Edit tour
Windows
Analysis Report
2024_04_Setup-S4-View-V4.20.13.exe
Overview
General Information
| Sample name: | 2024_04_Setup-S4-View-V4.20.13.exe |
| Analysis ID: | 1533008 |
| MD5: | cff2c405dcf893d747b92c600d4dc26a |
| SHA1: | 95425a08cbcb8c9ed1f085b62f5c69937d253347 |
| SHA256: | d34011319c9faf5400cfb72ccfd04e445b80515bbfade3f9164d08f91b8b63d0 |
| Infos: | |
 | |
Detection
| Score: | 3 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 20% |
Signatures
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Classification
- System is w10x64
2024_04_Setup-S4-View-V4.20.13.exe (PID: 1048 cmdline: "C:\Users\ user\Deskt op\2024_04 _Setup-S4- View-V4.20 .13.exe" MD5: CFF2C405DCF893D747B92C600D4DC26A) - 2024_04_Setup-S4-View-V4.20.13.tmp (PID: 1460 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-7IL SV.tmp\202 4_04_Setup -S4-View-V 4.20.13.tm p" /SL5="$ 103CC,1544 9307,57856 ,C:\Users\ user\Deskt op\2024_04 _Setup-S4- View-V4.20 .13.exe" MD5: 832DAB307E54AA08F4B6CDD9B9720361) - Setup-S4-View.exe (PID: 5804 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-AGO 5O.tmp\Set up-S4-View .exe" /SIL ENT /LANG= en "/DIR=e xpand:C:\P rogram Fil es\LACROIX Sofrel\S4 -View\" MD5: 6E1FA307C84ABA5C57F5C32F237DBB3B) - Setup-S4-View.tmp (PID: 1096 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-S15 6G.tmp\Set up-S4-View .tmp" /SL5 ="$10444,1 5151522,57 856,C:\Use rs\user\Ap pData\Loca l\Temp\is- AGO5O.tmp\ Setup-S4-V iew.exe" / SILENT /LA NG=en "/DI R=expand:C :\Program Files\LACR OIX Sofrel \S4-View\" MD5: 832DAB307E54AA08F4B6CDD9B9720361) 
_setup64.tmp (PID: 3184 cmdline: helper 105 0x404 MD5: E4211D6D009757C078A9FAC7FF4F03D4) 
conhost.exe (PID: 3656 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - SNTOperationTrustZoneMigrate.exe (PID: 3632 cmdline:
"C:\Progra m Files\LA CROIX Sofr el\S4-View \TrustZone Migrate\SN TOperation TrustZoneM igrate.exe " MD5: DD9DD242A4F7AA3083435FCE216BCB25) - conhost.exe (PID: 2552 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Window detected: | ||