Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

setup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.126511930909836
Filename:	setup.exe
Filesize:	139776
MD5:	ca4d56abba85c97023f2e236dc82c4aa
SHA1:	5c4be7cef4082adae0e187ec140c0f10dd113260
SHA256:	7052d75548d0f34e290baf29aa7281b44b4eb38327a9078354e15a3dc8749da4
SHA512:	42b895b8ca244d4a5dc3b662f6379073c8ee893a3a56b0e77b9eca3be4c3242bcbc9f97a2cf2432109c13fdfa842e2d73f14c7d1b328b4f6a000202af8215562
SSDEEP:	3072:WARAEzUI3AOGfte0D9P9HjT0rIm7f1dZJZgJIK/J:WARdb3NGfYm9VTwImJdEX/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ 5..A[..A[..A[.hG]..A[..A[..@[.Rich.A[.................PE..L...f}.8............................`0............@................

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Creates files inside the system directory	System Summary	Masquerading
Detected potential crypto function	System Summary	Access Token Manipulation System Time Discovery Archive Collected Data Encrypted Channel
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation
Contains functionality to query time zone information	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample requires command line parameters (based on API chain)	System Summary	Command and Scripting Interpreter Native API
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Windows\ST6UNST.000

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Windows\ST6UNST.000
Category:	dropped
Dump:	ST6UNST.000.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\setup.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.678844719486963
Encrypted:	false
Ssdeep:	6:sENVGgA0dO/MKYiRgKRLGiFxl0AA8HLPs/QhOL+xgqNhkE+In:scsgA0dOjYiX4i7eA/0EcrIEI
Size:	303
Whitelisted:	false
Reputation:	moderate

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\setup.exe

"C:\Users\user\Desktop\setup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	2100
Target ID:	0
Parent PID:	4004
Name:	setup.exe
Path:	C:\Users\user\Desktop\setup.exe
Commandline:	"C:\Users\user\Desktop\setup.exe"
Size:	139776
MD5:	CA4D56ABBA85C97023F2E236DC82C4AA
Time:	09:37:05
Date:	10/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	180224
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses 32bit PE files	Compliance, System Summary
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

401000

unkown

page execute read

41E000

unkown

page read and write

780000

heap

page read and write

7CE000

stack

page read and write

5D1000

heap

page read and write

59E000

heap

page read and write

21D0000

heap

page read and write

1D0000

heap

page read and write

98000

stack

page read and write

2130000

heap

page read and write

5F2000

heap

page read and write

5CC000

heap

page read and write

5CC000

heap

page read and write

19A000

stack

page read and write

41A000

unkown

page readonly

805000

heap

page read and write

80A000

heap

page read and write

601000

heap

page read and write

5C9000

heap

page read and write

5D7000

heap

page read and write

20AF000

stack

page read and write

41E000

unkown

page write copy

428000

unkown

page readonly

428000

unkown

page readonly

784000

heap

page read and write

5D9000

heap

page read and write

41A000

unkown

page readonly

5DA000

heap

page read and write

41C000

unkown

page write copy

2AF0000

trusted library allocation

page read and write

5DD000

heap

page read and write

5DC000

heap

page read and write

58B000

heap

page read and write

21E0000

direct allocation

page read and write

510000

heap

page read and write

77F000

stack

page read and write

401000

unkown

page execute read

5DD000

heap

page read and write

400000

unkown

page readonly

423000

unkown

page read and write

5D9000

heap

page read and write

7F0000

heap

page read and write

800000

heap

page read and write

5DC000

heap

page read and write

56E000

stack

page read and write

580000

heap

page read and write

5E0000

heap

page read and write

2170000

heap

page read and write

400000

unkown

page readonly

5DD000

heap

page read and write

2150000

heap

page read and write

5DC000

heap

page read and write

430000

heap

page read and write

41C000

unkown

page read and write

1D5000

heap

page read and write

5FA000

heap

page read and write

There are 46 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
setup.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportsetup.exe

Files

Processes

Memdumps

IOC Report
setup.exe