Closed: juniz-dm closed this 7 months ago
Hello, and thank you for the report. I have analyzed both the code signed and non-code signed installer files and the behavior you reported occurs only in the code signed version.
I believe that the behavior reported by hybrid-analysis.com can be traced back to the mechanism by which Windows installs certificates within the system itself when the MSI installers are used and, therefore, I am pretty sure that it is a false positive.
I have also analyzed a well-known application (certainly much better known than Converseen) that uses the open-source certificate provided by the same provider I use, and hybrid-analysis.com shows the identical behavior.
If you do not wish to use the Converseen installer, you can use the portable version; the hybrid-analysis.com analysis reports no abnormal behavior.
Thank you for looking into this, I reported the analysis results as a false positive and linked to this issue.
Thank you very much for reporting the false positive, much appreciated!
I ran a sandbox analysis; it showed the file drops a blob into one of the Microsoft trusted root certificates, which is unacceptable behaviour:
https://www.hybrid-analysis.com/sample/4ffa9fd3dd13bf636e4665dec9f34bbaceee21b829a7d5cd6338b5559f95de03/65e046a1678dc7a5fb037183
Modifies System Certificates Settings
details:
  "msiexec.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "4EFC31460C619ECAE59C1BCE2C008036D94C84B8")
  "msiexec.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\4EFC31460C619ECAE59C1BCE2C008036D94C84B8"; Key: "BLOB")
source: Registry Access
relevance: 8/10
ATT&CK ID: T1112
https://learn.microsoft.com/de-de/security/trusted-root/2020/may2020
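To see what the flagged AuthRoot entry actually contains, here is an added PowerShell triage script (not part of Converseen, the sandbox report, or Microsoft's documentation). It assumes the commonly described, unofficial layout of the registry BLOB (records of DWORD property id, DWORD reserved, DWORD length, data; property 32 holds the DER certificate) and uses the thumbprint from the report above as its default.

```powershell
# Added triage helper (not Converseen's code). Decodes the certificate stored in
# HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\<thumbprint>
# so the entry written during the sandboxed install can be compared with the
# Microsoft Trusted Root Program list linked above.
# Assumed blob layout (commonly described, not an official Microsoft spec):
#   repeated records: DWORD propertyId, DWORD reserved, DWORD length, data bytes
#   propertyId 32 (CERT_CERT_PROP_ID) carries the DER-encoded certificate.
param(
    # Thumbprint taken from the hybrid-analysis report in this issue
    [string]$Thumbprint = '4EFC31460C619ECAE59C1BCE2C008036D94C84B8'
)

$keyPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$Thumbprint"
if (-not (Test-Path $keyPath)) {
    Write-Output "No AuthRoot entry for $Thumbprint on this machine (Windows adds these on demand)."
    return
}

[byte[]]$blob = (Get-ItemProperty -Path $keyPath -Name Blob).Blob
$offset = 0
[byte[]]$der = $null
while ($offset + 12 -le $blob.Length) {
    $propId    = [BitConverter]::ToUInt32($blob, $offset)
    $length    = [int][BitConverter]::ToUInt32($blob, $offset + 8)
    $dataStart = $offset + 12
    if ($dataStart + $length -gt $blob.Length) { break }   # malformed record: stop parsing
    if ($propId -eq 32) {
        $der = $blob[$dataStart..($dataStart + $length - 1)]
    }
    $offset = $dataStart + $length
}

if (-not $der) { throw "No certificate record (property 32) found in the blob for $Thumbprint" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

# The key name should equal the SHA-1 thumbprint of the embedded certificate;
# a mismatch or a non-self-signed subject would be worth a closer look.
[pscustomobject]@{
    RegistryKey      = $Thumbprint
    ActualThumbprint = $cert.Thumbprint
    ThumbprintMatch  = ($cert.Thumbprint -eq $Thumbprint.ToUpper())
    Subject          = $cert.Subject
    Issuer           = $cert.Issuer
    NotAfter         = $cert.NotAfter
    IsSelfSigned     = ($cert.Subject -eq $cert.Issuer)
}
```

Run it as an administrator on a machine where the install was observed; the subject and thumbprint it prints can then be looked up in the Microsoft trusted root release notes linked above.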