Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1562442
MD5: 0694a17da60d94bc3309098b233aef78
SHA1: c5c79592819ea20caf0d2223b4404283fd32c702
SHA256: 881fb060bd03a238a1c2b9221d15d28df8705870680c17ac5070510ec6355e2d

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
LummaC encrypted strings found
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: Setup.exe Avira: detected
Source: more.com.6596.6.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["p10tgrace.sbs", "3xp3cts1aim.sbs", "s1gn1fyh0se.cyou", "p3ar11fter.sbs", "processhol.sbs", "peepburry828.sbs"], "Build id": "Dvh8ui--111"}
Source: Setup.exe ReversingLabs: Detection: 24%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: p3ar11fter.sbs
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: 3xp3cts1aim.sbs
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: peepburry828.sbs
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: p10tgrace.sbs
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: processhol.sbs
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: s1gn1fyh0se.cyou
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: wntdll.pdbUGP source: Setup.exe, 00000000.00000002.1394975504.0000000006C1C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1399354158.00000000071C0000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2547493779.0000000004B15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2548312860.0000000005060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Setup.exe, 00000000.00000002.1394975504.0000000006C1C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1399354158.00000000071C0000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2547493779.0000000004B15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2548312860.0000000005060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0059C0D2 FindFirstFileExW, 8_2_0059C0D2
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_005DA187
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005CE180
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_005DA2E4
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DA66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_005DA66E
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D686D FindFirstFileW,FindNextFileW,FindClose, 8_2_005D686D
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CE9BA GetFileAttributesW,FindFirstFileW,FindClose, 8_2_005CE9BA
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D74F0 FindFirstFileW,FindClose, 8_2_005D74F0
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 8_2_005D7591
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005CDE32

Networking

Source: Malware configuration extractor URLs: p10tgrace.sbs
Source: Malware configuration extractor URLs: 3xp3cts1aim.sbs
Source: Malware configuration extractor URLs: s1gn1fyh0se.cyou
Source: Malware configuration extractor URLs: p3ar11fter.sbs
Source: Malware configuration extractor URLs: processhol.sbs
Source: Malware configuration extractor URLs: peepburry828.sbs
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DD935 InternetReadFile,SetEvent,GetLastError,SetEvent, 8_2_005DD935
Source: Setup.exe String found in binary or memory: http://%ipFTPftp://%ipPingcmd.exe/K
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Setup.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com, 00000008.00000000.1398291303.0000000000635000.00000002.00000001.01000000.00000008.sdmp, Gosse.com.6.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Setup.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Setup.exe, 00000000.00000002.1401884047.0000000007432000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004E70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: Setup.exe String found in binary or memory: http://www.mylanviewer.com/myshowip.php
Source: Setup.exe String found in binary or memory: http://www.mylanviewer.com/myshowip.phpMyLanViewerhttp://www.mylanviewer.com/myshowip.php0
Source: Setup.exe String found in binary or memory: http://www.mylanviewer.com/showip.php
Source: Setup.exe String found in binary or memory: http://www.mylanviewer.com/showip.phpl
Source: Setup.exe String found in binary or memory: http://www.mylanviewer.com/version2.txt
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: Gosse.com.6.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp, Gosse.com.6.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: Setup.exe String found in binary or memory: https://www.mylanviewer.com/home.html
Source: Setup.exe String found in binary or memory: https://www.mylanviewer.com/home.htmlhttps://www.mylanviewer.com/home.htmlopeniexplore.exehttps://ww
Source: Setup.exe String found in binary or memory: https://www.mylanviewer.com/home.htmlopenhttps://www.mylanviewer.com/registers.htmlhttps://www.mylan
Source: Setup.exe String found in binary or memory: https://www.mylanviewer.com/registers.html
Source: Setup.exe String found in binary or memory: https://www.mylanviewer.com/registers.htmlArialRegistration
Source: Setup.exe String found in binary or memory: https://www.mylanviewer.com/registers.htmlhttps://www.mylanviewer.com/registers.htmlopeniexplore.exe
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DF664 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 8_2_005DF664
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DF8D3 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_005DF8D3
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CAA95 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 8_2_005CAA95
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005F9FB4 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_005F9FB4
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040776F NtQuerySystemInformation, 0_2_0040776F
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CE3CB: CreateFileW,DeviceIoControl,CloseHandle, 8_2_005CE3CB
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_005C230F
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CF76E ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 8_2_005CF76E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040A375 0_2_0040A375
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_0040B1FD 0_2_0040B1FD
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0059E32F 8_2_0059E32F
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005824CA 8_2_005824CA
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00596599 8_2_00596599
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005EC844 8_2_005EC844
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0058C9C0 8_2_0058C9C0
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005829E3 8_2_005829E3
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0057CBF0 8_2_0057CBF0
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00596C09 8_2_00596C09
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D2D81 8_2_005D2D81
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0056EE00 8_2_0056EE00
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0056CE20 8_2_0056CE20
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00582F23 8_2_00582F23
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00567070 8_2_00567070
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0057F0DA 8_2_0057F0DA
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C9168 8_2_005C9168
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005F525A 8_2_005F525A
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0057D37F 8_2_0057D37F
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00587746 8_2_00587746
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005697D0 8_2_005697D0
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00587975 8_2_00587975
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00581964 8_2_00581964
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00573AD9 8_2_00573AD9
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00587BD2 8_2_00587BD2
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0056DC70 8_2_0056DC70
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00599D1E 8_2_00599D1E
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00581FC1 8_2_00581FC1
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Gosse.com 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: String function: 0056FA3B appears 33 times
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: String function: 0058014F appears 39 times
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: String function: 00581000 appears 41 times
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 340
Source: Setup.exe Static PE information: invalid certificate
Source: Setup.exe, 00000000.00000002.1399354158.00000000072ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Setup.exe
Source: Setup.exe, 00000000.00000002.1401884047.0000000007745000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeP vs Setup.exe
Source: Setup.exe, 00000000.00000002.1401884047.000000000760D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs Setup.exe
Source: Setup.exe, 00000000.00000000.1295268522.000000000192A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLM_Support.exe8 vs Setup.exe
Source: Setup.exe, 00000000.00000002.1394975504.0000000006D3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Setup.exe
Source: Setup.exe, 00000000.00000002.1366545569.0000000006BE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLM_Support.exe8 vs Setup.exe
Source: Setup.exe Binary or memory string: OriginalFilenameLM_Support.exe8 vs Setup.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/9@0/0
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D4573 GetLastError,FormatMessageW, 8_2_005D4573
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C21C9 AdjustTokenPrivileges,CloseHandle, 8_2_005C21C9
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C27D9 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 8_2_005C27D9
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D5D7E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 8_2_005D5D7E
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CE2AB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CompareStringW,CloseHandle, 8_2_005CE2AB
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C8056 CoCreateInstance,SetErrorMode,GetProcAddress,SetErrorMode, 8_2_005C8056
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D3DBD CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 8_2_005D3DBD
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\MyLanViewer\
Source: C:\Users\user\Desktop\Setup.exe Mutant created: \Sessions\1\BaseNamedObjects\MyLanViewerMutex
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6596
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user~1\AppData\Local\Temp\7ee79492 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Setup.exe ReversingLabs: Detection: 24%
Source: Setup.exe String found in binary or memory: Your current external IP-address is %ip
Source: Setup.exe String found in binary or memory: Your new external IP-address is %ipnew
Source: Setup.exe String found in binary or memory: # To skip the line you need to put a symbol # in front of the line.ANYSounds\MessageRecv.wavSounds\MessageSent.wavSounds\FileRecv.wavSounds\FileComplete.wavsmtp.yourmaildomain.comuserMyLanViewer Notificationsuser@yourmaildomain.comuser@yourmaildomain.comMyLanViewer Notifications from ScannerMyLanViewer Notifications from HistoryMyLanViewer Notifications from FavoritesMyLanViewer Notifications from Subnet MonitoringYour current external IP-address is %ipYour current external IP-address is %ipYour new external IP-address is %ipnewYour new external IP-address is %ipnewData\Scanner\scanner.datNet.exesend Admin Scanning is finished at %tSounds\Finish.wavSounds\Finish.wavSounds\Join.wavSounds\Leave.wavSounds\New.wavSounds\Finish.wavSounds\Finish.wavSounds\Connect.wavSounds\Disconnect.wavNet.exesend Admin %ip is up at %tNet.exesend Admin %ip is down at %tNet.exesend Admin %ip is new at %tSounds\Join.wavSounds\Leave.wavSounds\New.wavNet.exesend Admin %mac is up at %tNet.exesend Admin %mac is down at %tNet.exesend Admin %mac is new at %t%mac - %ip - %hn is up at %t %d%mac - %ip - %hn is down at %t %d%mac - %ip - %hn is new at %t %d80,443*.mp3 ; *.wma ; *.wav192.168.0.1-254192.168.0-255.1-254 - Sample192.168.0-16,100-116,200-216.1-254 - Sample..-.-...192.168.0,10-20,30-40.1-254 - Samplecdn14.mylanviewer.comWindows Shares\\%ipWeb Browserhttp://%ipFTPftp://%ipPingcmd.exe/K ping %ip -n 10Trace routcmd.exe/K tracert %ipTelnetcmd.exe/K telnet %ipRebootcmd.exe/K shutdown -r -m \\%ipShutdowncmd.exe/K shutdown -s -m \\%ipUnknownIP AddressMAC AddressNIC VendorDNS NameFriendly NameRTTTTLHost NameWork GroupOS VersionTime of DaySystem LoadedTime ZoneLogged UsersShared ResourcesPorts\MyLanViewer\44
Source: Setup.exe String found in binary or memory: Use %ip as IP-address; %t as Time; %d as Date
Source: Setup.exe String found in binary or memory: Use %ip as IP-address; %hn as Host name; %mac as MAC-address;
Source: Setup.exe String found in binary or memory: Use %mac as MAC-address; %nic as NIC vendor; %fn as friendly name;
Source: Setup.exe String found in binary or memory: %ip as IP-address; %ip4 as IP4-address; %ip6 as IP6-address;
Source: Setup.exe String found in binary or memory: hOkCancelUse %sr as scann result; %asr as attached file with scann result; %t as Time; %d as DateUse %ip as IP-address; %t as Time; %d as DateUse %ip as IP-address; %hn as Host name; %mac as MAC-address;
Source: Setup.exe String found in binary or memory: %t as Time; %d as DateUse %mac as MAC-address; %nic as NIC vendor; %fn as friendly name;
Source: Setup.exe String found in binary or memory: Use %ip as current external IP-address;
Source: Setup.exe String found in binary or memory: Use %ipold as old external IP-address; %ipnew as new external IP-Address;
Source: Setup.exe String found in binary or memory: hOkCancelUse %ip as current external IP-address;
Source: Setup.exe String found in binary or memory: %t as Time; %d as DateUse %ipold as old external IP-address; %ipnew as new external IP-Address;
Source: Setup.exe String found in binary or memory: Use %ip as IP-address; %t as Time; %d as Date.
Source: Setup.exe String found in binary or memory: Use %mac as MAC-address; %ip4 as IP4-address; %ip6 as IP6-address; %t as Time; %d as Date.
Source: Setup.exe String found in binary or memory: ...OkCancelUse %fp as Path to the file result; %t as Time; %d as Date.Use %ip as IP-address; %t as Time; %d as Date.Use %mac as MAC-address; %ip4 as IP4-address; %ip6 as IP6-address; %t as Time; %d as Date.ArialExecute Applicationq
Source: Setup.exe String found in binary or memory: Use %mac as MAC-address; %nic as NIC vendor; %fn as friendly name; %ip as IP-address; %ip4 as IP4-address; %ip6 as IP6-address; %hn as Host name; %hn4 as Host name by IP4; %hn6 as host name by IP6; %t as Time; %d as Date.
Source: Setup.exe String found in binary or memory: aUse %ipold as old external IP-address; %ipnew as new external IP-Address; %t as Time; %d as Date.
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\Gosse.com C:\Users\user~1\AppData\Local\Temp\Gosse.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6596 -s 340
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\Gosse.com C:\Users\user~1\AppData\Local\Temp\Gosse.com Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: shdocvw.dll Jump to behavior
Source: Setup.exe Static PE information: More than 322 > 100 exports found
Source: Setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Setup.exe Static file information: File size 17103832 > 1048576
Source: Setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2fd000
Source: Setup.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x110600
Source: Setup.exe Static PE information: Raw size of _RDATA0 is bigger than: 0x100000 < 0x426c00
Source: Setup.exe Static PE information: Raw size of _RDATA2 is bigger than: 0x100000 < 0x459800
Source: Setup.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x3b8800
Source: Binary string: wntdll.pdbUGP source: Setup.exe, 00000000.00000002.1394975504.0000000006C1C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1399354158.00000000071C0000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2547493779.0000000004B15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2548312860.0000000005060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Setup.exe, 00000000.00000002.1394975504.0000000006C1C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000002.1399354158.00000000071C0000.00000004.00000800.00020000.00000000.sdmp, more.com, 00000006.00000002.2547493779.0000000004B15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2548312860.0000000005060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005EC00E RegConnectRegistryW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCloseKey,LoadLibraryA,GetProcAddress,RegDeleteKeyW,FreeLibrary,RegCloseKey, 8_2_005EC00E
Source: initial sample Static PE information: section where entry point is pointing to: _RDATA2
Source: Setup.exe Static PE information: section name: _RDATA0
Source: Setup.exe Static PE information: section name: _RDATA1
Source: Setup.exe Static PE information: section name: _RDATA2
Source: xwharpgq.6.dr Static PE information: section name: xibp
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00581046 push ecx; ret 8_2_00581059

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\Gosse.com Jump to dropped file
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\xwharpgq Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005F2558 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_005F2558
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00575D03 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_00575D03
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Setup.exe API/Special instruction interceptor: Address: 1361D02
Source: C:\Users\user\Desktop\Setup.exe API/Special instruction interceptor: Address: 14FA8E8
Source: C:\Users\user\Desktop\Setup.exe API/Special instruction interceptor: Address: 156A906
Source: C:\Users\user\Desktop\Setup.exe API/Special instruction interceptor: Address: 117B469
Source: C:\Users\user\Desktop\Setup.exe API/Special instruction interceptor: Address: 769C7C44
Source: C:\Users\user\Desktop\Setup.exe API/Special instruction interceptor: Address: 769C7945
Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 769C3B54
Source: C:\Users\user\Desktop\Setup.exe RDTSC instruction interceptor: First address: 769CF3E1 second address: 769CF3FD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-20h], eax 0x00000005 mov dword ptr [ebp-1Ch], edx 0x00000008 lea esi, dword ptr [ebp-38h] 0x0000000b xor eax, eax 0x0000000d xor ecx, ecx 0x0000000f cpuid 0x00000011 mov dword ptr [esi], eax 0x00000013 mov dword ptr [esi+04h], ebx 0x00000016 mov dword ptr [esi+08h], ecx 0x00000019 mov dword ptr [esi+0Ch], edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Setup.exe RDTSC instruction interceptor: First address: 769CF3FD second address: 769CF3E1 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-18h], eax 0x00000005 mov dword ptr [ebp-14h], edx 0x00000008 mov eax, dword ptr [ebp-18h] 0x0000000b sub eax, dword ptr [ebp-20h] 0x0000000e mov ecx, dword ptr [ebp-14h] 0x00000011 sbb ecx, dword ptr [ebp-1Ch] 0x00000014 add eax, dword ptr [ebp-10h] 0x00000017 adc ecx, dword ptr [ebp-0Ch] 0x0000001a mov dword ptr [ebp-10h], eax 0x0000001d mov dword ptr [ebp-0Ch], ecx 0x00000020 jmp 00007FAC35238205h 0x00000022 mov edx, dword ptr [ebp-04h] 0x00000025 add edx, 01h 0x00000028 mov dword ptr [ebp-04h], edx 0x0000002b cmp dword ptr [ebp-04h], 64h 0x0000002f jnl 00007FAC35238290h 0x00000031 rdtsc
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xwharpgq Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0059C0D2 FindFirstFileExW, 8_2_0059C0D2
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DA187 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_005DA187
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CE180 GetFileAttributesW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005CE180
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DA2E4 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_005DA2E4
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DA66E FindFirstFileW,Sleep,FindNextFileW,FindClose, 8_2_005DA66E
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D686D FindFirstFileW,FindNextFileW,FindClose, 8_2_005D686D
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CE9BA GetFileAttributesW,FindFirstFileW,FindClose, 8_2_005CE9BA
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D74F0 FindFirstFileW,FindClose, 8_2_005D74F0
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D7591 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime, 8_2_005D7591
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CDE32 GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,DeleteFileW,CompareStringW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_005CDE32
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0057310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_0057310D
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Setup.exe, 00000000.00000002.1363731118.0000000001CC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: more.com, 00000006.00000002.2547875820.0000000004EB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\Setup.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005DF607 BlockInput, 8_2_005DF607
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00592446 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00592446
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005EC00E RegConnectRegistryW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCloseKey,LoadLibraryA,GetProcAddress,RegDeleteKeyW,FreeLibrary,RegCloseKey, 8_2_005EC00E
Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00407E3F mov eax, dword ptr fs:[00000030h] 0_2_00407E3F
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00584BF4 mov eax, dword ptr fs:[00000030h] 8_2_00584BF4
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C20BE GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 8_2_005C20BE
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00580E4D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00580E4D
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00580F9F SetUnhandledExceptionFilter, 8_2_00580F9F
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005811EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_005811EE

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Setup.exe NtProtectVirtualMemory: Direct from: 0x6D452AF4 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe NtSetInformationThread: Direct from: 0x408AE0 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe NtQuerySystemInformation: Direct from: 0x6F81FF Jump to behavior
Source: more.com, 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: p3ar11fter.sbs
Source: more.com, 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 3xp3cts1aim.sbs
Source: more.com, 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: peepburry828.sbs
Source: more.com, 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: p10tgrace.sbs
Source: more.com, 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: processhol.sbs
Source: more.com, 00000006.00000002.2547321084.0000000003290000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: s1gn1fyh0se.cyou
Source: C:\Users\user\Desktop\Setup.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C230F LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 8_2_005C230F
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00572D33 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 8_2_00572D33
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005CC078 SendInput,keybd_event, 8_2_005CC078
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005E2E89 GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 8_2_005E2E89
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com Jump to behavior
Source: C:\Windows\SysWOW64\more.com Process created: C:\Users\user\AppData\Local\Temp\Gosse.com C:\Users\user~1\AppData\Local\Temp\Gosse.com Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C1C68 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_005C1C68
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005C2777 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 8_2_005C2777
Source: Setup.exe, 00000000.00000002.1401884047.0000000007737000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000006.00000002.2547875820.0000000004FE2000.00000004.00000800.00020000.00000000.sdmp, Gosse.com, 00000008.00000000.1398108112.0000000000621000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Gosse.com Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_00580CA4 cpuid 8_2_00580CA4
Source: C:\Users\user\Desktop\Setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7ee79492 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005D8C58 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 8_2_005D8C58
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_005A59C7 GetUserNameW, 8_2_005A59C7
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0059B782 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 8_2_0059B782
Source: C:\Users\user\AppData\Local\Temp\Gosse.com Code function: 8_2_0057310D GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemInfo,GetSystemInfo, 8_2_0057310D
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Gosse.com Binary or memory string: WIN_81
Source: Gosse.com Binary or memory string: WIN_XP
Source: Gosse.com Binary or memory string: WIN_XPe
Source: Gosse.com Binary or memory string: WIN_VISTA
Source: Gosse.com.6.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 15, 1USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Gosse.com Binary or memory string: WIN_7
Source: Gosse.com Binary or memory string: WIN_8
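The WIN_XP, WIN_XPe, WIN_VISTA, WIN_7, WIN_8 and WIN_81 tokens above, and the long run of GUI control names and PCRE error messages in the Gosse.com.6.dr string, are not the stealer's own strings: they are the AutoIt3 runtime's @OSVersion name table and interpreter messages, and the earlier memory string "Run Script:AutoIt script files (*.au3, *.a3x) ... >>>AUTOIT SCRIPT<<<" comes from the same interpreter. Together they say that the dropped Gosse.com is an AutoIt-compiled payload. The following is an added triage example, not code from the report or from the malware: a Python function that scans a file's bytes for the markers visible in this report, plus the AU3!EA06 resource magic that AutoIt3 compilers embed (a known AutoIt value, not a string this report shows). Both narrow and UTF-16LE forms are tried because either can appear in a compiled binary; the sample and benign buffers are constructed.

```python
from typing import Dict, List, Tuple

# Indicators as they appear on the page. AU3!EA06 is the AutoIt3 compiled-script
# resource magic (a known AutoIt value, not a string from this report).
AUTOIT_MARKERS: Dict[bytes, str] = {
    b">>>AUTOIT SCRIPT<<<": "script section marker",
    b"AU3!EA06": "AutoIt3 compiled-script resource magic",
    b"AutoIt script files (*.au3, *.a3x)": "Run Script dialog file filter",
    b"#include depth exceeded": "AutoIt preprocessor error text",
}

# The @OSVersion name table, as the one contiguous run the report shows for Gosse.com.6.dr.
OSVERSION_TABLE = (b"WIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2"
                   b"WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XP")


def _utf16le(s: bytes) -> bytes:
    return s.decode("ascii").encode("utf-16-le")


def find_autoit_indicators(data: bytes) -> Dict[str, List[Tuple[str, int]]]:
    """Map indicator description -> [(encoding, offset), ...] for every hit.

    Each needle is searched in its narrow form and its UTF-16LE form, since
    either may be present in a compiled binary (assumption, see lead-in)."""
    hits: Dict[str, List[Tuple[str, int]]] = {}
    candidates = dict(AUTOIT_MARKERS)
    candidates[OSVERSION_TABLE] = "@OSVersion name table"
    for needle, desc in candidates.items():
        for enc_name, enc in (("ascii", needle), ("utf16", _utf16le(needle))):
            off = data.find(enc)
            while off != -1:
                hits.setdefault(desc, []).append((enc_name, off))
                off = data.find(enc, off + 1)
    return hits


def is_probably_autoit(data: bytes, min_indicators: int = 2) -> bool:
    """Require at least two distinct indicators so that a lone error string or
    a stray OS name in an unrelated binary does not flag it by itself."""
    return len(find_autoit_indicators(data)) >= min_indicators


def build_sample() -> bytes:
    """Constructed stand-in for a dropped file; not the real Gosse.com."""
    return (b"MZ" + b"\x00" * 64 + b"AU3!EA06" + b"\x90" * 16
            + _utf16le(b">>>AUTOIT SCRIPT<<<") + b"\x00" * 8
            + _utf16le(OSVERSION_TABLE) + b"\x00" * 8
            + b"#include depth exceeded. Make sure there are no recursive includes")


def build_benign() -> bytes:
    """Constructed non-AutoIt buffer that merely mentions one OS name."""
    return b"MZ" + b"\x00" * 64 + b"Requires WIN_7 or later" + b"\x00" * 8


if __name__ == "__main__":
    for desc, where in find_autoit_indicators(build_sample()).items():
        print(f"{desc}: {where}")
    print("sample is AutoIt:", is_probably_autoit(build_sample()))
    print("benign is AutoIt:", is_probably_autoit(build_benign()))
```

Searching for the whole @OSVersion run rather than the individual WIN_* names is deliberate: "WIN_7" on its own turns up in plenty of legitimate installers, while the full ordered table is specific to the AutoIt runtime. Once a file is confirmed as AutoIt-compiled, the embedded script, not the PE wrapper, is what carries the LummaC logic and is the thing to extract next.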

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
No contacted IP infos