Windows
Analysis Report
SetupPSRCloud_5.0.2.exe
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 80% |
Signatures
Classification
- System is w10x64_ra
- SetupPSRCloud_5.0.2.exe (PID: 7012 cmdline:
"C:\Users\ user\Deskt op\SetupPS RCloud_5.0 .2.exe" MD5: 3F0AA516242D152F76D1151B6524C9C6) - SetupPSRCloud_5.0.2.tmp (PID: 4248 cmdline:
"C:\Users\ user\AppDa ta\Local\T emp\is-SE4 0O.tmp\Set upPSRCloud _5.0.2.tmp " /SL5="$6 03B2,23154 778,874496 ,C:\Users\ user\Deskt op\SetupPS RCloud_5.0 .2.exe" MD5: 5D664AEC526669352BA36F80A5C8843B)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | File created: |
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: | ||
Source: | Key opened: |
Source: | Key opened: |
Source: | File read: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: | ||
Source: | Section loaded: |
Source: | Window found: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | File created: | Jump to dropped file |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1427669 |
Start date and time: | 2024-04-17 23:12:27 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Sample name: | SetupPSRCloud_5.0.2.exe |
Detection: | CLEAN |
Classification: | clean1.winEXE@3/1@0/0 |
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com
- Not all processes where analyzed, report is missing behavior information
- VT rate limit hit for: SetupPSRCloud_5.0.2.exe
Process: | C:\Users\user\Desktop\SetupPSRCloud_5.0.2.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3230272 |
Entropy (8bit): | 6.395805168562771 |
Encrypted: | false |
SSDEEP: | |
MD5: | 5D664AEC526669352BA36F80A5C8843B |
SHA1: | E5A1857D2949EE6FC6690F57E63E710B6AF5215C |
SHA-256: | 13743F9FBBD84C21D186059949FDF3FD6A7BA57908A888BABAE4101A891594D7 |
SHA-512: | 3BE1124FF9BAF5218B6153A84C494D7FAD66F19147F0469E341A731106E2539BC7E80817353B2341A67A3A3DAD7E5E501BA106B5B396A7DC82DD10FD4E2D51D2 |
Malicious: | false |
Antivirus: |
|
Reputation: | unknown |
Preview: |
File type: | |
Entropy (8bit): | 7.992226810369233 |
TrID: |
|
File name: | SetupPSRCloud_5.0.2.exe |
File size: | 24'045'024 bytes |
MD5: | 3f0aa516242d152f76d1151b6524c9c6 |
SHA1: | e7974e9135d24357764c6f578a726e0ae145f3c2 |
SHA256: | a0fa184a9104b4488e40de447615e464ebbf79bd8b6fd916c34a610eb0c8bfdb |
SHA512: | 1ebc736ddc094d4f453b42cb6f21ad84876764e09849d4d399f792a7d4e56328718c61efbc988b2e4a9e86776b86bfc8566847795f02f0080a621dce6edffe5c |
SSDEEP: | 393216:T/DoJAghMA29qscUkpFzqFVxHbRUadxPxV8CMKNt/+pAHExcI4hsMiHn17zq6K2l:oJAlA29qZT+dbRUpZKNc9tzqy |
TLSH: | FC37332FB2A8A53EC55E0B31987382509973BE61F41A8C4F13F4B90DEFB74601E7A615 |
File Content Preview: | MZP.....................@...............................................!..L.!..This program must be run under Win32..$7....................................................................................................................................... |
Icon Hash: | 159111c1e5dc521f |
Entrypoint: | 0x4b5eec |
Entrypoint Section: | .itext |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | e569e6f445d32ba23766ad67d1e3787f |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | B014B8F3BC6C9B9DD7335E70ED39364D |
Thumbprint SHA-1: | FB42F027D18652D93D49983DC5A9D1C4C35DC487 |
Thumbprint SHA-256: | 5109F8DD3AC39B5950F0640606BFAC7895E4A23EB097A4A119DD35DD28F78542 |
Serial: | 043069749EF322A9B2EB3F53A625F92C |
Instruction |
---|
push ebp |
mov ebp, esp |
add esp, FFFFFFA4h |
push ebx |
push esi |
push edi |
xor eax, eax |
mov dword ptr [ebp-3Ch], eax |
mov dword ptr [ebp-40h], eax |
mov dword ptr [ebp-5Ch], eax |
mov dword ptr [ebp-30h], eax |
mov dword ptr [ebp-38h], eax |
mov dword ptr [ebp-34h], eax |
mov dword ptr [ebp-2Ch], eax |
mov dword ptr [ebp-28h], eax |
mov dword ptr [ebp-14h], eax |
mov eax, 004B14B8h |
call 00007FD0C86F9E15h |
xor eax, eax |
push ebp |
push 004B65E2h |
push dword ptr fs:[eax] |
mov dword ptr fs:[eax], esp |
xor edx, edx |
push ebp |
push 004B659Eh |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
mov eax, dword ptr [004BE634h] |
call 00007FD0C879C907h |
call 00007FD0C879C45Ah |
lea edx, dword ptr [ebp-14h] |
xor eax, eax |
call 00007FD0C870F8B4h |
mov edx, dword ptr [ebp-14h] |
mov eax, 004C1D84h |
call 00007FD0C86F4A07h |
push 00000002h |
push 00000000h |
push 00000001h |
mov ecx, dword ptr [004C1D84h] |
mov dl, 01h |
mov eax, dword ptr [004238ECh] |
call 00007FD0C8710A37h |
mov dword ptr [004C1D88h], eax |
xor edx, edx |
push ebp |
push 004B654Ah |
push dword ptr fs:[edx] |
mov dword ptr fs:[edx], esp |
call 00007FD0C879C98Fh |
mov dword ptr [004C1D90h], eax |
mov eax, dword ptr [004C1D90h] |
cmp dword ptr [eax+0Ch], 01h |
jne 00007FD0C87A2BAAh |
mov eax, dword ptr [004C1D90h] |
mov edx, 00000028h |
call 00007FD0C871132Ch |
mov edx, dword ptr [004C1D90h] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x1b310 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x16e99a0 | 0x4c40 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0xc7000 | 0x1b310 | 0x1b400 | 98e1ed6bccc084d61f65f9f20b683e90 | False | 0.3785210005733945 | data | 5.609956067310018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_ICON | 0xc7678 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.26951219512195124 |
RT_ICON | 0xc7ce0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.37768817204301075 |
RT_ICON | 0xc7fc8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.44672131147540983 |
RT_ICON | 0xc81b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5067567567567568 |
RT_ICON | 0xc82d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5900852878464818 |
RT_ICON | 0xc9180 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.7608303249097473 |
RT_ICON | 0xc9a28 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.7914746543778802 |
RT_ICON | 0xca0f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.6726878612716763 |
RT_ICON | 0xca658 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.3201673961907015 |
RT_ICON | 0xdae80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4534232365145228 |
RT_ICON | 0xdd428 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.525328330206379 |
RT_ICON | 0xde4d0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5885245901639344 |
RT_ICON | 0xdee58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7136524822695035 |
RT_STRING | 0xdf2c0 | 0x360 | data | 0.34375 | ||
RT_STRING | 0xdf620 | 0x260 | data | 0.3256578947368421 | ||
RT_STRING | 0xdf880 | 0x45c | data | 0.4068100358422939 | ||
RT_STRING | 0xdfcdc | 0x40c | data | 0.3754826254826255 | ||
RT_STRING | 0xe00e8 | 0x2d4 | data | 0.39226519337016574 | ||
RT_STRING | 0xe03bc | 0xb8 | data | 0.6467391304347826 | ||
RT_STRING | 0xe0474 | 0x9c | data | 0.6410256410256411 | ||
RT_STRING | 0xe0510 | 0x374 | data | 0.4230769230769231 | ||
RT_STRING | 0xe0884 | 0x398 | data | 0.3358695652173913 | ||
RT_STRING | 0xe0c1c | 0x368 | data | 0.3795871559633027 | ||
RT_STRING | 0xe0f84 | 0x2a4 | data | 0.4275147928994083 | ||
RT_RCDATA | 0xe1228 | 0x10 | data | 1.5 | ||
RT_RCDATA | 0xe1238 | 0x2c4 | data | 0.6384180790960452 | ||
RT_RCDATA | 0xe14fc | 0x2c | data | 1.2045454545454546 | ||
RT_GROUP_ICON | 0xe1528 | 0xbc | data | English | United States | 0.6276595744680851 |
RT_VERSION | 0xe15e4 | 0x584 | data | English | United States | 0.2556657223796034 |
RT_MANIFEST | 0xe1b68 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163 |
DLL | Import |
---|---|
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale |
comctl32.dll | InitCommonControls |
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW |
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW |
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate |
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree |
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW |
Name | Ordinal | Address |
---|---|---|
TMethodImplementationIntercept | 3 | 0x4541a8 |
__dbk_fcall_wrapper | 2 | 0x40d0a0 |
dbkFCallWrapperAddr | 1 | 0x4be63c |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |