdmp URL Reputation: safe URL Reputation: safe

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond Analysis ID: 325595 Start date: 01.12.2020 Start time: 22:22:30 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 5m 22s Hypervisor based Inspection enabled: false Report type: light Sample file name: charles-proxy-4.6.1-win64.msi Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 Number of analysed new started processes analysed: 26 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis Mode: default Analysis stop reason: Timeout Detection: CLEAN Classification: clean2.winMSI@2/1@0/0 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .msi

Copyright null 2020 Page 8 of 12 Warnings: Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match Associated Sample Name / URL SHA 256 Detection Link Context C:\Users\user\AppData\Local\Temp\MSI WordConnectSetup-User(1.7.0).msi Get hash malicious Browse 9F13.tmp

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSI9F13.tmp

Process: C:\Windows\System32\msiexec.exe File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows Category: dropped Size (bytes): 107008 Entropy (8bit): 6.5209930454984955 Encrypted: false SSDEEP: 1536:toaJaEnqCHTMMYrPlF6iztKyOuEG/n4R44NCUIsWK6cd48JpPpxBAAH:CaJvTKlkihKyOeGNbb48rPpxBAAH MD5: F54BFFE4D54C0B794C5389BD2C7BAAC2 SHA1: C472C6A4BD6510B02244D53819EF07882BC101E0 SHA-256: 3C06F5BECA24D0EDAEB63BDD5E671386FFC66807E323BA6BCB893260EB52D433 SHA-512: A722D4770D605D489C14FDE532CACD031B11467041C5FF304C4C63A95EFC21896996CC6EEEF45BC462F7C72361763885F763ED732B75436E4BD191EEED829441

Malicious: false Antivirus: Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0% Joe Sandbox Filename: WordConnectSetup-User(1.7.0).msi, Detection: malicious, Browse View: Reputation: moderate, very likely benign file Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... >8.._V.._V.._V.I..._V.I..._V.I..._V.n?U.._V.n?R.._V.n?S.._V.. '.._V.._W.8_V.D>S.._V.D>V.._V.D>..._V.._..._V.D>T.._V.Rich._V...... PE..L....G.Y...... !...... 5...... @...... \...|...... x...... T...... 8...@...... (...... text...[...... `.rdata...t...... v...... @[email protected]"...... @....rsr c...x...... @[email protected]...... @..B......

Static File Info

General File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Charles 4.6 .1 Installer, Author: XK72 Ltd, Keywords: Installer, Comments: Copyright 2017 XK72 Ltd, Template: x6 4;1033, Revision Number: {7AD55CB4-3308-42F5- B6AB-23966795F2CF}, Create Time/Date: Sun Nov 15 01:03:24 2020, Last Saved Time/Date: Sun Nov 15 01:03:24 2020, Number of Pages: 200, Number of W ords: 2, Name of Creating Application: Windows Ins taller XML Toolset (3.11.0.1701), Security: 2 Entropy (8bit): 7.986506616947687 TrID: Microsoft Windows Installer (77509/1) 90.64% Generic OLE2 / Multistream Compound File (8008/1) 9.36% File name: charles-proxy-4.6.1-win64.msi File size: 57865216 MD5: a6b395dbe57830ce1842a28c7d70cf13 SHA1: 99fad0df0325d279344a16c04c1177444477c22a SHA256: 60f0bb358eff3a774cda0bd62a1720bfe9e4ef51b848e77b 4db41aee9d160912 SHA512: b3fc805e22dd40ae519ce0c3cc584f3f9e4a1c49a1af792 e4c8f2bcf8b748e92d5c7c4de4b2b67266e949d848d22cf 7ab54fb8a732c10f71b605bf1cd9e0f90b SSDEEP: 1572864:7/EOgu0QtnsKyoBO+5r7ohvHMfAcLaAWgULI irEy/4:7/EOgu0YG0zHoxHM4jcUES4 File Content Preview: ...... >...... s...... r...... !..."...#...$...%...&...'...(...)...*...+..

File Icon

Icon Hash: a2a0b496b2caca72

Network Behavior

No network behavior found

Code Manipulations

• msiexec.exe • msiexec.exe

Click to jump to process

System Behavior

Analysis Process: msiexec.exe PID: 3512 Parent PID: 5616

General

Start time: 22:23:24 Start date: 01/12/2020 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\charles-proxy-4.6.1-win64.msi' Imagebase: 0x7ff6d9310000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: msiexec.exe PID: 5820 Parent PID: 3888

Start time: 22:23:40 Start date: 01/12/2020 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding B88283CC1B72E244558E976259B40600 C Imagebase: 0x1090000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

Disassembly

Code Analysis