Windows Analysis Report
Setup_DigiSignerOne_x86.exe

Overview

General Information

Sample name: Setup_DigiSignerOne_x86.exe
Analysis ID: 1544225
MD5: f719502fa0580f2cfa1a6b799c4bd28d
SHA1: 63449f28a29129c23b16c7496c5748b2c1c1eb3f
SHA256: 4a6f4f683ba2d306c83c8690488332ef95f9682b1f129aed07d3512131a76dc9

Detection

Havoc
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Havoc
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Havoc
Description: First released in October 2022, the Havoc C2 Framework is a flexible post-exploitation framework written in Golang, C++, and Qt, with agents called 'Demons' written in C and ASM, created by @C5pider. Designed to support red team engagements and adversary emulation, it offers a robust set of capabilities tailored for offensive security operations. The framework, which is under active development, utilizes HTTP(s) and SMB as communication protocols for its implants. Havoc can generate implants, known as Demons, in several formats including EXE, DLL, and Shellcode. A notable feature of Havoc is its ability to bypass EDR by employing advanced evasion techniques such as sleep obfuscation, return address stack spoofing, and indirect syscalls. This capability enhances its effectiveness in evading detection and circumventing security measures.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.havoc
Source: Setup_DigiSignerOne_x86.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Setup_DigiSignerOne_x86.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\ansi\idp.pdb source: Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380227053.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381067522.0000000010029000.00000002.00000001.01000000.00000007.sdmp, idp.dll.2.dr
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00453238 FindFirstFileA,GetLastError, 2_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00476F44 FindFirstFileA,FindNextFileA,FindClose, 2_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00463B44 FindFirstFileA,FindNextFileA,FindClose, 2_2_00463B44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_10003AF0 FtpSetCurrentDirectoryA,FtpFindFirstFileA,InternetFindNextFileA,InternetFindNextFileA,InternetCloseHandle, 2_2_10003AF0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_10002AA0 GetTickCount,GetTickCount,GetTickCount,InternetReadFile,_fwrite,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount, 2_2_10002AA0
Source: Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmp, idp.dll.2.dr String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380227053.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.2.dr String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup_DigiSignerOne_x86.tmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: Setup_DigiSignerOne_x86.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Setup_DigiSignerOne_x86.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr String found in binary or memory: http://www.remobjects.com/psU
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00424014 NtdllDefWindowProc_A, 2_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00412A68 NtdllDefWindowProc_A, 2_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0047AC34 NtdllDefWindowProc_A, 2_2_0047AC34
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0042FA00 NtdllDefWindowProc_A, 2_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A, 2_2_00457E24
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError, 2_2_0042EDC4
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 0_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx, 2_2_00455E14
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 10005410 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 10018920 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 00407D84 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 004587AC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 004585A0 appears 124 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: String function: 00403684 appears 233 times
Source: Setup_DigiSignerOne_x86.exe Static PE information: invalid certificate
Source: Setup_DigiSignerOne_x86.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup_DigiSignerOne_x86.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Setup_DigiSignerOne_x86.tmp.0.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup_DigiSignerOne_x86.exe
Source: Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup_DigiSignerOne_x86.exe
Source: classification engine Classification label: mal48.troj.winEXE@3/4@0/0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA, 2_2_0045663C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00456E68 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString, 2_2_00456E68
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource, 0_2_0040A10C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe File created: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Setup_DigiSignerOne_x86.exe String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: Setup_DigiSignerOne_x86.exe String found in binary or memory: /LOADINF="filename"
Source: Setup_DigiSignerOne_x86.exe String found in binary or memory: q-aDD
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe File read: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe
Source: unknown Process created: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe "C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Process created: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp "C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp" /SL5="$203D4,33657605,58368,C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Window found: window name: TSelectLanguageForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Setup_DigiSignerOne_x86.exe Static file information: File size 33922936 > 1048576
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00450A28
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_00406A50 push 00406A8Dh; ret 0_2_00406A85
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_004093EC push 0040941Fh; ret 0_2_00409417
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_004085B8 push ecx; mov dword ptr [esp], eax 0_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00409DDC push 00409E19h; ret 2_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0041A0B8 push ecx; mov dword ptr [esp], ecx 2_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00452194 push ecx; mov dword ptr [esp], eax 2_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_004062CC push ecx; mov dword ptr [esp], eax 2_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0040A2DF push ds; ret 2_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_004605AC push ecx; mov dword ptr [esp], ecx 2_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00458848 push 00458880h; ret 2_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00410970 push ecx; mov dword ptr [esp], edx 2_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00412DB8 push 00412E1Bh; ret 2_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0040D2C8 push ecx; mov dword ptr [esp], edx 2_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0040546D push eax; ret 2_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0040553D push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_004055BE push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0040563B push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_004056A0 push 00405749h; ret 2_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0040F828 push ecx; mov dword ptr [esp], edx 2_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00443930 push ecx; mov dword ptr [esp], ecx 2_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00487AF0 push ecx; mov dword ptr [esp], ecx 2_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00459B60 push 00459BA4h; ret 2_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00497B18 push ecx; mov dword ptr [esp], ecx 2_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00479C7C push ecx; mov dword ptr [esp], edx 2_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00451FD0 push 00452003h; ret 2_2_00451FFB
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_10016695 push ecx; ret 2_2_100166A8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp File created: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe File created: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp File created: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0041815E IsIconic,SetWindowPos, 2_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0042466C IsIconic,SetActiveWindow,SetFocus, 2_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00424624 IsIconic,SetActiveWindow, 2_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow, 2_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00417A28 IsIconic,GetCapture, 2_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 2_2_00485CFC
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 2_2_0041F5A8
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00453238 FindFirstFileA,GetLastError, 2_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00476F44 FindFirstFileA,FindNextFileA,FindClose, 2_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 2_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 2_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00463B44 FindFirstFileA,FindNextFileA,FindClose, 2_2_00463B44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_10003AF0 FtpSetCurrentDirectoryA,FtpFindFirstFileA,InternetFindNextFileA,InternetFindNextFileA,InternetCloseHandle, 2_2_10003AF0
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_0040A050
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_100140F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100140F3
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00450A28
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_1001F23F GetProcessHeap,___initmbctable,GetModuleFileNameA,_parse_cmdline,__malloc_crt,_parse_cmdline, 2_2_1001F23F
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_10017458 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_10017458
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_1001F575 SetUnhandledExceptionFilter,__encode_pointer, 2_2_1001F575
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_1001F597 __decode_pointer,SetUnhandledExceptionFilter, 2_2_1001F597
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_100140F3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_100140F3
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_1001449E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001449E
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 2_2_0047A678
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA, 2_2_0042F294
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 2_2_0042E52C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_10023C59 cpuid 2_2_10023C59
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: GetLocaleInfoA, 0_2_00405694
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: GetLocaleInfoA, 0_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoA, 2_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoA, 2_2_00408A44
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 2_2_1001D1E3
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoA, 2_2_1001CCC9
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_1001D083
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1001D142
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_1001D1A7
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 2_2_10023622
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoA,_xtoa_s@20, 2_2_10023849
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea, 2_2_1002391B
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat, 2_2_10023A56
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 2_2_10023A91
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_10023BCE
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_1001BF7D
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoA, 2_2_1002032C
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 2_2_1001C5D9
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA, 2_2_10020612
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 2_2_1001C82A
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 2_2_10016C3A
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _LcidFromHexString,GetLocaleInfoA, 2_2_1001CDAB
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 2_2_1001CE41
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 2_2_1001CEB3
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 2_2_00458E58
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp Code function: 2_2_00455DCC GetUserNameA, 2_2_00455DCC
Source: C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe Code function: 0_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy, 0_2_00404654

Stealing of Sensitive Information

Source: Yara match File source: Setup_DigiSignerOne_x86.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: Setup_DigiSignerOne_x86.exe, type: SAMPLE
No contacted IP infos