Windows
Analysis Report
TreeSize-Setup.exe
Overview
General Information
Detection
Score: | 28
Range: | 0 - 100
Whitelisted: | false
Confidence: | 40%
Signatures
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Reads the Security eventlog
Reads the System eventlog
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
Analysis Advice
Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample is looking for USB drives; launch the sample with the USB Fake Disk cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
- System is w10x64
- TreeSize-Setup.exe (PID: 3784 cmdline: "C:\Users\user\Desktop\TreeSize-Setup.exe" MD5: B2B00FA27FDE68996228CF16B68C682C)
- TreeSize-Setup.tmp (PID: 7064 cmdline: "C:\Users\user\AppData\Local\Temp\is-JKD41.tmp\TreeSize-Setup.tmp" /SL5="$203D4,36275776,857088,C:\Users\user\Desktop\TreeSize-Setup.exe" MD5: 3193E0550820FA622974D28A99617E8C)
- LicenseManager.exe (PID: 2832 cmdline: "C:\Users\user\AppData\Local\Temp\is-7N7OJ.tmp\LicenseManager.exe" /register /language en /product TreeSize /version 9.1.3 /title ' Setup - TreeSize V9.1.3' /parentHandle 328676 MD5: 7CB08BDE1C788E306D481AF58C3143B0)
- LicenseManager.exe (PID: 964 cmdline: "C:\Users\user\AppData\Local\Temp\is-7N7OJ.tmp\LicenseManager.exe" /GetLicenseType MD5: 7CB08BDE1C788E306D481AF58C3143B0)
- LicenseManager.exe (PID: 5648 cmdline: "C:\Users\user\AppData\Local\Temp\is-7N7OJ.tmp\LicenseManager.exe" /addFirewallRule /product TreeSize /executable 'C:\Program Files\JAM Software\TreeSize\TreeSize.exe' MD5: 7CB08BDE1C788E306D481AF58C3143B0)
- TreeSize.exe (PID: 6568 cmdline: "C:\Program Files\JAM Software\TreeSize\TreeSize.exe" /nogui /installcertificate MD5: DECFC2E2970FD5D17917980F05767EDC)
- TreeSize.exe (PID: 5320 cmdline: "C:\Program Files\JAM Software\TreeSize\TreeSize.exe" /NOGUI /SETADMINFLAG "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize (Administrator).LNK" /SETADMINFLAG "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize File Search (Administrator).LNK" /SETADMINFLAG "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TreeSize\TreeSize Duplicate File Search (Administrator).LNK" /Language "en" MD5: DECFC2E2970FD5D17917980F05767EDC)
- TreeSize.exe (PID: 4016 cmdline: "C:\Program Files\JAM Software\TreeSize\TreeSize.exe" /NOGUI /ContextMenuEntries 6 /INSTALL /SAVESETTINGS /REGISTERPACKAGE /Language "en" MD5: DECFC2E2970FD5D17917980F05767EDC)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Source: | Code function: | 3_2_00007FFD346A1D10
Source: | Code function: | 3_2_00007FFD346A3109
Source: | Code function: | 3_2_00007FFD346A1C6D
Source: | Code function: | 3_2_00007FFD346A6D6D
Source: | Code function: | 3_2_00007FFD346A314D
Source: | Code function: | 8_2_00007FFD3468AE45
Source: | Code function: | 8_2_00007FFD3468BA4E
Source: | Code function: | 8_2_00007FFD3468BABD
Source: | Code function: | 8_2_00007FFD3468F2FD
Source: | Code function: | 10_2_00007FFD3466C038
Source: | Code function: | 10_2_00007FFD3467015A
Source: | Code function: | 10_2_00007FFD3466C78D
Source: | Code function: | 10_2_00007FFD3466C7FD
Source: | Static PE information:
Source: | Window detected: