Edit tour

Windows Analysis Report
Setup_10024.exe

Overview

General Information

Sample name:	Setup_10024.exe
Analysis ID:	1606440
MD5:	bfad6caba29a22aa27a440152efbd209
SHA1:	c6412638a55ef72620a80b1094314e57d606b791
SHA256:	04b664179383f4a07083bb61829edf904f2909f621b76ca2bbd64285bbe594a5
Infos:

Detection

Score:	36
Range:	0 - 100
Confidence:	40%

Compliance

Score:	47
Range:	0 - 100

Signatures

Antivirus detection for URL or domain

Detected non-DNS traffic on DNS port

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

Uses 32bit PE files

Classification

Process Tree

System is w10x64

Setup_10024.exe (PID: 4048 cmdline: "C:\Users\user\Desktop\Setup_10024.exe" MD5: BFAD6CABA29A22AA27A440152EFBD209)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Cryptography
• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion
• Anti Debugging

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://appstalation.com/7104A12B017289DF/03034061431/24F3D2C94E09B5D1/73866997400?8DC009539E55612A1738669974

Avira URL Cloud: Label: malware

Cryptography

Source: Setup_10024.exe, 00000004.00000000.1272721694.00000000010F0000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_9ad28667-1

Compliance

Uses 32bit PE files

Source: Setup_10024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: Setup_10024.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.26.13.137:443 -> 192.168.2.7:49704 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup_10024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.7:59214 -> 162.159.36.2:53

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /7104A12B017289DF/03034061431/24F3D2C94E09B5D1/73866997400?8DC009539E55612A1738669974 HTTP/1.1Host: appstalation.comUser-Agent: NSIS_InetLoad (Mozilla)Accept: */*

Source: global traffic

DNS traffic detected: DNS query: appstalation.com

Source: Setup_10024.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup_10024.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup_10024.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup_10024.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup_10024.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup_10024.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup_10024.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup_10024.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup_10024.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup_10024.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup_10024.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup_10024.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup_10024.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup_10024.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: TeXworks0.6.2.exe.4.dr	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup_10024.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Setup_10024.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Setup_10024.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 104.26.13.137:443 -> 192.168.2.7:49704 version: TLS 1.2

System Summary

Uses 32bit PE files

Source: Setup_10024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus36.winEXE@1/1@1/2

Source: C:\Users\user\Desktop\Setup_10024.exe

File created: C:\Users\user\AppData\Local\LovingImpulsedqvApplication

Jump to behavior

Source: Setup_10024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup_10024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Setup_10024.exe	String found in binary or memory: easy handle already used in multi handleSet-Cookie:RELOADFLUSHSESSALL%dgetaddrinfo() thread failed to startAddDllDirectory\/LoadLibraryExWkernel32if_nametoindexiphlpapi.dllmultiH
Source: Setup_10024.exe	String found in binary or memory: */adD

Source: C:\Users\user\Desktop\Setup_10024.exe

File read: C:\Users\user\Desktop\Setup_10024.exe

Jump to behavior

Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup_10024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: Setup_10024.exe

Static PE information: certificate valid

PE file has a big code size

Source: Setup_10024.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: Setup_10024.exe

Static file information: File size 71918304 > 1048576

PE file has a big raw section

Source: Setup_10024.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x59ec00

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: Setup_10024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a valid data directory to section mapping

Source: Setup_10024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Setup_10024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Setup_10024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Setup_10024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Setup_10024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\Setup_10024.exe

File created: C:\Users\user\Desktop\TeXworks0.6.2.exe

Jump to dropped file

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Setup_10024.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\TeXworks0.6.2.exe

Jump to dropped file

Source: Setup_10024.exe, 00000004.00000003.1285673894.0000000003515000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V VHDPMEM BTT Filter
Source: Setup_10024.exe, 00000004.00000003.1285783878.0000000003511000.00000004.00000020.00020000.00000000.sdmp, Setup_10024.exe, 00000004.00000003.1285631133.000000000352B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Storage Accelerator
Source: Setup_10024.exe	Binary or memory string: Au1Ofc?1:q.HgfS)1IU7ma!o~6qyzuz
Source: Setup_10024.exe, 00000004.00000003.1285783878.0000000003511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ner ExtensionVerifierExterExtMicrosoft Virtual Drive EnumeratorDrive EnumeratorvdrvrootootUSB xHCI Compliant Host Controller Host ControllerUSBXHCIHCIMicrosoft USB Universal Host Controller Miniport Driver Controller Miniport DriverusbuhcihciUSB Mass Storage Driverrage DriverUSBSTORTORMicrosoft USB Serial DriverSerial DriverusbsererMicrosoft USB PRINTER ClassPRINTER ClassusbprintintMicrosoft USB Open Host Controller Miniport Driverntroller Miniport DriverusbohcihciSuperSpeed Hubed HubUSBHUB3UB3Microsoft USB Standard Hub Driverndard Hub DriverusbhububMicrosoft USB 2.0 Enhanced Host Controller Miniport Drivert Controller Miniport DriverusbehcihcieHome Infrared Receiver (USBCIR)ceiver (USBCIR)usbcirirMicrosoft USB Generic Parent Driverric Parent DriverusbccgpcgpUSB Audio 2.0 Service.0 Serviceusbaudio2dio2USB Audio Driver (WDM)iver (WDM)usbaudiodioSynopsys USB Role-Switch Drivere-Switch DriverUrsSynopsysopsysUSB Role-Switch Support LibrarySupport LibraryUrsCx010001000Chipidea USB Role-Switch Drivere-Switch DriverUrsChipideapideaMicrosoft UMPass DriverPass DriverUmPassssUMBus Enumerator Driverator DriverumbususUSB Synopsys Controller ControllerufxsynopsysopsysUSB Chipidea Controller ControllerUfxChipideapideaUSB Function Class Extensionass ExtensionUfx01000000UevAgentDriverDriverUevAgentDriverDriverMicrosoft UEFI DriverEFI DriverUEFIIudfssudfssUSB Device Emulation Support Libraryn Support LibraryUdeCxCxUSB Host Support Libraryort LibraryUcx01000000UCM-UCSI KMDF Class Extensionlass ExtensionUcmUcsiCx0101Cx0101UCM-UCSI ACPI ClientPI ClientUcmUcsiAcpiClientpiClientUCM-TCPCI KMDF Class Extensionlass ExtensionUcmTcpciCx0101Cx0101USB Connector Manager KMDF Class ExtensionKMDF Class ExtensionUcmCx01010101USB Attached SCSI (UAS) DriverI (UAS) DriverUASPStortorMicrosoft Tunnel Miniport Adapter Driverport Adapter DrivertunnelelRemote Desktop USB Hubop USB HubtsusbhubhubRemote Desktop Generic USB Deviceneric USB DeviceTsUsbGDbGDRemote Desktop USB Hub Class Filter Driver Class Filter DriverTsUsbFltFltTPMMTPMMMicrosoft Remote Desktop Input Driversktop Input DriverterminptnptIntel(R) Telemetry Serviceetry ServiceTelemetryetryNetIO Legacy TDI Support Driver Support DrivertdxxTCP/IP Registry Compatibility Compatibilitytcpipregreg@todo.dll,-100;Microsoft IPv6 Protocol Drivert IPv6 Protocol DriverTcpip6p6TCP/IP Protocol Drivercol DriverTcpipipSynth3dVscdVscSynth3dVscdVscSoftware Bus Driverus DriverswenumumstorvscvscstorvscvscMicrosoft Universal Flash Storage (UFS) Driverh Storage (UFS) DriverstorufsufsStorage QoS Filter Driverilter DriverstorqosfltsfltMicrosoft Standard NVM Express DriverNVM Express DriverstornvmevmeMicrosoft Hyper-V Storage Acceleratortorage AcceleratorstorfltfltMicrosoft Standard SATA AHCI Driver SATA AHCI Driverstorahci
Source: Setup_10024.exe, 00000004.00000003.1285673894.0000000003515000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Setup_10024.exe, 00000004.00000003.1285783878.0000000003511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtual PCI Bus
Source: Setup_10024.exe, 00000004.00000003.1285631133.000000000352B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft USB 2.0 Enhanced Host Controller Miniport Drivert Controller Miniport DriverusbehcihcieHome Infrared Receiver (USBCIR)ceiver (USBCIR)usbcirirMicrosoft USB Generic Parent Driverric Parent DriverusbccgpcgpUSB Audio 2.0 Service.0 Serviceusbaudio2dio2USB Audio Driver (WDM)iver (WDM)usbaudiodioSynopsys USB Role-Switch Drivere-Switch DriverUrsSynopsysopsysUSB Role-Switch Support LibrarySupport LibraryUrsCx010001000Chipidea USB Role-Switch Drivere-Switch DriverUrsChipideapideaMicrosoft UMPass DriverPass DriverUmPassssUMBus Enumerator Driverator DriverumbususUSB Synopsys Controller ControllerufxsynopsysopsysUSB Chipidea Controller ControllerUfxChipideapideaUSB Function Class Extensionass ExtensionUfx01000000UevAgentDriverDriverUevAgentDriverDriverMicrosoft UEFI DriverEFI DriverUEFIIudfssudfssUSB Device Emulation Support Libraryn Support LibraryUdeCxCxUSB Host Support Libraryort LibraryUcx01000000UCM-UCSI KMDF Class Extensionlass ExtensionUcmUcsiCx0101Cx0101UCM-UCSI ACPI ClientPI ClientUcmUcsiAcpiClientpiClientUCM-TCPCI KMDF Class Extensionlass ExtensionUcmTcpciCx0101Cx0101USB Connector Manager KMDF Class ExtensionKMDF Class ExtensionUcmCx01010101USB Attached SCSI (UAS) DriverI (UAS) DriverUASPStortorMicrosoft Tunnel Miniport Adapter Driverport Adapter DrivertunnelelRemote Desktop USB Hubop USB HubtsusbhubhubRemote Desktop Generic USB Deviceneric USB DeviceTsUsbGDbGDRemote Desktop USB Hub Class Filter Driver Class Filter DriverTsUsbFltFltTPMMTPMMMicrosoft Remote Desktop Input Driversktop Input DriverterminptnptIntel(R) Telemetry Serviceetry ServiceTelemetryetryNetIO Legacy TDI Support Driver Support DrivertdxxTCP/IP Registry Compatibility Compatibilitytcpipregreg@todo.dll,-100;Microsoft IPv6 Protocol Drivert IPv6 Protocol DriverTcpip6p6TCP/IP Protocol Drivercol DriverTcpipipSynth3dVscdVscSynth3dVscdVscSoftware Bus Driverus DriverswenumumstorvscvscstorvscvscMicrosoft Universal Flash Storage (UFS) Driverh Storage (UFS) DriverstorufsufsStorage QoS Filter Driverilter DriverstorqosfltsfltMicrosoft Standard NVM Express DriverNVM Express DriverstornvmevmeMicrosoft Hyper-V Storage Acceleratortorage AcceleratorstorfltfltMicrosoft Standard SATA AHCI Driver SATA AHCI DriverstorahcihcistexstortorstexstortorsrvnetetsrvnetetServer SMB 2.x8Q
Source: Setup_10024.exe, 00000004.00000003.1285783878.0000000003511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Guest Infrastructure Driver
Source: Setup_10024.exe, 00000004.00000003.1285783878.0000000003511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Driver
Source: Setup_10024.exe, 00000004.00000003.1285783878.0000000003511000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: XINPUT HID Filter Driverlter DriverxinputhidthidXbox Game Input Protocol DriverProtocol DriverxboxgipgipWindows Driver Foundation - User-mode Driver Framework Reflectormode Driver Framework ReflectorWUDFRdRdUser Mode Driver Frameworks Platform Driverworks Platform DriverWudfPfPfWinsock IFS DriverS Driverws2ifslfslWPD Upper Class Filter Driver Filter DriverWpdUpFltrFltrWindows Overlay File System Filter DriverSystem Filter DriverWoffMicrosoft Windows Management Interface for ACPIment Interface for ACPIWmiAcpicpiWinVerbs ServiceServiceWinVerbsrbsWinUsb DriverDriverWINUSBSBWindows NAT DriverT DriverWinNatatWinMad ServiceerviceWinMadadMicrosoft Windows Trusted Runtime Secure Service Runtime Secure ServiceWindowsTrustedRTProxytedRTProxyWindows Trusted Execution Environment Class Extensionnvironment Class ExtensionWindowsTrustedRTustedRTWIMMountuntWIMMountuntMicrosoft Windows Filtering Platformiltering PlatformWFPLWFSWFSMicrosoft Defender Antivirus Network Inspection System Drivertwork Inspection System DriverWdNisDrvDrvWdmCompanionFilteronFilterWdmCompanionFilteronFilterWDI Driver FrameworkFrameworkwdiwifiifiMicrosoft Defender Antivirus Mini-Filter Driverirus Mini-Filter DriverWdFilterterKernel Mode Driver Frameworks serviceFrameworks serviceWdf01000000Microsoft Defender Antivirus Boot Drivertivirus Boot DriverWdBoototWindows Container Name Virtualizationame VirtualizationwcnfsfsWindows Container Isolationner IsolationwcifsfsRemote Access IPv6 ARP DriverPv6 ARP Driverwanarpv6pv6Remote Access IP ARP DriverIP ARP DriverwanarprpWacom Serial Pen HID Driveren HID DriverWacomPenPenVirtual WiFi Filter Driverilter DrivervwififltfltVirtual Wireless Bus Driverss Bus DrivervwifibusbusVIA StorX Storage RAID Controller Windows Driverntroller Windows DriverVSTXRAIDAIDvsmraidaidvsmraidaidMicrosoft Hyper-V Virtual PCI Bus Virtual PCI BusvpciiVolume driverdrivervolumemeVolume Shadow Copy driver Copy drivervolsnapnapDynamic Volume Managerme ManagervolmgrxgrxVolume Manager Driverger DrivervolmgrgrMicrosoft Hyper-V Guest Infrastructure Driver Infrastructure DrivervmgididVMware VMCI Bus DriverBus DrivervmciiVMBusHIDHIDVMBusHIDHIDVirtual Machine Buschine BusvmbususVirtualRenderRenderVirtualRenderRenderViddViddVirtual HID Framework (VHF) Driverork (VHF) DrivervhffvhdmpmpvhdmpmpDriver V

Source: C:\Users\user\Desktop\Setup_10024.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Enables debug privileges

Source: C:\Users\user\Desktop\Setup_10024.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Setup_10024.exe	Process token adjusted: Debug			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\TeXworks0.6.2.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://appstalation.com/7104A12B017289DF/03034061431/24F3D2C94E09B5D1/73866997400?8DC009539E55612A1738669974	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
appstalation.com	104.26.13.137	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://appstalation.com/7104A12B017289DF/03034061431/24F3D2C94E09B5D1/73866997400?8DC009539E55612A1738669974	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://curl.se/docs/hsts.html	Setup_10024.exe	false	high
https://curl.se/docs/alt-svc.html	Setup_10024.exe	false	high
https://curl.se/docs/http-cookies.html	Setup_10024.exe	false	high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	TeXworks0.6.2.exe.4.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.137	appstalation.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1606440
Start date and time:	2025-02-04 12:51:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup_10024.exe
Detection:	SUS
Classification:	sus36.winEXE@1/1@1/2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SWIFT.cmd	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	https://gffd-5ru.pages.dev/?email=nobody@wp.pl&mail=wp.pl	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	FD69000089087654567800009876545678900.pif.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	CONFIDENTIAL_PAYMENT_CONFIRMATION_TRANSACTION_DETAILS_022025.PDF.EXE.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Pre-alert documents.exe	Get hash	malicious	FormBook	Browse	104.21.35.208
	Rfq_quality_purchase_product_specification_order_list_04_02_2025_000000000000000.vbs	Get hash	malicious	FormBook	Browse	172.67.197.221
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://boxesiamanorhornas.com/4439750220	Get hash	malicious	Unknown	Browse	104.17.25.14
	H-CaseFile987763403 Hc Doc.pdf	Get hash	malicious	Unknown	Browse	104.26.4.170
	ORDER 000227APD.exe	Get hash	malicious	FormBook	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://proveedores.veochile.net	Get hash	malicious	Unknown	Browse	104.26.13.137
	http://80.64.30.238/evix.xll	Get hash	malicious	Unknown	Browse	104.26.13.137
	CONFIDENTIAL_PAYMENT_CONFIRMATION_TRANSACTION_DETAILS_022025.PDF.EXE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.137
	Rfq_quality_purchase_product_specification_order_list_04_02_2025_000000000000000.vbs	Get hash	malicious	FormBook	Browse	104.26.13.137
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.137
	BBVA S.A.,PDF.vbs	Get hash	malicious	Remcos	Browse	104.26.13.137
	https://links.gupd.marketgainsupdates.com/track?uid=30ea94e6-865b-421e-ba6c-e375addd3b67&txnid=df182e0a-ee0c-43a0-9c6a-de7587a3d304&eid=2d72fd75-75d2-48dd-9f40-508cdd1145ed&mid=32fe6f62-b035-4b1e-b06d-9915d5916d07&bsft_ek=2025-02-03T21%3A28%3A11Z&bsft_mime_type=html&bsft_tv=7&bsft_lx=8&bsft_aaid=2b681735-0241-464e-9928-6f7f561dab54&a=click&redir=https%3A%2F%2Ftrack.marketgainsupdates.com%2F6790d5c4865e7f7867f0af5b%3Femail%3Dcliff.pettit%2540technipfmc.com%26domain%3D092MGU%26type%3Dunsub%26utm_campaign%3Dmgu-adsr1-03-02-3%26utm_source%3Dblueshift%26utm_medium%3Demail%26utm_content%3Dmgu-adsr1-03-02-3-nocopy	Get hash	malicious	Unknown	Browse	104.26.13.137
	Nowe zam#U00f3wienie 06645478721 - PRODUCEL POLSKA.com.exe	Get hash	malicious	Quasar	Browse	104.26.13.137
	130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.137
	http://form.run	Get hash	malicious	Unknown	Browse	104.26.13.137

Process:	C:\Users\user\Desktop\Setup_10024.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15680108
Entropy (8bit):	7.99867394510982
Encrypted:	true
SSDEEP:	393216:6EZ4UtuDZy1VABW1d5pKYcun8WUusjhIjIppfBugo0:6EZ4UtuDZy1ye3n8jusjhI2YgN
MD5:	DADEC2CE17A256082B1AB0ECC92A01E8
SHA1:	4EAD9DCEFD976862F68FDFF26F5A6C80EF11AAFA
SHA-256:	E5847ADB23DFB0944D20890CF0F027A322BCEF323CC98F658D89A16F9CB22AB7
SHA-512:	55FB9872DE9C98BD4BDFA0298F3273A8F76C138D1D18FC1984CEB6AEF25C82198C69B834F9480F9A90744A6728C7BACCB167595B539D3F3679F7137BD4101533
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......W.....................r............... ....@.......................... ............@......@.......................................P...........................................................................................................text...D........................... ..`.itext..d........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.................&...................rdata...............&..............@..@.rsrc....`.......R...(..............@..@....................................@..@........................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.913419666383093
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup_10024.exe
File size:	71'918'304 bytes
MD5:	bfad6caba29a22aa27a440152efbd209
SHA1:	c6412638a55ef72620a80b1094314e57d606b791
SHA256:	04b664179383f4a07083bb61829edf904f2909f621b76ca2bbd64285bbe594a5
SHA512:	fc58e2f2db12cbccee9a87657ece27e6b6bf031713a05dd172f6515e724d411b161881de688ac12e4a269cee72d5453d6460b3a059a41de31eb50011bbc98955
SSDEEP:	393216:nHlKgQ0KjRLjx+kpOJBO39wqjJdPrwZxhYSE/5rQpjIOsv/+Nj2:nFKgQlpOJBO3COiYSI5rQpjc8j
TLSH:	88F7CFEAC7ADF491EFF240F07B1B96D03659D5F8182A46E77F8753412820E42E260E97
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........B....................)...............................................................Rich............................PE..L..

File Icon


Icon Hash:	b8868baba9aba2d8

Static PE Info

General

Entrypoint:	0x939cca
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67223DA0 [Wed Oct 30 14:07:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ea425b7c70eb4c9431e5bb4f75b4971b

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	28/02/2024 19:00:00 18/12/2024 18:59:59
Subject Chain	CN=Jackson Developments LLC, O=Jackson Developments LLC, L=Dover, S=Delaware, C=US, SERIALNUMBER=3701621, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	5A11C551A8D20A8C5238A62B74CAC438
Thumbprint SHA-1:	48CBF673067F3ED932E4A3EB963769A38585282A
Thumbprint SHA-256:	B04E2F1A13F12F9ECBAAB781B377C2A6E47BE389EAC501DF4F71E037E13DDAD9
Serial:	01C1631B482989063EA7E766EA023FA2

Entrypoint Preview

Instruction
call 00007F4E113E0BFEh
jmp 00007F4E113D903Eh
push edi
mov eax, esi
and eax, 0Fh
test eax, eax
jne 00007F4E113D9277h
mov edx, ecx
and ecx, 7Fh
shr edx, 07h
je 00007F4E113D9217h
jmp 00007F4E113D91B8h
lea ebx, dword ptr [ebx+00000000h]
movdqa xmm0, dqword ptr [esi]
movdqa xmm1, dqword ptr [esi+10h]
movdqa xmm2, dqword ptr [esi+20h]
movdqa xmm3, dqword ptr [esi+30h]
movdqa dqword ptr [edi], xmm0
movdqa dqword ptr [edi+10h], xmm1
movdqa dqword ptr [edi+20h], xmm2
movdqa dqword ptr [edi+30h], xmm3
movdqa xmm4, dqword ptr [esi+40h]
movdqa xmm5, dqword ptr [esi+50h]
movdqa xmm6, dqword ptr [esi+60h]
movdqa xmm7, dqword ptr [esi+70h]
movdqa dqword ptr [edi+40h], xmm4
movdqa dqword ptr [edi+50h], xmm5
movdqa dqword ptr [edi+60h], xmm6
movdqa dqword ptr [edi+70h], xmm7
lea esi, dword ptr [esi+00000080h]
lea edi, dword ptr [edi+00000080h]
dec edx
jne 00007F4E113D9155h
test ecx, ecx
je 00007F4E113D91FBh
mov edx, ecx
shr edx, 04h
test edx, edx
je 00007F4E113D91C9h
lea ebx, dword ptr [ebx+00000000h]
movdqa xmm0, dqword ptr [esi]
movdqa dqword ptr [edi], xmm0
lea esi, dword ptr [esi+10h]
lea edi, dword ptr [edi+10h]
dec edx
jne 00007F4E113D91A1h
and ecx, 0Fh
je 00007F4E113D91D6h
mov eax, ecx
shr ecx, 02h
je 00007F4E113D91BFh
mov edx, dword ptr [esi]
mov dword ptr [edi], edx
lea esi, dword ptr [esi+04h]
lea edi, dword ptr [edi+04h]
dec ecx
jne 00007F4E113D91A5h
mov ecx, eax
and ecx, 00000000h

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[IMP] VS2005 build 50727
[ C ] VS2005 build 50727
[C++] VS2005 build 50727
[RES] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d3b54	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5df000	0x2548	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x14ca5e0	0x2fcbd00
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e2000	0x14cf8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5cbfa0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5a0000	0x460	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x59ea9c	0x59ec00	4e8e2070662fb1f1b862554e5ed481b7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5a0000	0x35114	0x35200	6b72797e4f2940752d77ee6cce93dfe0	False	0.4638465073529412	data	5.575404213470285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5d6000	0x8bec	0x2800	379ac5897895e03b9d53ff25e69af227	False	0.2853515625	data	4.423791020840206	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5df000	0x2548	0x2600	e7d863cae69777cd49f951deda479947	False	0.3195929276315789	data	3.8420086869927177	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e2000	0x17192	0x17200	70038d4d7075355a13eb8a7385b2758b	False	0.5490920608108109	data	6.2094324351967565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5df828	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0x5dfb10	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_DIALOG	0x5e01b0	0x2b8	data	English	United States	0.4755747126436782
RT_DIALOG	0x5dfc60	0x12e	data	English	United States	0.6225165562913907
RT_DIALOG	0x5dfd90	0x2f4	data	English	United States	0.48148148148148145
RT_DIALOG	0x5e0088	0x126	data	English	United States	0.5850340136054422
RT_STRING	0x5e0ac8	0x3e	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.6774193548387096
RT_STRING	0x5e0a80	0x42	data	English	United States	0.7121212121212122
RT_STRING	0x5e0b08	0x60	data	English	United States	0.5625
RT_STRING	0x5e1518	0x30	data	English	United States	0.5833333333333334
RT_STRING	0x5e0b68	0x208	Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0	English	United States	0.4269230769230769
RT_STRING	0x5e0d70	0xe2	Matlab v4 mat-file (little endian) C, numeric, rows 0, columns 0	English	United States	0.43805309734513276
RT_STRING	0x5e0e58	0x34	data	English	United States	0.6538461538461539
RT_STRING	0x5e0e90	0x30	data	English	United States	0.6041666666666666
RT_STRING	0x5e0ec0	0x6e	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	English	United States	0.6818181818181818
RT_STRING	0x5e0f30	0x11a	data	English	United States	0.5035460992907801
RT_STRING	0x5e1050	0x6a	data	English	United States	0.5471698113207547
RT_STRING	0x5e0a48	0x32	data	English	United States	0.58
RT_STRING	0x5e10c0	0x1ea	data	English	United States	0.363265306122449
RT_STRING	0x5e12b0	0x156	Matlab v4 mat-file (little endian) U, numeric, rows 0, columns 0	English	United States	0.5175438596491229
RT_STRING	0x5e1408	0x56	data	English	United States	0.6162790697674418
RT_STRING	0x5e1460	0xb6	data	English	United States	0.5164835164835165
RT_GROUP_ICON	0x5dfc38	0x22	data	English	United States	1.0
RT_VERSION	0x5df550	0x2d4	data	English	United States	0.4212707182320442
RT_MANIFEST	0x5e0468	0x5de	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.46604527296937415

Imports

DLL	Import
KERNEL32.dll	MoveFileW, IsValidCodePage, GetLocaleInfoW, CreateDirectoryW, CreateSemaphoreW, WriteConsoleW, VirtualAlloc, CompareStringW, GetProcessAffinityMask, FlushFileBuffers, GetTimeZoneInformation, InitializeCriticalSectionAndSpinCount, LCMapStringW, GlobalFree, GetTimeFormatA, RaiseException, TlsSetValue, RtlUnwind, DeleteFileA, Sleep, GetFileSizeEx, GetLastError, CompareFileTime, GetDateFormatA, HeapAlloc, WriteFile, HeapReAlloc, TlsFree, DecodePointer, CloseHandle, GetStdHandle, GetModuleFileNameA, VerifyVersionInfoW, IsValidLocale, GlobalLock, GetFileType, EnterCriticalSection, SetStdHandle, FindFirstFileW, IsProcessorFeaturePresent, GetCommandLineW, LoadLibraryA, GetEnvironmentVariableA, GetModuleHandleW, LoadLibraryExW, DeleteCriticalSection, IsDebuggerPresent, CreateThread, GetEnvironmentStringsW, SetLastError, GetSystemTimeAsFileTime, MoveFileExW, GetCurrentProcessId, GetFileInformationByHandle, HeapSize, PeekNamedPipe, GetModuleHandleA, WideCharToMultiByte, TlsAlloc, GetSystemInfo, FindClose, GetCurrentProcess, GlobalMemoryStatus, WaitForMultipleObjects, FormatMessageW, SetEndOfFile, QueryPerformanceFrequency, EncodePointer, GetUserDefaultLCID, FileTimeToLocalFileTime, TlsGetValue, ReleaseSemaphore, lstrlenA, QueryPerformanceCounter, RemoveDirectoryW, GetStringTypeW, FreeLibrary, MultiByteToWideChar, FreeEnvironmentStringsW, InterlockedDecrement, GlobalUnlock, GetConsoleCP, GetCurrentDirectoryW, SetUnhandledExceptionFilter, SleepEx, CreateFileW, ResetEvent, VirtualFree, UnhandledExceptionFilter, EnumSystemLocalesA, LocalFree, DeleteFileW, GetConsoleMode, GetVersion, GetTickCount, ReadFile, GetDriveTypeW, WaitForSingleObject, SetFileAttributesW, SetEvent, CreateEventW, SetHandleCount, GetProcAddress, HeapFree, GetVersionExW, GlobalAlloc, GetFileAttributesW, HeapSetInformation, GetTickCount64, HeapCreate, LoadLibraryW, LeaveCriticalSection, VerSetConditionMask, GetCurrentThreadId, GetLogicalDriveStringsW, SetPriorityClass, TerminateProcess, GetOEMCP, ExitThread, InterlockedExchange, GetACP, InitializeCriticalSection, GetFileSize, FileTimeToSystemTime, GetSystemDirectoryW, GetCommandLineA, GetLocaleInfoA, GetModuleFileNameW, GetCPInfo, FindNextFileW, ExitProcess, SetEnvironmentVariableA, VirtualQuery, GetStartupInfoW, FindFirstFileExW, InterlockedIncrement, GetProcessHeap, SetFileTime, GetFullPathNameW, SetFilePointer
USER32.dll	SetWindowLongW, GetParent, EmptyClipboard, MonitorFromWindow, GetWindowRect, EndDialog, SetFocus, IsDlgButtonChecked, MoveWindow, CheckDlgButton, ShowWindow, EnableWindow, SetWindowTextW, GetDlgItem, SetDlgItemTextW, ScreenToClient, PostMessageW, GetWindowLongW, KillTimer, GetWindowTextLengthW, CharUpperW, SetCursor, wsprintfA, SetClipboardData, InvalidateRect, LoadStringW, SetTimer, GetWindowTextW, SendMessageW, OpenClipboard, DialogBoxParamW, CloseClipboard, GetMonitorInfoA, LoadCursorW, GetFocus, SystemParametersInfoW, GetKeyState, MapDialogRect, LoadIconW, MessageBoxW
ADVAPI32.dll	CryptDestroyHash, CryptDestroyKey, CryptHashData, CloseServiceHandle, CryptGetHashParam, CryptReleaseContext, CryptCreateHash, CryptEncrypt, CryptImportKey, CryptAcquireContextW, CryptGenRandom
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW
ole32.dll	CoTaskMemFree, CoCreateInstance, OleInitialize, CoInitialize, CoUninitialize
OLEAUT32.dll	SysAllocString, SysStringLen, SysAllocStringLen, VariantClear, SysFreeString
WS2_32.dll	WSAEnumNetworkEvents, WSAWaitForMultipleEvents, WSAIoctl, WSACreateEvent, getaddrinfo, WSAEventSelect, WSAStartup, recvfrom, WSACleanup, WSAGetLastError, send, closesocket, gethostname, ioctlsocket, __WSAFDIsSet, select, recv, WSAResetEvent, setsockopt, getsockname, ntohs, bind, htons, getsockopt, getpeername, socket, connect, WSASetLastError, freeaddrinfo, WSACloseEvent, accept, listen, sendto, htonl
CRYPT32.dll	CertOpenStore, CertAddCertificateContextToStore, CertCloseStore, CryptQueryObject, CertFreeCertificateChainEngine, CertEnumCertificatesInStore, CryptDecodeObjectEx, CertFreeCertificateChain, CertFreeCertificateContext, CertFindExtension, CertGetCertificateChain, CryptStringToBinaryW, CertCreateCertificateChainEngine, CertFindCertificateInStore, PFXImportCertStore
WLDAP32.dll

Version Infos

Description	Data
CompanyName	Loving Impulse Studios
FileDescription	TeX work Loving Impulse Studios
FileVersion	1.0.0.0
ProductVersion	1.0.0.0
LegalCopyright	Copyright 2010-2024 Loving Impulse Studios
ProductName	TeX work Loving Impulse Studio
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 13
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2025 12:52:55.541482925 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:55.541516066 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:55.541618109 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:55.591660976 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:55.591676950 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:56.054897070 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:56.054960966 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:56.066931009 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:56.066943884 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:56.067178965 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:56.096885920 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:56.139333963 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:56.263935089 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:56.264045000 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:52:56.264142036 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:56.289908886 CET	49704	443	192.168.2.7	104.26.13.137
Feb 4, 2025 12:52:56.289937973 CET	443	49704	104.26.13.137	192.168.2.7
Feb 4, 2025 12:53:38.755935907 CET	59214	53	192.168.2.7	162.159.36.2
Feb 4, 2025 12:53:38.761723042 CET	53	59214	162.159.36.2	192.168.2.7
Feb 4, 2025 12:53:38.761820078 CET	59214	53	192.168.2.7	162.159.36.2
Feb 4, 2025 12:53:38.766638994 CET	53	59214	162.159.36.2	192.168.2.7
Feb 4, 2025 12:53:39.216804981 CET	59214	53	192.168.2.7	162.159.36.2
Feb 4, 2025 12:53:39.221767902 CET	53	59214	162.159.36.2	192.168.2.7
Feb 4, 2025 12:53:39.221822023 CET	59214	53	192.168.2.7	162.159.36.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 4, 2025 12:52:55.507365942 CET	62196	53	192.168.2.7	1.1.1.1
Feb 4, 2025 12:52:55.521495104 CET	53	62196	1.1.1.1	192.168.2.7
Feb 4, 2025 12:53:38.755347013 CET	53	65514	162.159.36.2	192.168.2.7
Feb 4, 2025 12:53:39.232336044 CET	53	56462	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 4, 2025 12:52:55.507365942 CET	192.168.2.7	1.1.1.1	0x2b2b	Standard query (0)	appstalation.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Feb 4, 2025 12:52:55.521495104 CET	1.1.1.1	192.168.2.7	0x2b2b	No error (0)	appstalation.com	104.26.13.137	A (IP address)	IN (0x0001)	false
Feb 4, 2025 12:52:55.521495104 CET	1.1.1.1	192.168.2.7	0x2b2b	No error (0)	appstalation.com	172.67.71.182	A (IP address)	IN (0x0001)	false
Feb 4, 2025 12:52:55.521495104 CET	1.1.1.1	192.168.2.7	0x2b2b	No error (0)	appstalation.com	104.26.12.137	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

appstalation.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	104.26.13.137	443	4048	C:\Users\user\Desktop\Setup_10024.exe

Timestamp	Bytes transferred	Direction	Data
2025-02-04 11:52:56 UTC	176	OUT	GET /7104A12B017289DF/03034061431/24F3D2C94E09B5D1/73866997400?8DC009539E55612A1738669974 HTTP/1.1 Host: appstalation.com User-Agent: NSIS_InetLoad (Mozilla) Accept: /
2025-02-04 11:52:56 UTC	771	IN	HTTP/1.1 200 OK Date: Tue, 04 Feb 2025 11:52:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s%2Blgs5Ij%2FCuhn8sVMsxMqMtlA0lBQJLJca6B%2FZcDaiMII%2FTk3rY017EZ%2BQDDc%2F9CV4Vlqq2vol9%2FxZbTeyympufDNnv%2F56A4uDlxNgSl7IlMSWCmFDvScYAXHOSxYjL%2F%2FOo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90ca7516e8d30f87-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1474&rtt_var=570&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2842&recv_bytes=814&delivery_rate=1888745&cwnd=229&unsent_bytes=0&cid=71d3ac35f7fcd1dd&ts=222&x=0"
2025-02-04 11:52:56 UTC	38	IN	Data Raw: 32 30 0d 0a 30 39 36 41 43 41 38 41 42 42 34 35 34 39 31 45 37 39 38 45 43 34 45 44 44 36 32 30 42 41 37 45 0d 0a Data Ascii: 20096ACA8ABB45491E798EC4EDD620BA7E
2025-02-04 11:52:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• Setup_10024.exe

Click to jump to process

Memory Usage

• Setup_10024.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Target ID:	4
Start time:	06:52:54
Start date:	04/02/2025
Path:	C:\Users\user\Desktop\Setup_10024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup_10024.exe"
Imagebase:	0xb50000
File size:	71'918'304 bytes
MD5 hash:	BFAD6CABA29A22AA27A440152EFBD209
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup_10024.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\TeXworks0.6.2.exe

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
Setup_10024.exe