Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Setup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.608859172172792
Filename:	Setup.exe
Filesize:	502656
MD5:	dc4f97df9369351e44f2f87ea7e5abd2
SHA1:	b433ec49f9e2b35c0763218b38c1fee4a19e2cb0
SHA256:	5ed1397e6c4496239f1c865c19df8f4ea4821fd148d3380baa5dedb6b8d710fc
SHA512:	da7772af52892e780aedfb372ba4ffefa442141745ff77afadba6af24644ce6d7b5a58bd9d6846962287e0cc2ec2a4b8de1afa834c907662b337e84568094ea1
SSDEEP:	12288:fyIF3IUpcSgjqV+35JixitvKkbj31tR+z:fyIiocq4j7BbT6
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation Security Software Discovery System Shutdown/Reboot
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation Security Software Discovery System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Security Software Discovery Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior	Access Token Manipulation
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation Security Software Discovery System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion	Security Software Discovery System Information Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Access Token Manipulation
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking	Security Software Discovery
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE / OLE file has a valid certificate	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt

ASCII text, with CRLF line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt
Category:	modified
Dump:	Setup Log 2024-10-30 #001.txt.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
Type:	ASCII text, with CRLF line terminators
Entropy:	4.863388771804084
Encrypted:	false
Ssdeep:	48:r/MiXMsmrpvOBbABgW9QS/9ZBucc3fnrsZkrrPEUJnUbEUJn27EUJns10EUJnDLn:zb58QD9a9jKs0
Size:	6505
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

modified

Details

File:	C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
Category:	modified
Dump:	Setup.tmp.1.dr
ID:	dr_0
Target ID:	1
Process:	C:\Users\user\Desktop\Setup.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.573126941840791
Encrypted:	false
Ssdeep:	12288:3qIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPul8yx9z:6IZg+uiirPO37fzH4A6haDbcUZEbdT9K
Size:	763464
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to call native functions	System Summary
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Sigma detected: Use Short Name Path in Command Line	System Summary
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Reads the Windows registered organization settings	System Summary	System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Creates install or setup log file	Compliance, Persistence and Installation Behavior
Executable creates window controls seldom found in malware	System Summary
Found GUI installer (many successful clicks)	System Summary
Reads the Windows registered owner settings	System Summary	System Owner/User Discovery

C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp
Category:	dropped
Dump:	_setup64.tmp.3.dr
ID:	dr_2
Target ID:	3
Process:	C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	4.720366600008286
Encrypted:	false
Ssdeep:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
Size:	6144
Whitelisted:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Setup.exe

"C:\Users\user\Desktop\Setup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7524
Target ID:	1
Parent PID:	4056
Name:	Setup.exe
Path:	C:\Users\user\Desktop\Setup.exe
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Size:	502656
MD5:	DC4F97DF9369351E44F2F87EA7E5ABD2
Time:	11:44:54
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	114688
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: Use Short Name Path in Command Line	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE / OLE file has a valid certificate	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

"C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7544
Target ID:	3
Parent PID:	7524
Name:	Setup.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp
Commandline:	"C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"
Size:	763464
MD5:	21BBD416AD06BFBA595FD3C2FED9B612
Time:	11:44:54
Date:	30/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	811008
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Sigma detected: Use Short Name Path in Command Line	System Summary
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://www.innosetup.com/

unknown

http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t

unknown

http://www.remobjects.com/psU

unknown

http://ocsp.sectigo.com0

unknown

https://sectigo.com/CPS0B

unknown

http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

unknown

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

unknown

http://www.ooaccess.com

unknown

http://www.ooaccess.com&

unknown

https://sectigo.com/CPS0D

unknown

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline

unknown

http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r

unknown

http://license.openoptionsinc.com/LicenseFile?HaspKey=%s&Product=FULIC

unknown

http://www.remobjects.com/ps

unknown

http://www.openoptionsinc.com

unknown

https://ooaccess.com/v7

unknown

http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC&Username=%s&Password=%s

unknown

http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#

unknown

http://license.ooinc.com/Download/FlexAPI

unknown

http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC

unknown

There are 10 hidden URLs, click here to show them.

Domains

Name

Malicious

15.164.165.52.in-addr.arpa

unknown

200.163.202.172.in-addr.arpa

unknown

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

Memdumps

Base Address

Regiontype

Protect

Malicious

2420000

direct allocation

page read and write

866000

heap

page read and write

894000

heap

page read and write

32FE000

stack

page read and write

49C000

unkown

page write copy

863000

heap

page read and write

49E000

unkown

page read and write

894000

heap

page read and write

790000

direct allocation

page execute and read and write

9B000

stack

page read and write

412000

unkown

page readonly

894000

heap

page read and write

401000

unkown

page execute read

4AE000

unkown

page readonly

33FF000

stack

page read and write

4AE000

unkown

page readonly

866000

heap

page read and write

85B000

heap

page read and write

5F0000

heap

page read and write

401000

unkown

page execute read

818000

heap

page read and write

2260000

direct allocation

page read and write

480000

heap

page read and write

21BC000

direct allocation

page read and write

2020000

direct allocation

page read and write

19C000

stack

page read and write

89A000

heap

page read and write

894000

heap

page read and write

353F000

stack

page read and write

21B0000

direct allocation

page read and write

7F9000

heap

page read and write

40E000

unkown

page write copy

840000

heap

page read and write

400000

unkown

page readonly

49A000

heap

page read and write

866000

heap

page read and write

2038000

direct allocation

page read and write

4D0000

heap

page read and write

770000

heap

page read and write

49C000

unkown

page read and write

400000

unkown

page readonly

430000

heap

page read and write

401000

unkown

page execute read

2430000

heap

page read and write

82C000

heap

page read and write

7C0000

heap

page read and write

7F5000

heap

page read and write

2434000

heap

page read and write

49D000

unkown

page write copy

400000

unkown

page readonly

7F0000

heap

page read and write

490000

heap

page read and write

343E000

stack

page read and write

4B8000

heap

page read and write

2024000

direct allocation

page read and write

855000

heap

page read and write

40C000

unkown

page write copy

412000

unkown

page readonly

231C000

direct allocation

page read and write

2780000

trusted library allocation

page read and write

3100000

direct allocation

page read and write

89A000

heap

page read and write

84C000

heap

page read and write

401000

unkown

page execute read

610000

heap

page read and write

7D0000

heap

page read and write

3100000

heap

page read and write

4A0000

unkown

page write copy

2030000

direct allocation

page read and write

400000

unkown

page readonly

19B000

stack

page read and write

5F0000

heap

page read and write

810000

heap

page read and write

228E000

direct allocation

page read and write

8AE000

heap

page read and write

21B8000

direct allocation

page read and write

40C000

unkown

page read and write

96000

stack

page read and write

616000

heap

page read and write

21B7000

direct allocation

page read and write

31C0000

heap

page read and write

420000

heap

page read and write

2360000

direct allocation

page read and write

2260000

direct allocation

page read and write

There are 74 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Setup.exe

Files

Processes

URLs

Domains

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSetup.exe

Files

Processes

URLs

Domains

Registry

Memdumps

IOC Report
Setup.exe