PoP8Setup.exe
PE32 executable (GUI) Intel 80386, for MS Windows
initial sample

Filetype: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.992330851937082
Filename: PoP8Setup.exe
Filesize: 2775616
MD5: 31bbc34f3ce51ab1c28a63202db9860d
SHA1: 1ed7495f56baab6a0c7e829be2598f3b10ceadf5
SHA256: 2e76e7677972cd02596456b95cb05964c30890a85a220753b68cbc64643bf7bb
SHA512: 1fd2c41b56490ebfdc148344e1370b7e3f3eb50ad2b14d98f02373124b4ba9e3374bcab3545a2b0c0c4ca926d818fd3d1661b9d91a832aca198882623c34878e
SSDEEP: 49152://Guw1I73YzKvLuZxukx+3ylqWP1ZrCNaz+ZNwt1hlvRWcTV+qQqZnzbh6:/OuwOrYzKSZUSkWP1ZrCfZujXJdTc4nE
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.o.9...9...9...0...;.......:...9........#l.:....#}.8...9...8....#y.8...Rich9...................PE..L...A..e..................

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
PE file contains sections with non-standard names | Data Obfuscation |
Queries the volume information (name, serial number etc) of a device | Language, Device and Operating System Detection |
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder
Uses 32bit PE files | Compliance, System Summary |
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) | System Summary |
Checks the free space of harddrives | Malware Analysis System Evasion |
Creates files inside the program directory | System Summary |
Creates mutexes | System Summary |
Creates temporary files | System Summary |
Disables application error messages (SetErrorMode) | Hooking and other Techniques for Hiding and Protection |
PE file has an executable .text section and no other executable section | System Summary |
Reads ini files | System Summary | File and Directory Discovery
Reads software policies | System Summary |
Sample reads its own file content | System Summary |
Tries to load missing DLLs | System Summary |
Uses an in-process (OLE) Automation server | System Summary |
PE file contains a debug data directory | System Summary |
Contains modern PE file flags such as dynamic base (ASLR) or NX | Compliance, System Summary |
PE file has a big raw section | System Summary |
Checks if Microsoft Office is installed | System Summary | System Information Discovery
Creates a directory in C:\Program Files | Compliance, System Summary |
Creates a software uninstall entry | Compliance, System Summary |
Creates install or setup log file | Compliance, Persistence and Installation Behavior |
Creates license or readme file | Compliance, Persistence and Installation Behavior |
PE / OLE file has a valid certificate | Compliance, System Summary |
Submission file is bigger than most known malware samples | System Summary |
Uses Rich Edit Controls | System Summary |

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped

File: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x86\regsvr32.exe
Category: dropped
Dump: regsvr32.exe.0.dr
ID: dr_6
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 7.279485169544364
Encrypted: false
Size: 29696
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Sigma detected: Files With System Process Name In Unsuspected Locations | System Summary |
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll (copy)
PE32+ executable (DLL) (console) x86-64, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll (copy)
Category: dropped
Dump: WebView2Loader.dll._tm.0.dr
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._rb (copy)
PE32+ executable (DLL) (console) x86-64, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._rb (copy)
Category: dropped
Dump: WebView2Loader.dll._tm.0.dr
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm
PE32+ executable (DLL) (console) x86-64, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\WebView2Loader.dll._tm
Category: dropped
Dump: WebView2Loader.dll._tm.0.dr
ID: dr_9
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy: 6.175093839791051
Encrypted: false
Size: 158648
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe (copy)
PE32+ executable (console) x86-64, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe (copy)
Category: dropped
Dump: pop8query.exe._tm.0.dr
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (console) x86-64, for MS Windows
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm
PE32+ executable (console) x86-64, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\pop8query.exe._tm
Category: dropped
Dump: pop8query.exe._tm.0.dr
ID: dr_11
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (console) x86-64, for MS Windows
Entropy: 6.201339073050438
Encrypted: false
Size: 1326104
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe (copy)
PE32+ executable (GUI) x86-64, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe (copy)
Category: dropped
Dump: pop8win.exe._tm.0.dr
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Configures the Internet Explorer emulation mode (likely to run Javascript) | Bitcoin Miner |
Creates files inside the user directory | System Summary |
Modifies the internet feature controls of the internet explorer | Lowering of HIPS / PFW / Operating System Security Settings |
Tries to load missing DLLs | System Summary |

C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm
PE32+ executable (GUI) x86-64, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\pop8win.exe._tm
Category: dropped
Dump: pop8win.exe._tm.0.dr
ID: dr_10
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy: 6.386725544082248
Encrypted: false
Size: 4117528
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Configures the Internet Explorer emulation mode (likely to run Javascript) | Bitcoin Miner |
Creates files inside the user directory | System Summary |
Modifies the internet feature controls of the internet explorer | Lowering of HIPS / PFW / Operating System Security Settings |
Tries to load missing DLLs | System Summary |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\Program Files\Harzing's Publish or Perish 8\twux.exe (copy)
PE32 executable (GUI) Intel 80386, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\twux.exe (copy)
Category: dropped
Dump: twux.exe._tm.0.dr
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm
PE32 executable (GUI) Intel 80386, for MS Windows
dropped

File: C:\Program Files\Harzing's Publish or Perish 8\twux.exe._tm
Category: dropped
Dump: twux.exe._tm.0.dr
ID: dr_8
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 5.673453344725802
Encrypted: false
Size: 142240
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops files with a non-matching file extension (content does not match file extension) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Creates a directory in C:\Program Files | Compliance, System Summary |

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publish or Perish 8.lnk
MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Normal, ctime=Thu Apr 25 17:01:02 2024, mtime=Thu Apr 25 17:01:02 2024, atime=Tue Mar 12 12:28:00 2024, length=4117528, window=hide
dropped

File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publish or Perish 8.lnk
Category: dropped
Dump: Publish or Perish 8.lnk.0.dr
ID: dr_12
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Normal, ctime=Thu Apr 25 17:01:02 2024, mtime=Thu Apr 25 17:01:02 2024, atime=Tue Mar 12 12:28:00 2024, length=4117528, window=hide
Entropy: 4.596269057571052
Encrypted: false
Size: 1005
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Stores files to the Windows start menu directory | Boot Survival | Registry Run Keys / Startup Folder

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Setup.dat
data
dropped

File: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Setup.dat
Category: dropped
Dump: Setup.dat.0.dr
ID: dr_13
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: data
Entropy: 5.090017662327696
Encrypted: false
Size: 87058
Whitelisted: false

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Tsu.dll (copy)
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped

File: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\Tsu.dll (copy)
Category: dropped
Dump: _Setup.dll.0.dr
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe
PE32+ executable (GUI) x86-64, for MS Windows
dropped

File: C:\ProgramData\Uninstall\{D7808C1C-93A9-4369-8385-A789888ED9D7}\x64\regsvr32.exe
Category: dropped
Dump: regsvr32.exe0.0.dr
ID: dr_7
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy: 7.256539950295231
Encrypted: false
Size: 30208
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Drops PE files to the application program directory (C:\ProgramData) | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Temp\36071EAE.dat
data
dropped

File: C:\Users\user\AppData\Local\Temp\36071EAE.dat
Category: dropped
Dump: 36071EAE.dat.0.dr
ID: dr_1
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: data
Entropy: 4.925607845134666
Encrypted: false
Size: 79371
Whitelisted: false

C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
dropped

File: C:\Users\user\AppData\Local\Temp\36071EAE\Readme.txt
Category: dropped
Dump: Readme.txt.0.dr
ID: dr_4
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy: 5.143237629684
Encrypted: false
Size: 1753
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Creates license or readme file | Compliance, Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe
PE32 executable (GUI) Intel 80386, for MS Windows
dropped

File: C:\Users\user\AppData\Local\Temp\36071EAE\Setup.exe
Category: dropped
Dump: Setup.exe.0.dr
ID: dr_5
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy: 5.84108445959513
Encrypted: false
Size: 58944
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Temp\36071EAE\Setup.ico
MS Windows icon resource - 8 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
dropped

File: C:\Users\user\AppData\Local\Temp\36071EAE\Setup.ico
Category: dropped
Dump: Setup.ico.0.dr
ID: dr_3
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: MS Windows icon resource - 8 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Entropy: 3.4538759440211932
Encrypted: false
Size: 23558
Whitelisted: false

C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped

File: C:\Users\user\AppData\Local\Temp\36071EAE\_Setup.dll
Category: dropped
Dump: _Setup.dll.0.dr
ID: dr_2
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 4.284946210439144
Encrypted: false
Size: 253952
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |

C:\Users\user\AppData\Local\Temp\PoP8Setup-20240425T200106-Install.log (copy)
Unicode text, UTF-8 (with BOM) text
dropped

File: C:\Users\user\AppData\Local\Temp\PoP8Setup-20240425T200106-Install.log (copy)
Category: dropped
Dump: PoP8SetupEC18E846.log.0.dr
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: Unicode text, UTF-8 (with BOM) text
Entropy: 0.0
Encrypted: false
Size: 0
Whitelisted: false

C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log
Unicode text, UTF-8 (with BOM) text
modified

File: C:\Users\user\AppData\Local\Temp\PoP8SetupEC18E846.log
Category: modified
Dump: PoP8SetupEC18E846.log.0.dr
ID: dr_14
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: Unicode text, UTF-8 (with BOM) text
Entropy: 5.3492678812077115
Encrypted: false
Size: 156280
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Creates install or setup log file | Compliance, Persistence and Installation Behavior |

C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped

File: C:\Users\user\AppData\Local\Temp\Tsu8BBD8215.dll
Category: dropped
Dump: Tsu8BBD8215.dll.0.dr
ID: dr_0
Target ID: 0
Process: C:\Users\user\Desktop\PoP8Setup.exe
Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy: 6.026003927739149
Encrypted: false
Size: 545272
Whitelisted: false

Signature Hits | Behavior Group | Mitre Attack
Drops PE files | Persistence and Installation Behavior |
Found dropped PE file which has not been started or loaded | Malware Analysis System Evasion |
Creates temporary files | System Summary |