Analyzing a malicious .MSI file

ptwistedworld
3 min read · May 31, 2024


Hi, the sample analyzed here is from MalwareBazaar: https://bazaar.abuse.ch/sample/35857d1db3f83fe2c0ee0a3502276e7352beaa242d9a31573e639bf175379c81/

An MSI package is an OLE compound file, so I used oledump.py with its plugin_msi_info plugin to list the data streams and other interesting information about the package.

oledump.py -p plugin_msi_info malware.msi

Let’s take a look at stream 2 since it’s unusually large.

oledump.py -s 2 malware.msi > s2.txt

I opened the output in a text editor; the stream begins with an MZ header, indicating that it contains a PE file. The next step is to extract that PE file so it can be investigated on its own (the -d option writes the raw stream bytes instead of the hex/ASCII view):

oledump.py -s 2 -d malware.msi > pe.exe

The extracted file's version information lists OriginalFileName: stub.exe
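Redirecting the dumped stream straight to pe.exe works when the stream is exactly the executable. As an added example (my code, not from the post), here is a small Python carver for the case where the stream holds more than that, for instance bytes before the MZ header or data after the last section. It validates each MZ candidate by following e_lfanew to the PE signature, then sizes the image from the section table and from the Authenticode certificate table, so a signed binary is carved whole. The stream it builds when run without arguments is constructed test data; the file name stream.bin is my assumption.

```python
"""Carve an embedded PE out of a raw MSI stream dump.

Added example (not from the original post). Assumes the stream has
already been written to disk with `oledump.py -s 2 -d malware.msi > stream.bin`.
It locates every MZ header whose e_lfanew really lands on a "PE\\0\\0"
signature (a bare "MZ" string is not enough), then sizes the image from
the section table and the Authenticode certificate table so a signed
binary is carved whole rather than cut at the last section.
"""
import struct
import sys


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("<H", b, off)[0]


def _u32(b: bytes, off: int) -> int:
    return struct.unpack_from("<I", b, off)[0]


def find_pe_offsets(blob: bytes) -> list:
    """Offsets of all MZ headers whose e_lfanew points at a valid PE signature."""
    found = []
    pos = blob.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(blob):
            e_lfanew = _u32(blob, pos + 0x3C)          # DOS header field at +0x3C
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and blob[sig:sig + 4] == b"PE\0\0":
                found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def pe_extent(blob: bytes, base: int) -> int:
    """On-disk size of the PE image that starts at `base`.

    end = max(end of section table, end of every raw section, end of the
    security directory). The security directory's 'VirtualAddress' is a
    file offset, which is why a signed PE extends past its last section.
    """
    sig = base + _u32(blob, base + 0x3C)
    coff = sig + 4
    nsections = _u16(blob, coff + 2)
    opt_size = _u16(blob, coff + 16)
    opt = coff + 20
    magic = _u16(blob, opt)
    if magic == 0x10B:                                  # PE32
        dd_off = opt + 96
    elif magic == 0x20B:                                # PE32+
        dd_off = opt + 112
    else:
        raise ValueError("not a PE32/PE32+ optional header: 0x%x" % magic)
    sec_table = opt + opt_size
    end = sec_table + nsections * 40 - base             # at least past the section table
    for i in range(nsections):
        raw_size = _u32(blob, sec_table + i * 40 + 16)  # SizeOfRawData
        raw_ptr = _u32(blob, sec_table + i * 40 + 20)   # PointerToRawData
        end = max(end, raw_ptr + raw_size)
    if opt_size >= (dd_off - opt) + 5 * 8:              # does the header hold directory 4?
        cert_off = _u32(blob, dd_off + 4 * 8)           # IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_size = _u32(blob, dd_off + 4 * 8 + 4)
        if cert_off and cert_size:
            end = max(end, cert_off + cert_size)
    return min(end, len(blob) - base)


def carve_pe(blob: bytes, base: int) -> bytes:
    return blob[base:base + pe_extent(blob, base)]


def build_sample_stream() -> bytes:
    """Constructed test input (not real malware): a decoy 'MZ' with
    e_lfanew=0, then a tiny synthetic PE32 with one section and a
    16-byte fake certificate table, then trailing junk."""
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94        # Magic + zeroed standard/NT fields
    dirs = [(0, 0)] * 16
    dirs[4] = (0x220, 0x10)                              # security directory: file offset, size
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x10, 0x1000, 0x20, 0x200, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    headers = dos + b"PE\0\0" + coff + opt + section
    pe = headers.ljust(0x200, b"\x00") + b"\xCC" * 0x20 + b"\x30\x82" + b"\x00" * 14
    decoy = b"MZ" + b"\x00" * 0x3E
    return decoy + pe + b"\xAA" * 0x30


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_stream()
    for off in find_pe_offsets(data):
        image = carve_pe(data, off)
        machine = _u16(image, _u32(image, 0x3C) + 4)
        print("PE at 0x%x, %d bytes, machine 0x%x" % (off, len(image), machine))
```

Run as `python carve_pe.py stream.bin` against a real dump; without an argument it runs on the constructed sample. Sizing from the certificate table matters here because the stub is Authenticode-signed: a carver that stops at the last section would drop the signature and change the file hash you submit to VirusTotal.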

The PE metadata shows that this executable is compiled with C/C++ and even carries a Windows Authenticode digital signature. A signature does not make a file benign; it only ties the binary to whoever held the signing key. I checked the hash on VirusTotal: it had already been uploaded 6 months earlier and had 11 detections as of writing.

https://www.virustotal.com/gui/file/8d8b98411a960cd4e60c3cc2dec3260268fb65973aab7d6129265f5f69bb11df/detection

I used Mandiant's capa to get a glimpse of its capabilities; they include reading files, creating processes, and more. I saw this in action when I detonated the malware with ProcMon and Process Hacker running: it immediately launches ps1D80.tmp.ps1, a script dropped in the Temp folder, then creates the folder \AppData\Roaming\BackupTool, drops a second script, BackupScript.ps1, there, and registers a scheduled task that keeps running it indefinitely.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden  -ExecutionPolicy Bypass -file "C:\Users\ADMINI~1\AppData\Local\Temp\ps1D80.tmp.ps1"
"C:\Windows\system32\schtasks.exe" /create /tn BackupJob /tr "powershell.exe -File "C:\Users\Administrator\AppData\Roaming\BackupTool\BackupScript.ps1"" /sc minute /mo 0 /ru SYSTEM
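The two command lines above are what a detection engineer would key on. As an added example (my code, not from the post), here is that matching logic run over a handful of constructed process-creation log lines: lines 1 and 2 are the two command lines quoted above, lines 3 and 4 are benign ones for contrast. It flags a hidden-window, ExecutionPolicy Bypass PowerShell launch of a script from the user's Temp folder, and a schtasks /create whose action runs a PowerShell script from AppData\Roaming as SYSTEM on a minute schedule. The log format and the reason strings are my assumptions.

```python
"""Flag the launch and persistence command lines seen in the MSI detonation.

Added example (not from the original post). The log lines are constructed
process-creation records: lines 1 and 2 are the command lines reported in
the post, 3 and 4 are benign ones for contrast. Patterns are case-insensitive
because Windows command-line switches are.
"""
import re

RX_POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
RX_HIDDEN     = re.compile(r"-(?:windowstyle|w)\s+hidden\b", re.I)
RX_BYPASS     = re.compile(r"-(?:executionpolicy|ep|ex)\s+bypass\b", re.I)
RX_SCRIPT     = re.compile(r'-f(?:ile)?\s+"?([^"\r\n]*?\.ps1)', re.I)   # path given to -File/-f
RX_TEMP_PATH  = re.compile(r"\\appdata\\local\\temp\\", re.I)
RX_ROAMING    = re.compile(r"\\appdata\\roaming\\", re.I)
RX_SCHTASKS   = re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\b', re.I)
RX_RUN_SYSTEM = re.compile(r'/ru\s+"?(?:nt authority\\)?system\b', re.I)
RX_EVERY_MIN  = re.compile(r"/sc\s+minute\b", re.I)


def classify(cmdline: str) -> list:
    """Return human-readable reasons a command line is suspicious (empty list = clean)."""
    reasons = []
    m = RX_SCRIPT.search(cmdline)
    script = m.group(1) if m else ""
    if RX_POWERSHELL.search(cmdline):
        if RX_HIDDEN.search(cmdline) and RX_BYPASS.search(cmdline):
            reasons.append("powershell with hidden window and ExecutionPolicy Bypass")
        if script and RX_TEMP_PATH.search(script):
            reasons.append("powershell script run from user Temp: " + script)
    if RX_SCHTASKS.search(cmdline):
        if RX_RUN_SYSTEM.search(cmdline) and RX_POWERSHELL.search(cmdline):
            reasons.append("scheduled task runs powershell as SYSTEM")
        if script and RX_ROAMING.search(script):
            reasons.append("task action is a script under AppData\\Roaming: " + script)
        if RX_EVERY_MIN.search(cmdline):
            reasons.append("task repeats on a minute schedule")
    return reasons


def scan(lines) -> list:
    """Apply classify() to each log line; return [(line_number, reasons)] for hits only."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed log: one process command line per record.
SAMPLE_LOG = [
    # 1: first-stage script launch (command line as reported in the post)
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden  -ExecutionPolicy Bypass -file "C:\Users\ADMINI~1\AppData\Local\Temp\ps1D80.tmp.ps1"',
    # 2: persistence task (command line as reported in the post)
    r'"C:\Windows\system32\schtasks.exe" /create /tn BackupJob /tr "powershell.exe -File "C:\Users\Administrator\AppData\Roaming\BackupTool\BackupScript.ps1"" /sc minute /mo 0 /ru SYSTEM',
    # 3: benign admin activity (constructed)
    r'powershell.exe -NoProfile -Command Get-Service -Name Spooler',
    # 4: benign daily task under the calling user (constructed)
    r'"C:\Windows\system32\schtasks.exe" /create /tn NightlyReport /tr "C:\Tools\report.exe" /sc daily /st 02:00',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print("line %d:" % n)
        for r in reasons:
            print("  - " + r)
```

The nested quotes in the schtasks line are why the script path is pulled with a regex rather than a shell-style tokenizer: Windows command lines are not POSIX-quoted, and a splitter that honours quotes would lose the inner path. In a real pipeline these reasons would feed a score or a Sigma-style rule; the point here is that both the launch and the persistence step leave a recognisable command line.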

Meanwhile, a window named BackupJobSchedulerGUI is opened.

As expected, it doesn't perform any useful function; it only triggers the creation of the scheduled task and a few other actions. Its code, extracted with oledump.py and cleaned up in a text editor, confirms this.

Other actions executed by the script and the executable:

  • Queries environment variables
  • Gets the date and time
  • Reads and sets values under several keys in the SYSTEM and SOFTWARE registry hives
  • File and directory discovery
  • Checks for storage and mounted drives
  • Identifies the computer name, and more…

It's not really clear what the end goal is after collecting all of this information, as I did not see any external connection to an IP or domain that would indicate exfiltration. That only covers what ran during this detonation; since the BackupScript.ps1 task keeps executing, network activity could still appear later or under conditions the sandbox did not meet.

IOCs:

MSI (SHA-256): 35857d1db3f83fe2c0ee0a3502276e7352beaa242d9a31573e639bf175379c81

Embedded stub.exe (SHA-256): 8d8b98411a960cd4e60c3cc2dec3260268fb65973aab7d6129265f5f69bb11df
