Windows Analysis Report
Setup.exe

Overview

General Information

Sample Name:Setup.exe
Analysis ID:786075
MD5:10bdb4e5fa699f652e5f87255a24f5a8
SHA1:1fc82d9127569c471fa9902405658d84b6e46b8e
SHA256:9a072a9b2f5673ff828000fcbcbd100bde6c1678176e4a8292a27c6b5be7f4ea
Tags:exe
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
Contains functionality to detect sleep reduction / modifications
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evaded block containing many API calls
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • Setup.exe (PID: 4156 cmdline: C:\Users\user\Desktop\Setup.exe MD5: 10BDB4E5FA699F652E5F87255A24F5A8)
    • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1104 cmdline: C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • mode.com (PID: 4700 cmdline: mode con:cols=0080 lines=0025 MD5: D781CD6A6484C276A4D0750D9206A382)
    • cmd.exe (PID: 2376 cmdline: C:\Windows\system32\cmd.exe /c title Installing Packages MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4928 cmdline: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder" MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4248 cmdline: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\xtmp" mkdir "C:\Users\user\AppData\Local\Temp\xtmp" MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 2632 cmdline: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\xtmp MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • attrib.exe (PID: 4640 cmdline: attrib +h C:\Users\user\AppData\Local\Temp\xtmp MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
    • cmd.exe (PID: 5304 cmdline: C:\Windows\system32\cmd.exe /c echo:0>C:\Users\user\AppData\Local\Temp\is64.txt MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5992 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\is64.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 5540 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • cmd.exe (PID: 4800 cmdline: C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • cmd.exe (PID: 4844 cmdline: C:\Windows\system32\cmd.exe /c MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 4808 cmdline: C:\Windows\system32\cmd.exe /c MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
No configs have been found
Source: Setup.exe | Rule: SUSP_BAT2EXE_BDargo_Converted_BAT | Description: Detects binaries created with BDARGO Advanced BAT to EXE converter | Author: Florian Roth | Strings:
  • 0x10270:$s1: Error #bdembed1 -- Quiting
  • 0x100d4:$s2: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
  • 0x10360:$s3: \a.txt
  • 0xf120:$s4: command.com
  • 0x10040:$s8: %s%s%s%s%s%s%s%s
  • 0x1009c:$s8: %s%s%s%s%s%s%s%s
  • 0x100d4:$s8: %s%s%s%s%s%s%s%s
  • 0x10184:$s8: %s%s%s%s%s%s%s%s
  • 0x102b8:$s8: %s%s%s%s%s%s%s%s
  • 0x102f4:$s8: %s%s%s%s%s%s%s%s
  • 0x1030c:$s8: %s%s%s%s%s%s%s%s
Source: 0.2.Setup.exe.400000.0.unpack | Rule: SUSP_BAT2EXE_BDargo_Converted_BAT | Description: Detects binaries created with BDARGO Advanced BAT to EXE converter | Author: Florian Roth | Strings:
  • 0x10270:$s1: Error #bdembed1 -- Quiting
  • 0x100d4:$s2: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
  • 0x10360:$s3: \a.txt
  • 0xf120:$s4: command.com
  • 0x10040:$s8: %s%s%s%s%s%s%s%s
  • 0x1009c:$s8: %s%s%s%s%s%s%s%s
  • 0x100d4:$s8: %s%s%s%s%s%s%s%s
  • 0x10184:$s8: %s%s%s%s%s%s%s%s
  • 0x102b8:$s8: %s%s%s%s%s%s%s%s
  • 0x102f4:$s8: %s%s%s%s%s%s%s%s
  • 0x1030c:$s8: %s%s%s%s%s%s%s%s
Source: 0.0.Setup.exe.400000.0.unpack | Rule: SUSP_BAT2EXE_BDargo_Converted_BAT | Description: Detects binaries created with BDARGO Advanced BAT to EXE converter | Author: Florian Roth | Strings:
  • 0x10270:$s1: Error #bdembed1 -- Quiting
  • 0x100d4:$s2: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
  • 0x10360:$s3: \a.txt
  • 0xf120:$s4: command.com
  • 0x10040:$s8: %s%s%s%s%s%s%s%s
  • 0x1009c:$s8: %s%s%s%s%s%s%s%s
  • 0x100d4:$s8: %s%s%s%s%s%s%s%s
  • 0x10184:$s8: %s%s%s%s%s%s%s%s
  • 0x102b8:$s8: %s%s%s%s%s%s%s%s
  • 0x102f4:$s8: %s%s%s%s%s%s%s%s
  • 0x1030c:$s8: %s%s%s%s%s%s%s%s
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Setup.exe | Virustotal: Detection: 11%
Source: Setup.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Setup.exe, type: SAMPLE | Matched rule: SUSP_BAT2EXE_BDargo_Converted_BAT date = 2018-07-28, hash1 = a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88, author = Florian Roth, description = Detects binaries created with BDARGO Advanced BAT to EXE converter, score = d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda, reference = https://www.majorgeeks.com/files/details/advanced_bat_to_exe_converter.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-23
Source: 0.2.Setup.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_BAT2EXE_BDargo_Converted_BAT date = 2018-07-28, hash1 = a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88, author = Florian Roth, description = Detects binaries created with BDARGO Advanced BAT to EXE converter, score = d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda, reference = https://www.majorgeeks.com/files/details/advanced_bat_to_exe_converter.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-23
Source: 0.0.Setup.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_BAT2EXE_BDargo_Converted_BAT date = 2018-07-28, hash1 = a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88, author = Florian Roth, description = Detects binaries created with BDARGO Advanced BAT to EXE converter, score = d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda, reference = https://www.majorgeeks.com/files/details/advanced_bat_to_exe_converter.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-06-23
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040B3C6
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040DD8F
Source: C:\Users\user\Desktop\Setup.exe | Code function: String function: 004076E0 appears 41 times
Source: C:\Users\user\Desktop\Setup.exe | File read: C:\Users\user\Desktop\Setup.exe
Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Setup.exe C:\Users\user\Desktop\Setup.exe
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com mode con:cols=0080 lines=0025
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c title Installing Packages
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\xtmp" mkdir "C:\Users\user\AppData\Local\Temp\xtmp"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\xtmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\xtmp
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo:0>C:\Users\user\AppData\Local\Temp\is64.txt
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\is64.bat
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\is64.bat
Source: classification engine | Classification label: mal56.evad.winEXE@28/3@0/0
Source: Setup.exe | Static PE information: real checksum: 0x2ef08 should be: 0x1ba3b
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00407890 push eax; ret
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040D1EF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00405A04
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Setup.exe | Evaded block: after key decision

Anti Debugging

Source: C:\Users\user\Desktop\Setup.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040D1EF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c title Installing Packages
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\xtmp" mkdir "C:\Users\user\AppData\Local\Temp\xtmp"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\xtmp
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c echo:0>C:\Users\user\AppData\Local\Temp\is64.txt
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\is64.bat
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c
Source: C:\Users\user\Desktop\Setup.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mode.com mode con:cols=0080 lines=0025
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h C:\Users\user\AppData\Local\Temp\xtmp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00408006 EntryPoint,GetVersion,GetCommandLineA,
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Scripting | Path Interception | 11 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 2 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Process Injection | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Scripting | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph ID: 786075, Sample: Setup.exe, Start date: 17/01/2023, Architecture: WINDOWS, Score: 56
  • Multi AV Scanner detection for submitted file
  • Setup.exe started
    • Found API chain indicative of debugger detection
    • Contains functionality to detect sleep reduction / modifications
    • cmd.exe started, which started mode.com
    • cmd.exe started, which started attrib.exe
    • cmd.exe started, which started cmd.exe
    • 8 other processes started

Source | Detection | Scanner | Label
Setup.exe | 8% | ReversingLabs | Win32.Trojan.Generic
Setup.exe | 11% | Virustotal |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:786075
Start date and time:2023-01-17 18:46:33 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 6s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Setup.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.evad.winEXE@28/3@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.2% (good quality ratio 96%)
  • Quality average: 87.2%
  • Quality standard deviation: 22.8%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
Process:C:\Users\user\Desktop\Setup.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):187
Entropy (8bit):4.902655267511447
Encrypted:false
SSDEEP:3:mKDDfiU2mwc4a7MfEmRPN+E2J5xAIzTRlcYBKwc4aliCowHuN+E2J5xAIzTR3MJy:hGvmcayRPN723fzdlcYBKca68uN723fD
MD5:CD634571228B5752252E43D8B57DF61B
SHA1:E234DB2BF6A4F4479693D818D85A306BE0C1619A
SHA-256:A63142E3F6EA32514A3FFF31CEE2AFE37F0128B64E48F7DF357203522905F96E
SHA-512:4AE3B1126BB406D55679C79B43C91A3043E712AA0DAAC5E16C4DEA0549CD78C89C6971F1731225CCDAC842B339D031D120F92A3FD0DF3844FD7C499769D145F2
Malicious:false
Preview:@echo off..if exist "%SystemRoot%\Sysnative\" echo:1>"C:\Users\user\AppData\Local\Temp\is64.txt"..echo:"%SystemRoot%\Sysnative\cmd.exe">C:\Users\user\AppData\Local\Temp\is64.fil..
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):32
Entropy (8bit):4.390319531114783
Encrypted:false
SSDEEP:3:I59wdliCSn:IXuEn
MD5:D406619E40F52369E12AE4671B16A11A
SHA1:9C5748148612B1EEFAACF368FBF5DBCAA8DEA6D0
SHA-256:2E340D2B9CED6AD419C031400FB974FEED427CFABD0C167DEA26EC732D8579BE
SHA-512:4D9792A6427E4A48553318B4C2BAC19FF729A9C0A635BC9196C33D2BE5D1A224D1BAC30DA5F881BAD6340B0235894FF020F32061A64125629848E21C879C5264
Malicious:false
Preview:"C:\Windows\Sysnative\cmd.exe"..
Process:C:\Windows\SysWOW64\cmd.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3
Entropy (8bit):1.584962500721156
Encrypted:false
SSDEEP:3:p:p
MD5:A5EA0AD9260B1550A14CC58D2C39B03D
SHA1:F0AEDF295071ED34AB8C6A7692223D22B6A19841
SHA-256:F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
SHA-512:7C735C613ECE191801114785C1EE26A0485CBF1E8EE2C3B85BA1AD290EF75EEC9FEDE5E1A5DC26D504701F3542E6B6457818F4C1D62448D0DB40D5F35C357D74
Malicious:false
Preview:1..
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):5.888049821089434
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Setup.exe
File size:86016
MD5:10bdb4e5fa699f652e5f87255a24f5a8
SHA1:1fc82d9127569c471fa9902405658d84b6e46b8e
SHA256:9a072a9b2f5673ff828000fcbcbd100bde6c1678176e4a8292a27c6b5be7f4ea
SHA512:c875c44c83633552e966a0cd7191d4b1213a8584307d6e92834ccf95792ed267b05d5a33f8b91af09892ef7bbb6c64f564731855abcc26f8b529e722aa6ebc50
SSDEEP:1536:7E0qvF4CRfFcrKnJMDLhoygSngXSQi/owRnHH:F/CRfFcrKnCDRgiQi/oiHH
TLSH:26836B12BB90C1B6F992057221608F7F8A39FD3236551413E7A4BDF6AE382858907DDF
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U..H4..H4..H4..3(..J4...+..I4...(..G4..*+..O4..H4...4...+...4...2..I4..RichH4..........................PE..L......c...........
Icon Hash:e862eae6b692c66e
Entrypoint:0x408006
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x630397CD [Mon Aug 22 14:50:53 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:dbe920731c41982a49f842ad1020d762
Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
    Subject Chain
      Version:
      Thumbprint MD5:
      Thumbprint SHA-1:
      Thumbprint SHA-256:
      Serial:
      Instruction
      push ebp
      mov ebp, esp
      push FFFFFFFFh
      push 0040F138h
      push 0040A624h
      mov eax, dword ptr fs:[00000000h]
      push eax
      mov dword ptr fs:[00000000h], esp
      sub esp, 10h
      push ebx
      push esi
      push edi
      mov dword ptr [ebp-18h], esp
      call dword ptr [0040F054h]
      xor edx, edx
      mov dl, ah
      mov dword ptr [00418068h], edx
      mov ecx, eax
      and ecx, 000000FFh
      mov dword ptr [00418064h], ecx
      shl ecx, 08h
      add ecx, edx
      mov dword ptr [00418060h], ecx
      shr eax, 10h
      mov dword ptr [0041805Ch], eax
      push 00000000h
      call 00007F1CE4CA84B1h
      pop ecx
      test eax, eax
      jne 00007F1CE4CA602Ah
      push 0000001Ch
      call 00007F1CE4CA60BFh
      pop ecx
      and dword ptr [ebp-04h], 00000000h
      call 00007F1CE4CA60D9h
      call dword ptr [0040F050h]
      mov dword ptr [00F11004h], eax
      call 00007F1CE4CA8359h
      mov dword ptr [0041809Ch], eax
      call 00007F1CE4CA8102h
      call 00007F1CE4CA8044h
      call 00007F1CE4CA5846h
      mov eax, dword ptr [00418078h]
      mov dword ptr [0041807Ch], eax
      push eax
      push dword ptr [00418070h]
      push dword ptr [0041806Ch]
      call 00007F1CE4C9EF6Bh
      add esp, 0Ch
      mov dword ptr [ebp-1Ch], eax
      push eax
      call 00007F1CE4CA584Bh
      mov eax, dword ptr [ebp-14h]
      mov ecx, dword ptr [eax]
      mov ecx, dword ptr [ecx]
      Programming Language:
      • [C++] VS98 (6.0) build 8168
      • [ C ] VS98 (6.0) build 8168
      • [RES] VS98 (6.0) cvtres build 1720
      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf5d8 | 0x50 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb12000 | 0x2b42 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x153a49e9 | 0x28e0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x118 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0xdb96 | 0xe000 | False | 0.5397774832589286 | data | 6.40172541230084 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      .rdata | 0xf000 | 0xc0a | 0x1000 | False | 0.3701171875 | data | 4.449293945093879 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x10000 | 0xb01018 | 0x2000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      .rsrc | 0xb12000 | 0x2b42 | 0x3000 | False | 0.2569173177083333 | data | 4.7943004992485205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      Name | RVA | Size | Type | Language | Country
      RT_ICON | 0xb12138 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
      RT_GROUP_ICON | 0xb146e0 | 0x14 | data | English | United States
      RT_VERSION | 0xb146f4 | 0x264 | data | |
      RT_MANIFEST | 0xb14958 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
      DLL | Import
      KERNEL32.dll | GetTempPathA, GetModuleFileNameA, GetStdHandle, SetConsoleMode, GetConsoleMode, Sleep, SetConsoleCursorInfo, SetConsoleCursorPosition, SetConsoleTextAttribute, GetTickCount, GetVolumeInformationA, ReadConsoleInputA, WriteConsoleA, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, CompareStringW, ExitProcess, TerminateProcess, GetCurrentProcess, GetCommandLineA, GetVersion, SetHandleCount, GetFileType, GetStartupInfoA, GetLastError, ReadFile, SetFilePointer, HeapFree, CloseHandle, GetFileAttributesA, GetProcAddress, GetModuleHandleA, WriteFile, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, HeapAlloc, SetStdHandle, FlushFileBuffers, VirtualAlloc, HeapReAlloc, CreateFileA, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, MultiByteToWideChar, GetStringTypeA, GetStringTypeW, GetCPInfo, GetACP, GetOEMCP, LoadLibraryA, SetEndOfFile, CompareStringA
      USER32.dll | FindWindowA, GetDesktopWindow, GetWindowRect, SetWindowPos
      WINMM.dll | timeGetTime
      Language of compilation system | Country where language is spoken
      English | United States
      No network behavior found
      Target ID:0
      Start time:18:47:26
      Start date:17/01/2023
      Path:C:\Users\user\Desktop\Setup.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\Setup.exe
      Imagebase:0x400000
      File size:86016 bytes
      MD5 hash:10BDB4E5FA699F652E5F87255A24F5A8
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Target ID:1
      Start time:18:47:27
      Start date:17/01/2023
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6da640000
      File size:625664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:2
      Start time:18:47:27
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:3
      Start time:18:47:27
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\mode.com
      Wow64 process (32bit):true
      Commandline:mode con:cols=0080 lines=0025
      Imagebase:0x1130000
      File size:27648 bytes
      MD5 hash:D781CD6A6484C276A4D0750D9206A382
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Target ID:4
      Start time:18:47:27
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c title Installing Packages
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:5
      Start time:18:47:27
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\afolder" mkdir "C:\Users\user\AppData\Local\Temp\afolder"
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:6
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c if not exist "C:\Users\user\AppData\Local\Temp\xtmp" mkdir "C:\Users\user\AppData\Local\Temp\xtmp"
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:7
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c attrib +h C:\Users\user\AppData\Local\Temp\xtmp
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:8
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\attrib.exe
      Wow64 process (32bit):true
      Commandline:attrib +h C:\Users\user\AppData\Local\Temp\xtmp
      Imagebase:0xe60000
      File size:19456 bytes
      MD5 hash:A5540E9F87D4CB083BDF8269DEC1CFF9
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:9
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c echo:0>C:\Users\user\AppData\Local\Temp\is64.txt
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:10
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\is64.bat
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:11
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe"
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:12
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\System32\cmd.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\Sysnative\cmd.exe /C C:\Users\user\AppData\Local\Temp\xtmp\tmp29995.bat "C:\Users\user\Desktop\Setup.exe"
      Imagebase:0x7ff7cb270000
      File size:273920 bytes
      MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:13
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      Target ID:14
      Start time:18:47:28
      Start date:17/01/2023
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\system32\cmd.exe /c
      Imagebase:0x1b0000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language

      No disassembly