Edit tour
Windows
Analysis Report
Setup.exe
Overview
General Information
| Sample name: | Setup.exe |
| Analysis ID: | 1546932 |
| MD5: | 9aa62835585485a40e45b2ae935c42b0 |
| SHA1: | 208bad1614fd19318aadce03531713a2ad885cd8 |
| SHA256: | d28331e98edccdfb2709fc1af526c0cec059a6d008e54a537ce1e10a32c876be |
| Infos: |   |
 | |
Detection
| Score: | 57 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Compliance
| Score: | 34 |
| Range: | 0 - 100 |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a global mouse hook
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
Setup.exe (PID: 3192 cmdline: "C:\Users\ user\Deskt op\Setup.e xe" MD5: 9AA62835585485A40E45B2AE935C42B0) 
chrome.exe (PID: 6368 cmdline: "C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t https:// pcapp.stor e/installi ng.php?gui d=4D802742 -3099-9C0E -C19B-2A23 EA1FC420&w inver=1904 5&version= fa.1091y&n ocache=202 4110113051 9.339&_fci d=17289417 59157143 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - chrome.exe (PID: 5680 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2572 --fi eld-trial- handle=239 6,i,936350 0844381799 255,411192 6707263631 247,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - chrome.exe (PID: 7764 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= audio.mojo m.AudioSer vice --lan g=en-US -- service-sa ndbox-type =audio --m ojo-platfo rm-channel -handle=49 64 --field -trial-han dle=2396,i ,936350084 4381799255 ,411192670 7263631247 ,262144 -- disable-fe atures=Opt imizationG uideModelD ownloading ,Optimizat ionHints,O ptimizatio nHintsFetc hing,Optim izationTar getPredict ion /prefe tch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - chrome.exe (PID: 7776 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= video_capt ure.mojom. VideoCaptu reService --lang=en- US --servi ce-sandbox -type=none --mojo-pl atform-cha nnel-handl e=5324 --f ield-trial -handle=23 96,i,93635 0084438179 9255,41119 2670726363 1247,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92) - nspF85F.tmp (PID: 7628 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\nspF85 F.tmp" /in ternal 172 8941759157 143 /force MD5: C50F23A6E99F3FAEC7A10CEB1884F73E) - PcAppStore.exe (PID: 7404 cmdline:
"C:\Users\ user\PCApp Store\PcAp pStore.exe " /init de fault MD5: 102313158837DA34ECE7FBE599A0EEC5) 
explorer.exe (PID: 4004 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - PcAppStore.exe (PID: 2348 cmdline:
"C:\Users\ user\PCApp Store\PCAp pStore.exe " /init de fault MD5: 102313158837DA34ECE7FBE599A0EEC5) - AutoUpdater.exe (PID: 7924 cmdline:
"C:\Users\ user\PCApp Store\Auto Updater.ex e" /i MD5: 4B8501CCF1EB44EA96A20547D4EBE7D3) - qUkmMBjREGieFqRs.exe (PID: 2436 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 5576 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 1476 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 5924 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 1664 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 4632 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 4040 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 2532 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 5844 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 3648 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 2852 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 3896 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 2356 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 3872 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 3632 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 876 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 4200 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 4000 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 1096 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 6728 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 3204 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 6716 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 5348 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 5008 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 5352 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - qUkmMBjREGieFqRs.exe (PID: 5324 cmdline:
"C:\Progra m Files (x 86)\UVDOoC FyCVqMDYoJ XUnLungOKs WoYgmBuYYH XyGubhKwtV smiLnEJpvw SLzHARWaPQ DYlNlJliRD Tcoj\qUkmM BjREGieFqR s.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - Watchdog.exe (PID: 1176 cmdline:
"C:\Users\ user\PCApp Store\Watc hdog.exe" /guid=4D80 2742-3099- 9C0E-C19B- 2A23EA1FC4 20 /rid=20 2411011306 17.6115035 937 /ver=f a.1091y MD5: 3141E8E75FE71E17B1337CB97B37AB03)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| ironshell_php | Semi-Auto-generated - file ironshell.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls |
|
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
Compliance | |
|---|
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||