Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Setup_DigiSignerOne_x86.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.99992284931637
Filename:	Setup_DigiSignerOne_x86.exe
Filesize:	33922936
MD5:	f719502fa0580f2cfa1a6b799c4bd28d
SHA1:	63449f28a29129c23b16c7496c5748b2c1c1eb3f
SHA256:	4a6f4f683ba2d306c83c8690488332ef95f9682b1f129aed07d3512131a76dc9
SHA512:	8f99bf1c2c942fc9f4d0a3e8d46f34e5c6227e8a704ccadf1a108a6a55906ec7303a8c9a093efa09d85802eb50f1a28b6d3cd752ab589e65f80aeb6607b9280c
SSDEEP:	786432:E2eyVvYtzISiojT5PgcZQU059nXLAh7WRinvhyMQA9ieYDkVd:947imQU055XEh7KgQs/YQVd
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	Access Token Manipulation System Shutdown/Reboot
Contains functionality to shutdown / reboot the system	System Summary	Access Token Manipulation System Shutdown/Reboot
Detected potential crypto function	System Summary	Access Token Manipulation Archive Collected Data Encrypted Channel
Found evasive API chain (date check)	Malware Analysis System Evasion	Access Token Manipulation
PE / OLE file has an invalid certificate	System Summary	File and Directory Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation System Shutdown/Reboot
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Contains functionality to load and extract PE file embedded resources	System Summary
Contains functionality to query local / system time	Language, Device and Operating System Detection	Access Token Manipulation System Time Discovery
Contains functionality to query system information	Malware Analysis System Evasion
Contains functionality to query windows version	Language, Device and Operating System Detection	System Information Discovery
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Reads software policies	System Summary	Access Token Manipulation
Sample might require command line arguments	System Summary	Access Token Manipulation Security Software Discovery
Sample reads its own file content	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp

PE32+ executable (console) x86-64, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\_isetup\_setup64.tmp
Category:	dropped
Dump:	_setup64.tmp.2.dr
ID:	dr_1
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
Type:	PE32+ executable (console) x86-64, for MS Windows
Entropy:	4.720366600008286
Encrypted:	false
Ssdeep:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
Size:	6144
Whitelisted:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\idp.dll
Category:	dropped
Dump:	idp.dll.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.433227377923997
Encrypted:	false
Ssdeep:	3072:3kdYM0KYqpvmSM0IKNDe/zmNDNRpGFRMlCP7mYYY5Qt1reJbTg/knAD:UsKFrM7CNocNNreJb0/F
Size:	221184
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion

C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\logo_digisign_nou.bmp

PC bitmap, Windows 3.x format, 40 x 33 x 24, image size 3962, resolution 11811 x 11811 px/m, cbSize 4016, bits offset 54

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-98MUO.tmp\logo_digisign_nou.bmp
Category:	dropped
Dump:	logo_digisign_nou.bmp.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
Type:	PC bitmap, Windows 3.x format, 40 x 33 x 24, image size 3962, resolution 11811 x 11811 px/m, cbSize 4016, bits offset 54
Entropy:	4.162987726623242
Encrypted:	false
Ssdeep:	48:XOjDD6IQs0ganRAwa5dDkKEUSs+Daymn51rOXxYSziPk6QBn:ejrQjgaRfidDkKAs+DaymvrOXGQBn
Size:	4016
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
Category:	dropped
Dump:	Setup_DigiSignerOne_x86.tmp.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	6.530436054106211
Encrypted:	false
Ssdeep:	12288:kqIRz+f+ui8TrPO37fzH4A63RRwDFtuXUZERmhrNh4dT9TaC+IGNbDtQPuFyxyRB:JIZg+uiirPO37fzH4A6haDbcUZEbdT9A
Size:	723944
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging	Security Software Discovery
Contains functionality to check if a window is minimized (may be used to check if an application is visible)	Hooking and other Techniques for Hiding and Protection	Application Window Discovery
Contains functionality to communicate with device drivers	System Summary
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging	Native API
Contains functionality to launch a program with higher privileges	HIPS / PFW / Operating System Protection Evasion	Exploitation for Privilege Escalation
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging	Security Software Discovery
Drops PE files	Persistence and Installation Behavior
Extensive use of GetProcAddress (often used to hide API calls)	Hooking and other Techniques for Hiding and Protection
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Contains functionality to add an ACL to a security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to check free disk space	System Summary	System Information Discovery
Contains functionality to create a new security descriptor	HIPS / PFW / Operating System Protection Evasion
Contains functionality to create pipes for IPC	Language, Device and Operating System Detection	Process Injection
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to instantiate COM classes	System Summary
Contains functionality to query the account / user name	Language, Device and Operating System Detection	Account Discovery System Owner/User Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates files inside the user directory	System Summary	Masquerading
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
Program exit points	Malware Analysis System Evasion
Reads the Windows registered organization settings	System Summary	System Owner/User Discovery
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Executable creates window controls seldom found in malware	System Summary
Reads the Windows registered owner settings	System Summary	System Owner/User Discovery

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe

"C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"

Details

Is windows:	false
Is dropped:	false
PID:	3852
Target ID:	0
Parent PID:	4004
Name:	Setup_DigiSignerOne_x86.exe
Path:	C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe
Commandline:	"C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Size:	33922936
MD5:	F719502FA0580F2CFA1A6B799C4BD28D
Time:	23:12:27
Date:	28/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	86016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Havoc	Stealing of Sensitive Information, Remote Access Functionality
PE / OLE file has an invalid certificate	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp

"C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp" /SL5="$203D4,33657605,58368,C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"

Details

Is windows:	false
Is dropped:	true
PID:	5252
Target ID:	2
Parent PID:	3852
Name:	Setup_DigiSignerOne_x86.tmp
Path:	C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp
Commandline:	"C:\Users\user\AppData\Local\Temp\is-EFV01.tmp\Setup_DigiSignerOne_x86.tmp" /SL5="$203D4,33657605,58368,C:\Users\user\Desktop\Setup_DigiSignerOne_x86.exe"
Size:	723944
MD5:	B94E2647AD7D4E5AC3FEA70870F1DD05
Time:	23:12:28
Date:	28/10/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	782336
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

URLs

Name

Malicious

http://www.innosetup.com/

unknown

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline

unknown

http://www.remobjects.com/psU

unknown

Details

Name:	http://www.remobjects.com/psU
TargetID:	-1
From Memory:	true
Source:	Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://bitbucket.org/mitrich_k/inno-download-plugin

unknown

http://www.remobjects.com/ps

unknown

Details

Name:	http://www.remobjects.com/ps
TargetID:	-1
From Memory:	true
Source:	Setup_DigiSignerOne_x86.exe, 00000000.00000003.2123662923.0000000002390000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.exe, 00000000.00000003.2124145029.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000000.2124626293.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup_DigiSignerOne_x86.tmp.0.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU

unknown

http://mitrichsoftware.wordpress.comB

unknown

Details

Name:	http://mitrichsoftware.wordpress.comB
TargetID:	-1
From Memory:	true
Source:	Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380817518.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3381093281.0000000010034000.00000002.00000001.01000000.00000007.sdmp, Setup_DigiSignerOne_x86.tmp, 00000002.00000002.3380227053.000000000018F000.00000004.00000010.00020000.00000000.sdmp, idp.dll.2.dr

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

Memdumps

Base Address

Regiontype

Protect

Malicious

2290000

heap

page read and write

428000

heap

page read and write

91000

stack

page read and write

49C0000

direct allocation

page read and write

19D000

stack

page read and write

353E000

stack

page read and write

3230000

direct allocation

page read and write

7C8000

heap

page read and write

2390000

direct allocation

page read and write

33FE000

stack

page read and write

2070000

direct allocation

page read and write

10034000

unkown

page readonly

650000

heap

page read and write

22E0000

heap

page read and write

4C0000

heap

page read and write

49D000

unkown

page write copy

2081000

direct allocation

page read and write

18F000

stack

page read and write

2081000

direct allocation

page read and write

3220000

direct allocation

page read and write

10030000

unkown

page read and write

412000

unkown

page readonly

2260000

direct allocation

page execute and read and write

3220000

direct allocation

page read and write

22D4000

heap

page read and write

10000000

unkown

page readonly

9B000

stack

page read and write

7AF000

heap

page read and write

2308000

direct allocation

page read and write

3240000

heap

page read and write

2390000

direct allocation

page read and write

760000

heap

page read and write

2090000

direct allocation

page read and write

2240000

heap

page read and write

7A6000

heap

page read and write

600000

heap

page read and write

400000

unkown

page readonly

401000

unkown

page execute read

401000

unkown

page execute read

768000

heap

page read and write

4AE000

unkown

page readonly

2308000

direct allocation

page read and write

4A0000

unkown

page write copy

2144000

direct allocation

page read and write

3220000

direct allocation

page read and write

40E000

unkown

page write copy

10029000

unkown

page readonly

22A0000

heap

page read and write

400000

unkown

page readonly

400000

unkown

page readonly

2880000

heap

page read and write

7CB000

heap

page read and write

2074000

direct allocation

page read and write

22F8000

direct allocation

page read and write

22E5000

heap

page read and write

401000

unkown

page execute read

22E9000

heap

page read and write

620000

heap

page read and write

3275000

heap

page read and write

22F0000

direct allocation

page read and write

7E3000

heap

page read and write

4AE000

unkown

page readonly

750000

heap

page read and write

22FC000

direct allocation

page read and write

28A0000

trusted library allocation

page read and write

401000

unkown

page execute read

34FF000

stack

page read and write

7BF000

heap

page read and write

22F7000

direct allocation

page read and write

7B1000

heap

page read and write

49E000

unkown

page read and write

232C000

direct allocation

page read and write

3230000

direct allocation

page read and write

3270000

heap

page read and write

412000

unkown

page readonly

400000

unkown

page readonly

7AC000

heap

page read and write

420000

heap

page read and write

49C000

unkown

page write copy

232D000

direct allocation

page read and write

22D0000

heap

page read and write

40C000

unkown

page read and write

10001000

unkown

page execute read

520000

heap

page read and write

363F000

stack

page read and write

49C000

unkown

page read and write

40C000

unkown

page write copy

There are 77 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
Setup_DigiSignerOne_x86.exe

Files

Processes

URLs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSetup_DigiSignerOne_x86.exe

Files

Processes

URLs

Registry

Memdumps

IOC Report
Setup_DigiSignerOne_x86.exe