Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1530829
MD5: ca4d56abba85c97023f2e236dc82c4aa
SHA1: 5c4be7cef4082adae0e187ec140c0f10dd113260
SHA256: 7052d75548d0f34e290baf29aa7281b44b4eb38327a9078354e15a3dc8749da4

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Detected potential crypto function
Found evasive API chain (date check)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_004066B2 FindFirstFileA,FindClose,FindClose, 0_2_004066B2
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00409F75 FindFirstFileA,FindClose, 0_2_00409F75
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00406143 lstrcpyA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcatA,VerInstallFileA,GetShortPathNameA,lstrcpyA,FindFirstFileA,FindClose,VerInstallFileA,lstrcpyA, 0_2_00406143
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00409D0F lstrcpyA,lstrcmpiA,lstrlenA,lstrlenA,lstrcpynA,lstrcatA,CharNextA,lstrcpynA,FindFirstFileA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,FindClose,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrlenA, 0_2_00409D0F
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00406623 lstrcatA,FindFirstFileA,GetWindowLongA,FindFirstFileA,FindFirstFileA,FindClose,FindClose,FindClose, 0_2_00406623
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00410B70 lstrcatA,FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 0_2_00410B70
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00403794 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,GetLastError,wsprintfA, 0_2_00403794
Source: C:\Users\user\Desktop\setup.exe File created: C:\WINDOWS\ST6UNST.000
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040F840 0_2_0040F840
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040D050 0_2_0040D050
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040FC20 0_2_0040FC20
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00414CE0 0_2_00414CE0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040B8EC 0_2_0040B8EC
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040C9A0 0_2_0040C9A0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040F5B0 0_2_0040F5B0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040D2F0 0_2_0040D2F0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_004187D0 0_2_004187D0
Source: classification engine Classification label: clean3.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040924A lstrcatA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,GetFileAttributesA,lstrlenA,lstrlenA,lstrcatA,lstrlenA,lstrcatA,GetFileAttributesA,DeleteFileA,CoCreateInstance,lstrcpyA,CharNextA,MultiByteToWideChar, 0_2_0040924A
Source: setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\setup.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sfc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00417CA0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00417CA0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00412B40 push eax; ret 0_2_00412B6E
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_004084E7 GetWindowsDirectoryA,GetSystemDirectoryA,MessageBoxA,SendMessageA,UpdateWindow,GetWindowLongA,GetWindowLongA,GetModuleFileNameA,GetWindowLongA,GetModuleFileNameA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,MessageBoxA,wsprintfA,wsprintfA,lstrcpyA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,lstrcatA,CreateDirectoryA,GetPrivateProfileStringA,lstrcpyA,lstrcatA,lstrcpyA,lstrcpynA,CoInitialize,CoUninitialize,ShowWindow, 0_2_004084E7
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00405885 DefWindowProcA,BeginPaint,GetTextMetricsA,GetClientRect,SetTextColor,SelectObject,GetWindowLongA,GetModuleFileNameA,lstrcpyA,lstrcatA,GetPrivateProfileStringA,GetPrivateProfileStringA,SetWindowTextA,GetPrivateProfileStringA,wsprintfA,wsprintfA,SetBkColor,lstrlenA,lstrlenA,DrawTextA,OffsetRect,lstrlenA,DrawTextA,SetTextColor,SelectObject,EndPaint,SendMessageA,PostQuitMessage,DeleteObject, 0_2_00405885
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0040746D wsprintfA,wsprintfA,GetPrivateProfileStringA,wsprintfA,wsprintfA,SetFileAttributesA,wsprintfA,wsprintfA,wsprintfA,CreateProcessA,GetLastError,wsprintfA,ShowWindow,GetExitCodeProcess, 0_2_0040746D
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00407E75 lstrcpyA,GetPrivateProfileStringA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,SetFileAttributesA,wsprintfA,lstrcpyA,lstrcpyA,lstrcpyA, 0_2_00407E75
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00408F7A wsprintfA,wsprintfA,GetPrivateProfileStringA, 0_2_00408F7A
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00408FE7 SetFileAttributesA,wsprintfA,GetPrivateProfileStringA,wsprintfA,SetFileAttributesA,DeleteFileA,GetPrivateProfileStringA,wsprintfA,SetFileAttributesA,DeleteFileA,RemoveDirectoryA, 0_2_00408FE7
Source: C:\Users\user\Desktop\setup.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: setup.exe Binary or memory string: ProgMan
Source: setup.exe Binary or memory string: PROGMAN
Source: setup.exe Binary or memory string: )(: ACTION: *** CONFIG: NOTE: VB.Mooo.Conv.Child)][CreateGroup(,[AddItem([ReplaceItem(ProgMan[DeleteItem(PROGMAN%s=%s
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00412600 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 0_2_00412600
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00413060 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,KiUserCallbackDispatcher, 0_2_00413060
No contacted IP infos