Windows Analysis Report
INSTALL (1).EXE

Overview

General Information

Sample name: INSTALL (1).EXE
Analysis ID: 1466646
MD5: 9ef163303a7fc06b98beb90ae14217ba
SHA1: a8a44b4553aeedbfcc240d5ee47539119b1a4287
SHA256: 49f9aeee62ddd572dacba21f5e7298cd33856818ee3cc9d691d4788a79fbad68

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: INSTALL (1).EXE Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INSTALL (1).EXE Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 109.69.187.83:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: INSTALL (1).EXE Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: H:\source\source.YV\170726\Release_wdautoex_7\WX\Desktop_x86_32\Release\WdAutoEx.pdb source: INSTALL (1).EXE
Source: Binary string: H:\source\source.YV\170726\Release_wdautoex_7\WX\Desktop_x86_32\Release\WdAutoEx.pdb< source: INSTALL (1).EXE
Source: Binary string: H:\source\source.YB\170922\Release_preinstall_9\WX\Desktop_x86_32_VS2019\Release\SetupFTP.pdb` source: INSTALL.EXE
Source: Binary string: H:\source\source.YB\170922\Release_preinstall_9\WX\Desktop_x86_32_VS2019\Release\SetupFTP.pdb source: INSTALL.EXE
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BC4C26 SetErrorMode,FindFirstFileExW,FindFirstFileW,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError, 0_2_00BC4C26
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00927C7C __EH_prolog,SetErrorMode,SetErrorMode,FindFirstFileExW,FindFirstFileW,GetLastError,SetErrorMode,SetLastError,GetLastError,GetLastError,GetLastError, 1_2_00927C7C
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0094CA59 FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free, 1_2_0094CA59
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00923EF6 FtpFindFirstFileW, 1_2_00923EF6
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BC331F LoadLibraryW,GetProcAddress,GetFileInformationByHandle,GetLogicalDriveStringsW,GetVolumeInformationW, 0_2_00BC331F
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00924713 HttpQueryInfoW,HttpQueryInfoW,InternetReadFile, 1_2_00924713
Source: global traffic HTTP traffic detected: GET /OptairCTA2019/INSTALL/INSTALL.ZIP HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: PC SOFTHost: logiciels.vim.fr
Source: global traffic DNS traffic detected: DNS query: logiciels.vim.fr
Source: INSTALL.EXE String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: INSTALL.EXE String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: INSTALL.EXE String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: INSTALL.EXE String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: INSTALL.EXE String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: INSTALL.EXE String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: INSTALL.EXE String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: INSTALL.EXE String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: INSTALL.EXE String found in binary or memory: http://ocsp.comodoca.com0
Source: INSTALL.EXE String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: INSTALL.EXE String found in binary or memory: http://ocsp.sectigo.com0
Source: INSTALL.EXE String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: INSTALL.EXE String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: INSTALL.EXE, 00000001.00000003.1770628243.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logiciels.vim.fr/
Source: INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP
Source: INSTALL.EXE, 00000001.00000003.1770628243.0000000000E13000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000E13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIP=
Source: INSTALL.EXE, 00000001.00000003.1770628243.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logiciels.vim.fr/OptairCTA2019/INSTALL/INSTALL.ZIPsRS
Source: INSTALL.EXE String found in binary or memory: https://sectigo.com/CPS0
Source: INSTALL.EXE String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BDA179 0_2_00BDA179
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BE03A0 0_2_00BE03A0
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BDD398 0_2_00BDD398
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BC74AD 0_2_00BC74AD
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BDA423 0_2_00BDA423
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BDD5C7 0_2_00BDD5C7
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD254D 0_2_00BD254D
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BDA6EA 0_2_00BDA6EA
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD4726 0_2_00BD4726
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BDB770 0_2_00BDB770
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BC28AF 0_2_00BC28AF
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BDA9A5 0_2_00BDA9A5
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BE593B 0_2_00BE593B
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BEA911 0_2_00BEA911
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BC2A26 0_2_00BC2A26
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BE6CF9 0_2_00BE6CF9
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD3D96 0_2_00BD3D96
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BCADF0 0_2_00BCADF0
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD9E07 0_2_00BD9E07
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_009411D5 1_2_009411D5
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_009372FD 1_2_009372FD
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_009345D4 1_2_009345D4
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0095066C 1_2_0095066C
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0095078C 1_2_0095078C
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0094F838 1_2_0094F838
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00944960 1_2_00944960
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0094BA59 1_2_0094BA59
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00929DAA 1_2_00929DAA
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00935E01 1_2_00935E01
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00940FA3 1_2_00940FA3
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: String function: 00BC6F10 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: String function: 0093D1D0 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: String function: 009296EC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: String function: 00953014 appears 70 times
Source: INSTALL (1).EXE, 00000000.00000000.1660108092.0000000000C06000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWDAutoEx.EXE2 vs INSTALL (1).EXE
Source: INSTALL (1).EXE Binary or memory string: OriginalFilenameWDAutoEx.EXE2 vs INSTALL (1).EXE
Source: INSTALL (1).EXE Binary string: CNTDLL.dllNtQueryInformationFile :\##(IXStream)-Handle=<%p>####(IXStream)-Access=<%x>####(IXStream)-bExact=<%d>####(IXStream)-A lire=<%u>, lu=<%u>####(IXStream)-Offset=<%I64u>##\...*.*\Device\LanmanRedirector\;d
Source: classification engine Classification label: clean5.winEXE@3/4@1/1
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD7073 IsDlgButtonChecked,GetDlgItemTextW,GetLastError,FormatMessageW,MessageBoxW,LocalFree,EndDialog, 0_2_00BD7073
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD85A7 FindResourceW,LoadResource,LockResource, 0_2_00BD85A7
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\INSTALL[1].htm
Source: C:\Users\user\Desktop\INSTALL (1).EXE File created: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp
Source: INSTALL (1).EXE Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INSTALL (1).EXE File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\INSTALL (1).EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: INSTALL.EXE String found in binary or memory: /%s/INSTALL.ZIP
Source: INSTALL.EXE String found in binary or memory: Message : <%s>%s[]WDWDUpdate.netWDUpdate32.netWDUpdate64.netINSTALL%s%s /REP="%s%s\" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" /REP="%s" /PID_PARENT=%d /VERSION_PARENT=%d /COMPOSITE=%d /WXF="%s" INSTALL.ZIPINSTALL.INIAPPLI0InstallCompositeHTTPSHTTP/%s/INSTALL.ZIPapplication/x-www-form-urlencoded407200<>INST%s.WXFINST__DISKINSTPRGCLIENT%sPARAMINSTALLEUR_PROG_INSTALLCLIENTPARAMINSTALLEUR&WDSetup.EXEINSTPRGWDFGARDETEMPPREINSTALL%s%s.WDZ.WDZftp.pcsoft.frSERVEURPORT1PASSIFANONYMELOGINPWDPRODVIVI_DETAIL-1NBFICFTPFIC%05d:NATIONDEFAUTGENERALframework.pcsoft.frDLLInst%s%s.DLL%s.DLL/DLL/%s/P
Source: INSTALL.EXE String found in binary or memory: -Installateur) - Win326
Source: INSTALL.EXE String found in binary or memory: FileDescriptionUSPreInstall.exe (Pre-installer) - Win32.
Source: C:\Users\user\Desktop\INSTALL (1).EXE File read: C:\Users\user\Desktop\INSTALL (1).EXE
Source: unknown Process created: C:\Users\user\Desktop\INSTALL (1).EXE "C:\Users\user\Desktop\INSTALL (1).EXE"
Source: C:\Users\user\Desktop\INSTALL (1).EXE Process created: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE "C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE"
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: mpr.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: wldp.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: propsys.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: profapi.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: edputil.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: netutils.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: slc.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: userenv.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: sppc.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\INSTALL (1).EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\INSTALL (1).EXE File written: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.INI
Source: Window Recorder Window detected: More than 3 window changes detected
Source: INSTALL (1).EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: INSTALL (1).EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: INSTALL (1).EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: INSTALL (1).EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: INSTALL (1).EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: INSTALL (1).EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: INSTALL (1).EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: INSTALL (1).EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: INSTALL (1).EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: INSTALL (1).EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: INSTALL (1).EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD9146 push ecx; ret 0_2_00BD9159
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00953014 push eax; ret 1_2_00953032
Source: C:\Users\user\Desktop\INSTALL (1).EXE File created: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD8339 GetPrivateProfileIntW, 0_2_00BD8339
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0093A95B GetPrivateProfileIntW, 1_2_0093A95B
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00939AED __EH_prolog,MessageBoxW,GetPrivateProfileStringW,SetWindowTextW,RedrawWindow,GetPrivateProfileStringW, 1_2_00939AED
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0093BC77 __EH_prolog,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW,GetPrivateProfileStringW, 1_2_0093BC77
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0093A236 GetPrivateProfileStringW,SetWindowTextW, 1_2_0093A236
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00924E5C __EH_prolog,Sleep,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00924E5C
Source: C:\Users\user\Desktop\INSTALL (1).EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0093C202 VirtualQuery,GetSystemInfo, 1_2_0093C202
Source: INSTALL (1).EXE, 00000000.00000003.1664703900.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: INSTALL.EXE, 00000001.00000002.1771300204.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1770628243.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000003.1770628243.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, INSTALL.EXE, 00000001.00000002.1771300204.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BE207E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BE207E
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BE103D mov eax, dword ptr fs:[00000030h] 0_2_00BE103D
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0094C65D mov eax, dword ptr fs:[00000030h] 1_2_0094C65D
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0094C6A1 mov eax, dword ptr fs:[00000030h] 1_2_0094C6A1
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_00945730 mov eax, dword ptr fs:[00000030h] 1_2_00945730
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BE91BE GetProcessHeap, 0_2_00BE91BE
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD90A3 SetUnhandledExceptionFilter, 0_2_00BD90A3
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD92CD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BD92CD
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD8F10 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BD8F10
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0093D15A SetUnhandledExceptionFilter, 1_2_0093D15A
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0093D384 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0093D384
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_009467DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_009467DB
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_0093CFC6 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0093CFC6
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BCAA27 ShellExecuteExW, 0_2_00BCAA27
Source: C:\Users\user\AppData\Local\Temp\WD_1A02.tmp\INSTALL.EXE Code function: 1_2_009214A0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 1_2_009214A0
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD8D6D cpuid 0_2_00BD8D6D
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BD915B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00BD915B
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BC941A GetTimeZoneInformation,SystemTimeToFileTime,FileTimeToSystemTime, 0_2_00BC941A
Source: C:\Users\user\Desktop\INSTALL (1).EXE Code function: 0_2_00BCD9E2 GetVersionExW, 0_2_00BCD9E2