Windows Analysis Report: Shift Setup.exe
Overview
General Information
Detection
Score: 26 (range 0 - 100)
Whitelisted: false
Confidence: 0%
Compliance
Score: 35 (range 0 - 100)
Signatures
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to disable installed Antivirus / HIPS / PFW
Uses 32bit PE files
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64native
- Shift Setup.exe (PID: 8524 cmdline: "C:\Users\user\Desktop\Shift Setup.exe" MD5: 0F0DA32E4BDE27B239DC562C4CC2AD1E)
- Shift Setup.tmp (PID: 8548 cmdline: "C:\Users\user\AppData\Local\Temp\is-163NS.tmp\Shift Setup.tmp" /SL5="$10468,95019598,1164800,C:\Users\user\Desktop\Shift Setup.exe" MD5: DD387924C262802D2BDFB7C7201E3DF5)
- taskkill.exe (PID: 8816 cmdline: "C:\Windows\System32\taskkill.exe" /f /im shift.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
- conhost.exe (PID: 8824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- schtasks.exe (PID: 9104 cmdline: "schtasks" /delete /tn ShiftLaunchTask /f MD5: 796B784E98008854C27F4B18D287BA30)
- conhost.exe (PID: 9112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- shift.exe (PID: 9184 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --start-maximized MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 9204 cmdline: C:\Users\user\AppData\Local\Shift\chromium\shift.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Shift\User Data" /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\user\AppData\Local\Shift\User Data" --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Shift\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/4506193009180672/minidump/?sentry_key=1c60a0cacdead91f905faa80e9c82d03 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=122.10.0.1101 --initial-client-data=0xf4,0xf8,0xfc,0xac,0x100,0x7ffe3ec55700,0x7ffe3ec5570c,0x7ffe3ec55718 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 7164 cmdline: C:\Users\user\AppData\Local\Shift\chromium\shift.exe --type=crashpad-handler "--user-data-dir=C:\Users\user\AppData\Local\Shift\User Data" /prefetch:4 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Shift\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/4506193009180672/minidump/?sentry_key=1c60a0cacdead91f905faa80e9c82d03 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=122.10.0.1101 --initial-client-data=0x154,0x158,0x15c,0x114,0x160,0x7ff678faf0b8,0x7ff678faf0c4,0x7ff678faf0d0 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 3108 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=gpu-process --no-pre-read-main-dll --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2312 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:2 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 1536 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --start-stack-profiler --mojo-platform-channel-handle=2864 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:3 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 4088 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-pre-read-main-dll --mojo-platform-channel-handle=3184 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:8 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 1256 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --mojo-platform-channel-handle=4328 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:8 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 8516 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=renderer --extension-process --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1729793908742888 --launch-time-ticks=538271629 --mojo-platform-channel-handle=4508 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:2 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 8848 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=renderer --no-pre-read-main-dll --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --time-ticks-at-unix-epoch=-1729793908742888 --launch-time-ticks=538611283 --mojo-platform-channel-handle=4884 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:1 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- explorer.exe (PID: 4968 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
- shift.exe (PID: 1112 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --launch-source=sign-in MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 1592 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --launch-source=sign-in MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 3436 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=renderer --instant-process --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --time-ticks-at-unix-epoch=-1729793908742888 --launch-time-ticks=538993971 --mojo-platform-channel-handle=5240 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:1 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 3332 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --time-ticks-at-unix-epoch=-1729793908742888 --launch-time-ticks=539522401 --mojo-platform-channel-handle=5548 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:1 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 8100 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=renderer --no-pre-read-main-dll --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --time-ticks-at-unix-epoch=-1729793908742888 --launch-time-ticks=545806341 --mojo-platform-channel-handle=6208 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:1 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 3440 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=renderer --no-pre-read-main-dll --start-stack-profiler --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --time-ticks-at-unix-epoch=-1729793908742888 --launch-time-ticks=553237658 --mojo-platform-channel-handle=6480 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:1 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- shift.exe (PID: 4760 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --no-pre-read-main-dll --mojo-platform-channel-handle=6992 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:8 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- setup.exe (PID: 3888 cmdline: setup.exe --do-not-launch-chrome MD5: 1D06621473A8216A98687546A595EC5D)
- setup.exe (PID: 2032 cmdline: C:\Users\user\AppData\Local\Shift\chromium\122.10.0.1101\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Shift\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/4506193009180672/minidump/?sentry_key=1c60a0cacdead91f905faa80e9c82d03 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=127.2.2.1372 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7e5908410,0x7ff7e590841c,0x7ff7e5908428 MD5: 1D06621473A8216A98687546A595EC5D)
- setup.exe (PID: 9144 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\122.10.0.1101\setup.exe" --verbose-logging --create-shortcuts=0 --install-level=0 MD5: 1D06621473A8216A98687546A595EC5D)
- setup.exe (PID: 6828 cmdline: C:\Users\user\AppData\Local\Shift\chromium\122.10.0.1101\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Shift\User Data\Crashpad" --url=https://o1334372.ingest.sentry.io/api/4506193009180672/minidump/?sentry_key=1c60a0cacdead91f905faa80e9c82d03 --annotation=plat=Win64 --annotation=prod=Shift --annotation=ver=127.2.2.1372 --initial-client-data=0x24c,0x250,0x254,0x208,0x258,0x7ff7e5908410,0x7ff7e590841c,0x7ff7e5908428 MD5: 1D06621473A8216A98687546A595EC5D)
- shift.exe (PID: 9024 cmdline: "C:\Users\user\AppData\Local\Shift\chromium\shift.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=32902 --gpu-device-id=16024 --gpu-sub-system-id=1050155081 --gpu-revision=2 --gpu-driver-version=27.20.100.9415 --no-pre-read-main-dll --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=464 --field-trial-handle=2316,i,1528229121420869287,13748701593454551628,262144 --variations-seed-version /prefetch:8 MD5: 57FF3A035DA210EAF2B467E8DB148635)
- WerFault.exe (PID: 6484 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8548 -s 2700 MD5: 40A149513D721F096DDF50C04DA2F01F)
- WerFault.exe (PID: 8140 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8548 -s 2444 MD5: 40A149513D721F096DDF50C04DA2F01F)
- shift.exe (PID: 7984 cmdline: C:\Users\user\AppData\Local\Shift\chromium\shift.exe --start-maximized --launch-source=sign-in MD5: 57FF3A035DA210EAF2B467E8DB148635)
- cleanup
No configs have been found
No yara matches
Sigma rule matched; author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
No Suricata rule has matched