Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Setup.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.4358614247609465
Filename:	Setup.exe
Filesize:	391376
MD5:	08aba4235f18775205a1705d89676705
SHA1:	d25fc234125ed0cb49608309a842043b7acc2e86
SHA256:	f8c59bf2647bc5ad0b69428864ac9b02cf4695a20130a6b171701285195c3c9f
SHA512:	005f8c085a1104fe3eaaf63880ca97b74b32dbb64d89aa08924ae74cb3c2f246ffa9c3272f3a14f63a57c72df76bf8da6c9504c9f35f06660beebc5fea0f0dd8
SSDEEP:	6144:i8kiSrhTFpBoiB6VTquOmQ7YpAOMJjwvDW70PFn0wccccccccYwP+Tr:GiYTF5B6Veum6WnrTr
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i....q...q...q.3.....q.3.....q.3.....q..Vr...q..Vt...q..Vu...q.bQt...q.Z.....q...p.".q..Vx...q..V....q.......q..Vs...q.Rich..q

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Information Discovery System Shutdown/Reboot
Contains functionality to read the PEB	Anti Debugging	Access Token Manipulation Security Software Discovery
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Detected potential crypto function	System Summary	Access Token Manipulation Process Discovery Archive Collected Data Encrypted Channel
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection	Security Software Discovery
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API Access Token Manipulation
Found large amount of non-executed APIs	Malware Analysis System Evasion	Access Token Manipulation
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information Security Software Discovery
Contains functionality for error logging	System Summary	Access Token Manipulation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to enum processes or threads	System Summary	Access Token Manipulation Process Discovery
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary	Access Token Manipulation Security Software Discovery
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query windows version	Language, Device and Operating System Detection
Contains functionality to read ini properties file for application configuration	Persistence and Installation Behavior
Contains functionality to register its own exception handler	Anti Debugging	Security Software Discovery
Creates temporary files	System Summary	Security Software Discovery
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Command and Scripting Interpreter Access Token Manipulation Security Software Discovery
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
PE file contains a valid data directory to section mapping	System Summary	Security Software Discovery
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary	Security Software Discovery
PE file contains a mix of data directories often seen in goodware	System Summary
Creates install or setup log file	Compliance, Persistence and Installation Behavior
PE / OLE file has a valid certificate	Compliance, System Summary

C:\Users\user\AppData\Local\Temp\PatchInstaller.Log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\PatchInstaller.Log
Category:	dropped
Dump:	PatchInstaller.Log.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Setup.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.872585858230478
Encrypted:	false
Ssdeep:	6:MKUlC6ME1wvovLMC4EXfewvOqC4KMKZblOCqUGwvoBMmJ1tCk8b:MP867mwvL14EXfZ2PDZNtwT1kk8b
Size:	261
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary
Creates install or setup log file	Compliance, Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Setup.exe

"C:\Users\user\Desktop\Setup.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7508
Target ID:	0
Parent PID:	2580
Name:	Setup.exe
Path:	C:\Users\user\Desktop\Setup.exe
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Size:	391376
MD5:	08ABA4235F18775205A1705D89676705
Time:	10:59:00
Date:	13/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xe10000
Modulesize:	401408
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking
PE file contains a valid data directory to section mapping	System Summary
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary
PE / OLE file has a valid certificate	Compliance, System Summary

Memdumps

Base Address

Regiontype

Protect

Malicious

908000

heap

page read and write

E5D000

unkown

page read and write

755000

heap

page read and write

2F5E000

stack

page read and write

8B0000

heap

page read and write

908000

heap

page read and write

2540000

heap

page read and write

E10000

unkown

page readonly

26E4000

trusted library allocation

page read and write

8F3000

heap

page read and write

D80000

heap

page read and write

E61000

unkown

page readonly

D60000

heap

page read and write

DE0000

heap

page read and write

245E000

stack

page read and write

E46000

unkown

page readonly

90B000

heap

page read and write

B00000

heap

page read and write

26E0000

trusted library allocation

page read and write

904000

heap

page read and write

3DE000

stack

page read and write

8BA000

heap

page read and write

928000

heap

page read and write

8DB000

heap

page read and write

E10000

unkown

page readonly

9EE000

stack

page read and write

D90000

heap

page read and write

2D9000

stack

page read and write

26D0000

heap

page read and write

89E000

stack

page read and write

8F3000

heap

page read and write

B2B000

heap

page read and write

720000

heap

page read and write

2490000

heap

page read and write

D96000

heap

page read and write

E46000

unkown

page readonly

904000

heap

page read and write

904000

heap

page read and write

E5F000

unkown

page readonly

904000

heap

page read and write

3CF000

stack

page read and write

8FE000

heap

page read and write

2F9E000

stack

page read and write

B20000

heap

page read and write

2460000

heap

page read and write

3C0000

stack

page read and write

2E5E000

stack

page read and write

E11000

unkown

page execute read

8E3000

heap

page read and write

920000

heap

page read and write

8D9000

heap

page read and write

476F000

stack

page read and write

26E3000

trusted library allocation

page read and write

8DA000

heap

page read and write

E11000

unkown

page execute read

928000

heap

page read and write

B04000

heap

page read and write

908000

heap

page read and write

79E000

stack

page read and write

AEF000

stack

page read and write

26E1000

trusted library allocation

page read and write

26E2000

trusted library allocation

page read and write

750000

heap

page read and write

26E5000

trusted library allocation

page read and write

640000

heap

page read and write

908000

heap

page read and write

E00000

heap

page read and write

8FE000

heap

page read and write

901000

heap

page read and write

E61000

unkown

page readonly

E5F000

unkown

page readonly

8F8000

heap

page read and write

8FE000

heap

page read and write

8F3000

heap

page read and write

4770000

trusted library allocation

page read and write

8FA000

heap

page read and write

309F000

stack

page read and write

8E3000

heap

page read and write

E5D000

unkown

page write copy

8FE000

heap

page read and write

8E5000

heap

page read and write

DA0000

heap

page read and write

904000

heap

page read and write

B26000

heap

page read and write

There are 74 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Setup.exe

Files

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSetup.exe

Files

Processes

Memdumps

IOC Report
Setup.exe