Windows Analysis Report
dotNetFx35setup.exe

Overview

General Information

Sample name: dotNetFx35setup.exe
Analysis ID: 1426591
MD5: 269f314b87e6222a20e5f745b6b89783
SHA1: b0ca05c12ebb9a3610206bad7f219e02b7873cbd
SHA256: c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess, 0_2_01004BAD
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess, 0_2_01004BAD
Source: Binary string: sfxcab.pdb source: dotNetFx35setup.exe
Source: Binary string: sfxcab.pdbU source: dotNetFx35setup.exe
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004373 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA, 0_2_01004373
Contains functionality to call native functions
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01003341 NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose, 0_2_01003341
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_010032B1 NtOpenProcessToken,NtAdjustPrivilegesToken,NtClose,NtClose, 0_2_010032B1
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_010036BA OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,_snprintf,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary, 0_2_010036BA
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_010074CA NtClose, 0_2_010074CA
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01002975: GetDriveTypeA,CreateFileA,DeviceIoControl,CloseHandle, 0_2_01002975
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_010036BA OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,_snprintf,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary, 0_2_010036BA
Detected potential crypto function
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_0100790C 0_2_0100790C
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01007C1C 0_2_01007C1C
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01008B2D 0_2_01008B2D
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_0100832F 0_2_0100832F
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01008772 0_2_01008772
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01007F77 0_2_01007F77
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004BAD 0_2_01004BAD
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004BAD 0_2_01004BAD
Sample file is different than original file name gathered from version info
Source: dotNetFx35setup.exe, 00000000.00000000.1990390799.000000000101C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesfxcab.exe0 vs dotNetFx35setup.exe
Source: dotNetFx35setup.exe Binary or memory string: OriginalFilenamesfxcab.exe0 vs dotNetFx35setup.exe
Source: classification engine Classification label: clean4.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess, 0_2_01004BAD
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Section loaded: netutils.dll Jump to behavior
Source: dotNetFx35setup.exe Static file information: File size 2869264 > 1048576
Source: Binary string: sfxcab.pdb source: dotNetFx35setup.exe
Source: Binary string: sfxcab.pdbU source: dotNetFx35setup.exe
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01002858 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_01002858
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004373 SendDlgItemMessageA,strstr,SetFileAttributesA,GetLastError,CopyFileA,SendDlgItemMessageA,strstr,SetFileAttributesA,CopyFileA,GetLastError,CopyFileA,SetFileAttributesA,SendDlgItemMessageA,_strlwr,GetLastError,MoveFileA,MoveFileA,_strlwr,strstr,FindFirstFileA,strrchr,SendDlgItemMessageA,DeleteFileA,Sleep,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,strchr,strrchr,SendDlgItemMessageA, 0_2_01004373
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01002858 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_01002858
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess, 0_2_01004BAD
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01005D91 SetUnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_01005D91
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01004BAD InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetCurrentDirectoryA,GetSystemDirectoryA,QueryDosDeviceA,_strlwr,strstr,strstr,strstr,GetDiskFreeSpaceA,CryptAcquireContextA,sprintf,CryptGenRandom,sprintf,sprintf,CryptReleaseContext,GetSystemTime,SystemTimeToFileTime,DialogBoxParamA,DosDateTimeToFileTime,LocalFileTimeToFileTime,SetFileTime,CloseHandle,SendDlgItemMessageA,MoveFileExA,strstr,_stricmp,SendDlgItemMessageA,CreateFileA,GetLastError,CreateFileA,SetFilePointer,SetFilePointer,SetEndOfFile,SetFilePointer,CreateFileA,CreateFileA,InitializeCriticalSectionAndSpinCount,#17,GetProcessHeap,CreateEventA,CreateEventA,CreateFileA,CreateEventA,CreateThread,CreateFileA,WaitForSingleObject,SendDlgItemMessageA,Sleep,ShowWindow,SetParent,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,LoadStringA,LoadStringA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,SendDlgItemMessageA,ShowWindow,CreateFileA,GetFileSize,ReadFile,CloseHandle,DeleteFileA,SendDlgItemMessageA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,ExpandEnvironmentStringsA,CreateProcessA,ShowWindow,WaitForSingleObject,GetExitCodeProcess,CloseHandle,ShowWindow,LoadStringA,MessageBoxA,DeleteCriticalSection,ExitProcess, 0_2_01004BAD
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01003A05 AllocateAndInitializeSid,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLengthSid,GetTokenInformation,GetLengthSid, 0_2_01003A05
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_01005D0B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,GetModuleHandleA,GetProcAddress, 0_2_01005D0B
Source: C:\Users\user\Desktop\dotNetFx35setup.exe Code function: 0_2_010036BA OpenEventA,WaitForSingleObject,CloseHandle,Sleep,LoadLibraryA,GetProcAddress,WaitForSingleObject,GetLastError,InitiateSystemShutdownA,GetLastError,WaitForSingleObject,GetLastError,_snprintf,GetVersionExA,GetVersionExA,GetVersionExA,GetSystemDirectoryA,strchr,CreateFileA,FlushFileBuffers,CloseHandle,NtShutdownSystem,FreeLibrary, 0_2_010036BA
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1426591 Sample: dotNetFx35setup.exe Startdate: 16/04/2024 Architecture: WINDOWS Score: 0 4 dotNetFx35setup.exe 2->4         started       
No contacted IP infos