Windows
Analysis Report
BundleSweetIMSetup.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Compliance
Score: | 50 |
Range: | 0 - 100 |
Signatures
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Found suspicious ZIP file
Overwrites Mozilla Firefox settings
Tries to harvest and steal browser information (history, passwords, etc)
Changes the start page of internet explorer
Checks for available system drives (often done to infect USB drives)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Internet Explorer Autorun Keys Modification
Sigma detected: Suspicious Execution From GUID Like Folder Names
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- BundleSweetIMSetup.exe (PID: 6936 cmdline: "C:\Users\user\Desktop\BundleSweetIMSetup.exe" MD5: BCC96659D6A46536DBDE959FB9D60F67)
  - SweetIMSetup.exe (PID: 7004 cmdline: /s /w /v" /qn SIMHP=0 SIMSP=0 " MD5: CED6A16415E6AE2243ACC2B776B9D965)
  - msiexec.exe (PID: 6608 cmdline: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{8929CE83-143A-4A6A-A32A-AA9D4E2B602B}\SweetIMSetup.msi" /qn SIMHP=0 SIMSP=0 SETUPEXEDIR="C:\Users\user\AppData\Local\Temp" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - SweetIESetup.exe (PID: 7592 cmdline: /s /w /v" /qn SIMOB=0 SIMADDREGIE={UserSelectedHP=1,UserSelectedDS=1} " MD5: 4E3FCE1D8BE37088E4E40B829DA24091)
  - msiexec.exe (PID: 7628 cmdline: MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\{B3CA5B4C-F637-458C-81D6-CD8DADBE9841}\SweetIESetup.msi" /qn SIMOB=0 SIMADDREGIE={UserSelectedHP=1,UserSelectedDS=1} SETUPEXEDIR="C:\Users\user\AppData\Local\Temp" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - chrome.exe (PID: 7992 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.sweetim.com/installbar.asp?barid={C598706C-038F-11EF-8C2C-ECF4BBEA1588} MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  - chrome.exe (PID: 4020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1960,i,7459701528248846225,13626864308159879949,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- msiexec.exe (PID: 6888 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  - msiexec.exe (PID: 7204 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A265C8E8A3BB4B1A10A4D9F720E583B6 MD5: 9D09DC1EDA745A5F87553048E57620CF)
  - VistaCookiesCollector.exe (PID: 7288 cmdline: C:\Users\user\AppData\Local\Temp\{A81A974F-8A22-43E6-9243-5198FF758DA1}\VistaCookiesCollector.exe http://sweetim.com,C:\Users\user\AppData\LocalLow\simcookies.dat MD5: 8E11C6FCF30B1DC4C7069144B80C2709)
  - SweetIM.exe (PID: 7388 cmdline: "C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe" -AutoStartIM MD5: 15A4D1A8C15CB3C0C13C3F36899475E6)
  - msiexec.exe (PID: 7684 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F0CC6D3E1A3C8837D5C7D007B45C879F MD5: 9D09DC1EDA745A5F87553048E57620CF)
- cleanup
⊘No configs have been found
⊘No yara matches
System Summary |
---|
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
Source: | Author: Nasreddine Bencherchali (Nextron Systems): |
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): |
⊘No Snort rule has matched
AV Detection |
---|
Source: | Avira URL Cloud: |
Source: | ReversingLabs: | ||
Source: | Virustotal: | Perma Link |
Source: | HTTP Parser: |
Compliance |
---|
Source: | Static PE information: |
Source: | Window detected: |