Installer.exe

  • File Path: C:\Program Files\Amazon\XenTools\Installer.exe
  • Description: Installer

Screenshot

Installer.exe Installer.exe

Hashes

Type Hash
MD5 A2482151B8383952231F9A08E18D5991
SHA1 82177C46189AD3A2DE0E982E1A8C93FFDF275AE7
SHA256 491DAEC01109E949162A2B97C550060F2C03C86C3F8B9ACDB8018FFC0B005A3E
SHA384 160B6FAD92EEE5151C06D3DAF53B15D517CB106D2FFC922BC25C78BCD8AC6E6D275B836CFD6836D8C449D2FF9581BE54
SHA512 EBA82F8A81F4A403EA845FFE9224B7FAB753EBD2067A4775B3BF3199290C5606B0268A211ED2606753B30CACAF21029B18270EF46BDA1F98757A96E667F8CFFB
SSDEEP 768:Rw3mF9n9Ahyqwr/txj3EXXtVtHmIssDUjpYClRZwWg8npULX+bTwvAuu4VtIfUpx:Rw3iqsWPtHma2YCzZz+c6Yp0PBUfGT
IMP F34D5F2D4577ED6D9CEEC516C1F5A744
PESHA1 5A3465F0073B39997CFA96BA6280223DA08FD471
PE256 8F8EACC9BA4B93643840F73DBA575CA73219ADFD91B475506FD03180F568D109

Runtime Data

Usage (stdout):

2020-10-19 23:02:26,307 [1] ERROR - Installing Drivers (8.3.4) failed.
2020-10-19 23:02:26,924 [1] INFO  - UninstallServiceIfExist: AWSPVDriverSchedulerService
2020-10-19 23:02:27,045 [1] INFO  - UninstallServiceIfExist: Service is already uninstalled, do nothing: AWSPVDriverSchedulerService
2020-10-19 23:02:27,374 [1] INFO  - Deleted directory: C:\Program Files\Amazon\XenTools\.Drivers
2020-10-19 23:02:27,374 [1] INFO  - Deleted - C:\Program Files\Amazon\XenTools\.Drivers
2020-10-19 23:02:27,496 [1] INFO  - Deleted directory: C:\Program Files\Amazon\XenTools\.Symbols
2020-10-19 23:02:27,496 [1] INFO  - Deleted - C:\Program Files\Amazon\XenTools\.Symbols

Loaded Modules:

Path
C:\Program Files\Amazon\XenTools\Installer.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
C:\Windows\System32\ADVAPI32.dll
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\KERNEL32.dll
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 2F83C35B5136353D68CE9EB669FD1B0B
  • Thumbprint: 4BAD227329ADEF18F215B6475FB7948E1629B505
  • Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  • Subject: CN=Amazon.com Services LLC, OU=Software Services, O=Amazon.com Services LLC, L=Seattle, S=Washington, C=US

File Metadata

  • Original Filename: Installer.exe
  • Product Name: Installer
  • Company Name: Amazon Web Services, Inc.
  • File Version: 8.3.4
  • Product Version: 8.3.4
  • Language: Language Neutral
  • Legal Copyright: Copyright (c) Amazon Web Services, Inc. 2016
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following table contains possible examples of Installer.exe being misused. While Installer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_dbghelp_dbgcore_load.yml # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert DRL 1.0
sigma sysmon_cmstp_execution.yml description: Detects various indicators of Microsoft Connection Manager Profile Installer execution DRL 1.0
sigma cmstp_execution.yml description: Detects various indicators of Microsoft Connection Manager Profile Installer execution DRL 1.0
sigma win_cmstp_com_object_access.yml description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects DRL 1.0
sigma win_susp_disable_ie_features.yml - Unknown, maybe some security software installer disables these features temporarily DRL 1.0
sigma win_susp_msiexec_web_install.yml - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ DRL 1.0
sigma win_tap_installer_execution.yml title: Tap Installer Execution DRL 1.0
sigma win_uac_cmstp.yml description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe). DRL 1.0
sigma sysmon_cmstp_execution.yml description: Detects various indicators of Microsoft Connection Manager Profile Installer execution DRL 1.0
LOLBAS Installutil.yml Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies  
LOLBAS Installutil.yml - Link: https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool  
LOLBAS Ieadvpack.yml Description: INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.  
malware-ioc casbaneiro \| F07932D8A36F3E36F2552DADEDAD3E22EFA7AAE1 \| MSI installer \| Win32/TrojanDownloader.Banload.YJD trojan © ESET 2014-2018
malware-ioc casbaneiro \| 8745197972071EDE08AA9F7FBEC029BED56151C2 \| MSI installer \| JS/TrojanDownloader.Agent.TNX trojan © ESET 2014-2018
malware-ioc casbaneiro \| DD2799C10954293C8E7D75CD4BE2686ADD9AC2D4 \| MSI installer \| JS/TrojanDownloader.Agent.TNX trojan © ESET 2014-2018
malware-ioc evilnum ==== MSI installer © ESET 2014-2018
malware-ioc evilnum \|AF12FD706F24B5296916FD85AF815541CC8FB810\|tvw32.exe \|Intel USB 3.0 installer \|22C4F55BBA23E9B886923784E7BAB8E95C33D823``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc evilnum \|0C8F24DAA4489329D0CDD4A82B3B45DAD14CA024\|nvstregs.exe \|Windows Installer Table Creator \|B2824928A60B3C129E257F16F41CDD5DD23659BE``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc misp_invisimole.json "value": "%APPDATA%\\Microsoft\\Installer\\kb043921.exe", © ESET 2014-2018
malware-ioc invisimole %APPDATA%\Microsoft\Installer\kb043921.exe © ESET 2014-2018
malware-ioc invisimole "command" = ""%APPDATA%\Microsoft\Installer\kb043921.exe" OpenFileMappingW 0xF003F 0 "XVD21x9DC" , MapViewOfFile $$:1 0xF003F 0 0 %installer_size% , CreateThread 0 0 $$:6 $$:6 0 0 , WaitForSingleObject $$:13 -1" © ESET 2014-2018
malware-ioc mispadu \| A4EDA0DD2C33A644FEEF170F5C24CF7595C19017 \| MSI installer \| VBS/TrojanDownloader.Agent.RVY © ESET 2014-2018
malware-ioc mispadu \| CFE21DBFB97C2E93F099D351DE54099A3FC0C98B \| MSI installer \| VBS/TrojanDownloader.Agent.RVY © ESET 2014-2018
malware-ioc oceanlotus \|a40ee8ff313e59aa92d48592c494a4c3d81449af\|Firefox Installer.exe \|Win32/TrojanDropper.Agent.RUI © ESET 2014-2018
malware-ioc 2020_Q4 \|9453E8DE98CE976744B1A4E133AA69BC8A5C523A\|Trojanized software installer \|Win32/InvisiMole.H © ESET 2014-2018
malware-ioc misp-ramsay.json "comment": "Installer Launcher", © ESET 2014-2018
malware-ioc misp-ramsay.json "comment": "Malware Installer", © ESET 2014-2018
malware-ioc misp-ramsay.json "comment": "Ramsay Initial Installer", © ESET 2014-2018
malware-ioc misp-ramsay.json "comment": "Initial Installer", © ESET 2014-2018
malware-ioc signsight-misp-event.json "comment": "Trojanized installer", © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| udservice.exe \| update.ultimate-discounter[.]com © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| udservice.exe \| udiscount[.]net © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| udservice.exe \| ultimate-discounter[.]org © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| udservice.exe \| upd-discounter[.]com © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| udservice.exe \| udiscounter[.]org © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| udservice.exe \| wannaupdate[.]com © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| ghstore.exe \| ghosterystore[.]com © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| bhctrl32.exe \| nvccupdate[.]com © ESET 2014-2018
malware-ioc stantinko \|Stantinko Installer \| redisd.exe \| rdsbase[.]com © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Intercepter-NG and silent WinPCAP installer - Xchecked via VT: 64cb897acc37e12e4f49c4da4dfad606b3976225", © ESET 2014-2018
malware-ioc misp-telebots.json "comment": "Intercepter-NG and silent WinPCAP installer", © ESET 2014-2018
malware-ioc telebots === Intercepter-NG and silent WinPCAP installer © ESET 2014-2018
malware-ioc misp-mosquito-event.json "comment": "Powershell backdoor installer", © ESET 2014-2018
malware-ioc misp-mosquito-event.json "comment": "Installer", © ESET 2014-2018
malware-ioc turla The blog post about Mosquito is available on WeLiveSecurity at https://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/. © ESET 2014-2018
malware-ioc vadokrist \| D8C6DDACC42645DF0F760489C5A4C3AA686998A1 \| MSI installer \| JS/TrojanDownloader.Banload.ABD © ESET 2014-2018
atomic-red-team index.md - T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | User Execution CONTRIBUTE A TEST | Domain Account | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Disable Windows Event Logging | Network Device Authentication CONTRIBUTE A TEST | System Owner/User Discovery | | SNMP (MIB Dump) CONTRIBUTE A TEST | | Protocol Impersonation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Kernel Modules and Extensions | Downgrade System Image CONTRIBUTE A TEST | Password Spraying | | | | | Symmetric Cryptography CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Implant Container Image CONTRIBUTE A TEST | Launch Daemon | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Securityd Memory CONTRIBUTE A TEST | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | Windows Command Shell | Domain Account | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Disable or Modify System Firewall | Man-in-the-Middle CONTRIBUTE A TEST | System Network Configuration Discovery | | Man-in-the-Middle CONTRIBUTE A TEST | | Multi-hop Proxy CONTRIBUTE A TEST | Stored Data Manipulation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | Dynamic-link Library Injection CONTRIBUTE A TEST | OS Credential Dumping | System Time Discovery | | Sharepoint CONTRIBUTE A TEST | | Non-Standard Port | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Hijack Execution Flow CONTRIBUTE A TEST | LSASS Driver CONTRIBUTE A TEST | Executable Installer File Permissions Weakness CONTRIBUTE A TEST | Password Filter DLL | User Activity Based Checks CONTRIBUTE A TEST | | Web Portal Capture CONTRIBUTE A TEST | | Port Knocking CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team T1040.md | wireshark_url | wireshark installer download URL | url | https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe| MIT License. © 2018 Red Canary
atomic-red-team T1046.md | nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe| MIT License. © 2018 Red Canary
atomic-red-team T1056.002.md Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). </blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Write-Host Automated installer not implemented yet, please install PowerShell v2 manually MIT License. © 2018 Red Canary
atomic-red-team T1113.md | package_installer | Package installer command for linux. Debian system command- apt-get install x11-apps | string | yum install -y xorg-x11-apps| MIT License. © 2018 Red Canary
atomic-red-team T1133.md | chrome_url | chrome installer download URL | url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe| MIT License. © 2018 Red Canary
atomic-red-team T1176.md Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials) (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. MIT License. © 2018 Red Canary
atomic-red-team T1218.003.md <blockquote>Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md <blockquote>Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v\InstallUtil.exe</code> and C:\Windows\Microsoft.NET\Framework64\v\InstallUtil.exe</code>. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md | assembly_filename | filename of the compiled installer assembly | String | T1218.004.dll| MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md CheckIfInstallable method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallHelper method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil class constructor execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil Install method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil HelpText property execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Evasive Installutil invocation test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md <blockquote>Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. MIT License. © 2018 Red Canary
atomic-red-team T1219.md An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1219.md An adversary may attempt to trick the user into downloading AnyDesk and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1219.md An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in: MIT License. © 2018 Red Canary
atomic-red-team T1550.002.md Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md | rar_installer | Winrar installer | Path | %TEMP%\winrar.exe| MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md echo Downloading Winrar installer MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md | 7zip_installer | 7zip installer | Path | %TEMP%\7zip.exe| MIT License. © 2018 Red Canary
atomic-red-team T1560.001.md echo Downloading 7-zip installer MIT License. © 2018 Red Canary
signature-base apt_grizzlybear_uscert.yar $a1 = “Adobe Flash Player Installer” wide nocase CC BY-NC 4.0
signature-base apt_hellsing_kaspersky.yar description = “detection for Hellsing msger irene installer” CC BY-NC 4.0
signature-base apt_kaspersky_duqu2.yar $s2 = “Sysinternals installer” fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base apt_kaspersky_duqu2.yar $s0 = “Installer for printer drivers and applications” fullword wide /* PEStudio Blacklist: strings */ CC BY-NC 4.0
signature-base apt_ms_platinum.yara description = “Installer component” CC BY-NC 4.0
signature-base apt_ms_platinum.yara description = “Installer for Dipsind variant” CC BY-NC 4.0
signature-base apt_wildneutron.yar $s4 = “ Player Installer/Uninstaller” fullword wide /* PEStudio Blacklist: strings / / score: ‘11.42’ */ CC BY-NC 4.0
signature-base apt_wildneutron.yar $y1 = “Installer.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘25.00’ */ CC BY-NC 4.0
signature-base gen_anomalies_keyword_combos.yar description = “Detects suspicious NullSoft Installer combination with common Copyright strings” CC BY-NC 4.0
signature-base gen_dde_in_office_docs.yar $r2 = “Adobe ARM Installer” CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar description = “Equation Group Malware - EquationDrug installer LUTEUSOBSTOS” CC BY-NC 4.0
signature-base spy_equation_fiveeyes.yar description = “Equation Group Malware - EquationLaser Installer” CC BY-NC 4.0
signature-base thor-webshells.yar rule installer { CC BY-NC 4.0
signature-base thor-webshells.yar description = “Webshells Auto-generated - file installer.cmd” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.