Windows Analysis Report
SETUP.EXE

Overview

General Information

Sample name: SETUP.EXE
Analysis ID: 1523269
MD5: 533c0186eec91a2f5471f20c83307cc5
SHA1: 478a87737d8ce0ffb6046fef04b49676b8430345
SHA256: 37ab97c4806497fc2e5cd66ff81e95168df0198c8a6853a56a1c9b1ea465119f

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Source: SETUP.EXE Static PE information: certificate valid
Source: SETUP.EXE Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\dbs\sh\s19s\0924_133349\cmd\h\obj\x64retail\sql\mpu\installframework\chainer\sqlsetupbootstrapper\exe\sqlsetupbootstrapper.exe.vcxproj\SqlSetupBootstrapper.pdb source: SETUP.EXE
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D5550 FindFirstFileExW, 0_2_00007FF6020D5550
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020DB554 0_2_00007FF6020DB554
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D1D74 0_2_00007FF6020D1D74
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D3EF0 0_2_00007FF6020D3EF0
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D5318 0_2_00007FF6020D5318
Source: SETUP.EXE Binary or memory string: OriginalFilename vs SETUP.EXE
Source: SETUP.EXE, 00000000.00000000.2004102899.00007FF6020E8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSqlSetupBootstrapper.exeJ vs SETUP.EXE
Source: SETUP.EXE Binary or memory string: OriginalFilenameSqlSetupBootstrapper.exeJ vs SETUP.EXE
Source: classification engine Classification label: clean3.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: SETUP.EXE Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SETUP.EXE Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SETUP.EXE "C:\Users\user\Desktop\SETUP.EXE"
Source: C:\Users\user\Desktop\SETUP.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SETUP.EXE Section loaded: sqlsetupbootstrapper.dll
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: SETUP.EXE Static PE information: Image base 0x100400000 > 0x60000000
Source: SETUP.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SETUP.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SETUP.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SETUP.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SETUP.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SETUP.EXE Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SETUP.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SETUP.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SETUP.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SETUP.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SETUP.EXE Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D4D58 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6020D4D58
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D81E0 GetProcessHeap, 0_2_00007FF6020D81E0
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D1C88 SetUnhandledExceptionFilter, 0_2_00007FF6020D1C88
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D1AD4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6020D1AD4
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D14B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6020D14B8
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020DB380 cpuid 0_2_00007FF6020DB380
Source: C:\Users\user\Desktop\SETUP.EXE Code function: 0_2_00007FF6020D1938 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6020D1938
No contacted IP infos