In this post, we will analyze and reverse-engineer a sample called Rozena.

We downloaded the sample from Malware Bazaar.

The sample is an MSI file masquerading as a Chrome Installer.

msi file initial

Let us calculate the hash of the sample using a hashing tool.

msi file hash

We can use VirusTotal to get the initial insight.

The sample has been flagged by 9 engines.

msi file vt

Since the sample is an MSI file, we can use 7-Zip to inspect its contents.

The MSI file contains the following.

msi file content

Let us extract this content in a folder.

msi file content extracted

We now have 3 PE files along with one file of unknown format. Let us hash all of them in the hope of getting some intel from VirusTotal.

The ChromeSetup_1_.exe seems legitimate.

chrome hash

chrome vt

The next file is also reported as clean, but an important thing to note is that it is actually a .7z archive.

archive hash

archive vt

To verify this further, we use DIE (Detect It Easy).

archive die

Let us change the extension of the file to .7z. The archive is password protected, so we need to investigate further.

archive password protected

The next file is 7zr.exe, the 7-Zip console extractor, which is most likely used to extract the previous file.

7zr hash

7zr vt

The last file has also been reported as clean by VirusTotal.

uninstall hash

uninstall vt

DIE identifies the file as a Nullsoft Scriptable Install System (NSIS) installer, but since no antivirus engine flagged it as malicious we can skip it for now.

uninstall die

In the current scenario, out of the 4 files, 2 are legitimate while the other two, that is the .7z archive and 7zr.exe, can be held for further investigation.
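The hashing and file-type checks above can be scripted for the whole extraction folder. The following is an added example, not part of the original post: it hashes each file, classifies it from its leading bytes (PE, 7z, OLE/MSI) and flags files whose extension contradicts their content, which is exactly how the archive hidden under a foreign extension stood out. The directory it builds contains constructed stand-in files; the name payload.dat is a placeholder, as the post does not give the archive's original file name.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading-byte signatures for the container types met in this sample: PE images
# (the "MZ" DOS stub), 7-Zip archives and OLE compound files (the MSI itself).
MAGIC = {
    "PE": b"MZ",
    "7z": b"7z\xbc\xaf\x27\x1c",
    "MSI/OLE": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
}
# Extensions each type normally carries; anything else is flagged for a closer look.
EXPECTED_EXT = {"PE": {".exe", ".dll"}, "7z": {".7z"}, "MSI/OLE": {".msi"}}


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def triage_file(path) -> dict:
    """SHA-256 one file and report whether its extension contradicts the magic bytes."""
    p = Path(path)
    data = p.read_bytes()
    kind = detect_type(data)
    mismatch = kind != "unknown" and p.suffix.lower() not in EXPECTED_EXT[kind]
    return {"sha256": hashlib.sha256(data).hexdigest(), "type": kind, "ext_mismatch": mismatch}


def triage_dir(directory) -> dict:
    """Triage every regular file directly under a directory, keyed by file name."""
    return {p.name: triage_file(p) for p in sorted(Path(directory).iterdir()) if p.is_file()}


def build_sample_dir() -> str:
    """Write constructed stand-ins for the extracted MSI content into a temp directory.
    Only the signatures are real; the bodies are filler, not the sample's bytes."""
    d = Path(tempfile.mkdtemp(prefix="msi_triage_"))
    (d / "ChromeSetup_1_.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (d / "7zr.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (d / "payload.dat").write_bytes(MAGIC["7z"] + b"\x00" * 26)  # archive under a bogus extension
    (d / "uninstall.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return str(d)


if __name__ == "__main__":
    for name, info in triage_dir(build_sample_dir()).items():
        flag = "  <-- extension does not match content" if info["ext_mismatch"] else ""
        print(f"{info['sha256'][:16]}...  {info['type']:8} {name}{flag}")
```

Point triage_dir at the real extraction folder to get the same table for the actual files; the SHA-256 values can then be looked up on VirusTotal as done above.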

When we check the file properties, it is named Improve Defender silent installer. We can make use of this information during dynamic analysis.

msi properties

Instead of 7-Zip, we can perform an administrative install with the following command to extract the content of the MSI file along with its build instructions and any other binary data.

msiexec /a rozena.msi /qb TARGETDIR=c:\temp\test

extract build data from msi

After extraction, the binary data reveals the path to which the content of the MSI file will be extracted, as well as the password used to decrypt the .7z archive.

binary main password

Looking further into the file, we can see a command line that extracts the archive's content using the mentioned password.

binary main extraction

We can use this password to verify the content of the encrypted archive. The archive holds 3 files; let us extract them into a folder.

archive content

The first file extracted is the Windows Service Wrapper, while the second PE file appears to be the Rozena Trojan. We can search the hash of the file on VirusTotal.

rozena vt

The binary data also contains a function that adds the MSI extraction path to the Microsoft Defender exclusion list, which is used for AV evasion.

binary main exclusion

Let us start with dynamic analysis.

We use Procmon to capture the activity performed after execution.

procmon improve

We can see the PE files that were in the encrypted archive performing various actions.

procmon capture

We can get the process tree using Process Explorer; it shows that the Windows Service Wrapper spawned the Trojan as a child process.

process explorer tree

Let us verify the extraction of the MSI file in the program files path.

msi folder content

This confirms that ChromeSetup_1_.exe and uninstall.exe, which were already present in the MSI file, were dropped here. 7zr.exe and the archive were deleted, but the archive's contents remain alongside them.

IOCs

  1. Hashes
     94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43
     c7101b019dc7625c4036420b8c9f90ad4c6e7e57d847b1c60c6270cc67cf8aca
     ca4003d03ebc1265e961fc2463df76bcd58c93a1be12f62ed58af4e0930df7ae
     e2dde008486ee007b634bb8012ae1fc11f79ee4a2ce6e4d5337074cfb2582e73
    

We meet next time, dissecting another sample or coming up with an evasion technique. Until then, bye bye.