Edit tour
Windows
Analysis Report
Setup.exe
Overview
General Information
| Sample name: | Setup.exe |
| Analysis ID: | 1549726 |
| MD5: | 6309770ca668239c93a093e885a362e2 |
| SHA1: | e6b1bafe8723468b1c191f46d2c0a21d61e896e6 |
| SHA256: | 27c5187ed2c3272fadb508d182ca580e77161ed2699e53e39f151dc22cb89aef |
| Infos: |  |
 | |
Detection
| Score: | 54 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Compliance
| Score: | 35 |
| Range: | 0 - 100 |
Signatures
Multi AV Scanner detection for dropped file
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a global mouse hook
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64native
Setup.exe (PID: 1940 cmdline: "C:\Users\ user\Deskt op\Setup.e xe" MD5: 6309770CA668239C93A093E885A362E2) 
chrome.exe (PID: 7884 cmdline: "C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t https:// pcapp.stor e/installi ng.php?gui d=00000000 -0000-0000 -0000-D050 99DB2397&w inver=1904 2&version= fa.1092c&n ocache=202 4110518132 5.34&_fcid =173084622 6315208 MD5: BB7C48CDDDE076E7EB44022520F40F77) - chrome.exe (PID: 6416 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --no-subpr oc-heap-pr ofiling -- field-tria l-handle=2 176,i,1190 7367456306 388257,129 6314807213 6716127,26 2144 --dis able-featu res=Optimi zationGuid eModelDown loading,Op timization HintsFetch ing,Optimi zationTarg etPredicti on --varia tions-seed -version=2 0240909-18 0142.41600 0 --mojo-p latform-ch annel-hand le=2212 /p refetch:3 MD5: BB7C48CDDDE076E7EB44022520F40F77) - chrome.exe (PID: 8640 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= audio.mojo m.AudioSer vice --lan g=en-US -- service-sa ndbox-type =audio --v ideo-captu re-use-gpu -memory-bu ffer --no- subproc-he ap-profili ng --field -trial-han dle=4844,i ,119073674 5630638825 7,12963148 0721367161 27,262144 --disable- features=O ptimizatio nGuideMode lDownloadi ng,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction -- variations -seed-vers ion=202409 09-180142. 416000 --m ojo-platfo rm-channel -handle=54 08 /prefet ch:8 MD5: BB7C48CDDDE076E7EB44022520F40F77) - chrome.exe (PID: 8660 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= video_capt ure.mojom. VideoCaptu reService --lang=en- US --servi ce-sandbox -type=none --video-c apture-use -gpu-memor y-buffer - -no-subpro c-heap-pro filing --f ield-trial -handle=52 04,i,11907 3674563063 88257,1296 3148072136 716127,262 144 --disa ble-featur es=Optimiz ationGuide ModelDownl oading,Opt imizationH intsFetchi ng,Optimiz ationTarge tPredictio n --variat ions-seed- version=20 240909-180 142.416000 --mojo-pl atform-cha nnel-handl e=5196 /pr efetch:8 MD5: BB7C48CDDDE076E7EB44022520F40F77) - nsy2C04.tmp (PID: 8364 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\nsy2C0 4.tmp" /in ternal 173 0846226315 208 /force MD5: 84EE733F8014D22DAD2DFEF725489980) - PcAppStore.exe (PID: 8752 cmdline:
"C:\Users\ user\PCApp Store\PcAp pStore.exe " /init de fault MD5: 4B88D8ADA8D22622C30D581FC38EAA52) 
explorer.exe (PID: 5000 cmdline: C:\Windows \Explorer. EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7) - PcAppStore.exe (PID: 4920 cmdline:
"C:\Users\ user\PCApp Store\PCAp pStore.exe " /init de fault MD5: 4B88D8ADA8D22622C30D581FC38EAA52) - tddPFIUbTNWNQ.exe (PID: 6648 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 6180 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 4888 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 2324 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 1488 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 3292 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 5304 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 3236 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 7656 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 2796 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 4168 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 2548 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 1244 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 6448 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 1928 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 4596 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 2772 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 2784 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 2768 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 5136 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 5256 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 4812 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 1352 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 4784 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 5776 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 4844 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 8100 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 3716 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 1688 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - tddPFIUbTNWNQ.exe (PID: 6156 cmdline:
"C:\Progra m Files (x 86)\bXseEr gRACaHGFcF YIDMCELjOM SOHhEoXkoq JAUxIIBZIm RURAEAGqCW cQqhvVYUWG ZsWSwwH\td dPFIUbTNWN Q.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717) - Watchdog.exe (PID: 8820 cmdline:
"C:\Users\ user\PCApp Store\Watc hdog.exe" /guid=0000 0000-0000- 0000-0000- D05099DB23 97 /rid=20 2411051814 07.1816081 953 /ver=f a.1092c MD5: 11F3801CB9FF046D6075F681971C4EB8)
svchost.exe (PID: 8472 cmdline: C:\Windows \system32\ svchost.ex e -k Local SystemNetw orkRestric ted -p -s NgcSvc MD5: F586835082F632DC8D9404D83BC16316)
- svchost.exe (PID: 8536 cmdline:
C:\Windows \system32\ svchost.ex e -k Local ServiceNet workRestri cted -p -s NgcCtnrSv c MD5: F586835082F632DC8D9404D83BC16316)
- cleanup
⊘No configs have been found
⊘No yara matches
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: vburov: | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection |   |
|---|
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
| Source: | HTTP Parser: | ||
Compliance | |
|---|
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||