
Analysis Report setup.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 151578
Start date: 12.07.2019
Start time: 11:24:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: setup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus36.evad.winEXE@8/13@0/0
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 23.8% (good quality ratio 23.3%)
  • Quality average: 79.8%
  • Quality standard deviation: 22.3%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Whitelisted   Detection
Threshold   36      0 - 100   false         suspicious

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   2       0 - 5   true

Classification

Classification label: sus36.evad.winEXE@8/13@0/0 (score 36, suspicious)

Analysis Advice

  • Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
  • Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters such as "-", "/" or "--").
  • Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.



Mitre Att&ck Matrix

Numbers in parentheses are the report's signature-count badges, copied as extracted; unnumbered entries are the unmatched cells of the report's grid.

Initial Access: Replication Through Removable Media (1); Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Execution through API (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Access Token Manipulation (1); Process Injection (21); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Software Packing (1); Access Token Manipulation (1); Process Injection (21); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: System Time Discovery (1); Process Discovery (1); Peripheral Device Discovery (11); Security Software Discovery (3); File and Directory Discovery (2); System Information Discovery (44)
Lateral Movement: Replication Through Removable Media (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for unpacked file
Source: 0.1.setup.exe.12c0000.0.unpack | Joe Sandbox ML: detected
Source: 2.1.setup.exe.390000.0.unpack | Joe Sandbox ML: detected

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: a:
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012EA5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003BA5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW
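The drive-letter sweep above is the behaviour behind this signature and behind the USB advice in the Analysis Advice section. The same sweep is produced by removable-media worms and by installers doing disk costing (here the process is msiexec.exe), so a detection should report the sweep together with the process image rather than alert on it alone. The following is an added example, not Joe Sandbox code; it reads constructed lines in the form "Source: <image> | File opened: <path>" built from this report's entries, and the threshold of 8 drives is an assumption chosen for illustration.

```python
"""Flag processes that probe many drive roots in a row (added example, not Joe Sandbox code)."""
import re
from collections import defaultdict

# Constructed sample: the msiexec.exe entries from the Spreading section (25 letters, no D:)
# plus two ordinary file opens by setup.exe that must not be reported as a sweep.
SAMPLE_EVENTS = [
    f"Source: C:\\Windows\\SysWOW64\\msiexec.exe | File opened: {d}:"
    for d in "zxvtrpnljhfbywusqomkigeca"
] + [
    r"Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Users\user\Desktop\setup.exe",
    r"Source: C:\Users\user\Desktop\setup.exe | File opened: c:",
]

EVENT_RE = re.compile(r"^Source:\s*(?P<image>.+?)\s*\|\s*File opened:\s*(?P<path>.+?)\s*$")
DRIVE_ROOT_RE = re.compile(r"^(?P<letter>[A-Za-z]):\\?$")


def parse_event(line):
    """Return (image, path) for one report line, or None if it is not a file-open entry."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m.group("image"), m.group("path")


def drive_letter_sweeps(lines, min_drives=8):
    """Map each process image to the sorted string of drive letters it opened at the root,
    keeping only processes that touched at least min_drives distinct letters."""
    opened = defaultdict(set)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        image, path = parsed
        m = DRIVE_ROOT_RE.match(path)
        if m:
            opened[image].add(m.group("letter").upper())
    return {
        image: "".join(sorted(letters))
        for image, letters in opened.items()
        if len(letters) >= min_drives
    }


def missing_letters(sweep):
    """Letters of the alphabet that a sweep skipped (this report's msiexec list has no D:)."""
    return "".join(c for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ" if c not in sweep)


if __name__ == "__main__":
    for image, letters in drive_letter_sweeps(SAMPLE_EVENTS).items():
        skipped = missing_letters(letters) or "none"
        print(f"{image}: probed {len(letters)} drive roots, skipped {skipped}")
```

On a real host the same logic applies to Sysmon file-create or ETW file-open events; the useful triage question is whether the process also wrote files or autorun entries to the drives it found, which this report does not show.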

Networking:

Urls found in memory or binary data
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://s2.symcb.com0
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://sv.symcd.com0&
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://www.flexerasoftware.com0
Source: setup.exe | String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: MSIF812.tmp.5.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: MSIF812.tmp.5.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: MSIF812.tmp.5.dr | String found in binary or memory: https://d.symcb.com/rpa0
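Almost all of the URLs listed for MSIF812.tmp are certificate-chain plumbing from the dropped file's Authenticode signature: CRL distribution points, OCSP responders, AIA links and the CPS/RPA policy URLs of the Thawte/Symantec chain. They are stored as DER IA5Strings, which is why the string scanner picked up the byte that follows each URL: 0x30, the DER SEQUENCE tag, prints as "0", sometimes followed by its printable length byte ("0(", "0%", "07", "0a", "00"). The added example below (not Joe Sandbox code) strips that residue and separates PKI URLs from the two that merit a look, the vendor site and the InstallShield error-reporting URL. The host and path patterns it uses are an assumption tuned to this report's chain, not a complete list of CA infrastructure.

```python
"""Clean DER residue off extracted URLs and triage them (added example, not Joe Sandbox code)."""
import re
from urllib.parse import urlsplit

# Constructed input: the Networking entries of this report, verbatim.
REPORT_URLS = [
    "http://crl.thawte.com/ThawteTimestampingCA.crl0",
    "http://ocsp.thawte.com0",
    "http://s1.symcb.com/pca3-g5.crl0",
    "http://s2.symcb.com0",
    "http://sv.symcb.com/sv.crl0a",
    "http://sv.symcb.com/sv.crt0",
    "http://sv.symcd.com0&",
    "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0",
    "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(",
    "http://ts-ocsp.ws.symantec.com07",
    "http://www.flexerasoftware.com0",
    "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d",
    "http://www.symauth.com/cps0(",
    "http://www.symauth.com/rpa00",
    "https://d.symcb.com/cps0%",
    "https://d.symcb.com/rpa0",
]

# Assumed patterns: file extensions and policy paths used by CRL/AIA/CPS links, and host
# labels of the CA infrastructure seen in this report.
PKI_PATH_RE = re.compile(r"(\.crl|\.crt|\.cer|/cps|/rpa)$", re.I)
PKI_HOST_RE = re.compile(r"(^|[.-])(crl|ocsp|aia|symcb|symcd|symauth)([.-]|$)", re.I)


def strip_der_tail(s):
    """Remove a trailing DER SEQUENCE tag ("0") and, when present, its one-byte length.
    Heuristic: only meaningful for strings lifted out of a certificate blob."""
    if len(s) >= 2 and s[-2] == "0":
        return s[:-2]          # tag plus a printable length byte, e.g. "0(" or "00"
    if s.endswith("0"):
        return s[:-1]          # tag alone; the length byte was not printable
    return s


def classify_url(url):
    """Return "pki" for certificate-chain URLs, "other" for anything an analyst should
    still review (vendor sites, error reporting, possible C2)."""
    parts = urlsplit(strip_der_tail(url))
    if PKI_PATH_RE.search(parts.path) or PKI_HOST_RE.search(parts.hostname or ""):
        return "pki"
    return "other"


def triage(urls):
    """Group cleaned URLs by class so the non-PKI remainder can be reviewed by hand."""
    out = {"pki": [], "other": []}
    for u in urls:
        out[classify_url(u)].append(strip_der_tail(u))
    return out


if __name__ == "__main__":
    for kind, items in triage(REPORT_URLS).items():
        print(f"{kind}: {len(items)}")
        for u in items:
            print("  ", u)
```

The practical follow-up for the dropped MSIF812.tmp is to verify its Authenticode signature on a Windows host (for example with Get-AuthenticodeSignature or signtool verify /pa) rather than to treat the CA hostnames as indicators; a valid signature from the expected publisher is the strongest evidence this report offers that the installer is what it claims to be.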

System Summary:

Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0131895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003E895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Detected potential crypto function
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012C9140
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0131015C
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0130E1E6
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012C9580
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012E2751
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012C9870
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012C6A40
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0130AD9A
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01310C3C
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003D5BD3
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003B2751
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003CACD1
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003DB6B4
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003E015C
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003E06CC
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003E0C3C
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_00399140
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_00399580
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_00399870
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003E1A3C
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003F1A30
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003E21B8
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003DE1E6
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_00396A40
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003DAD9A
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_00397162
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003973B5
Enables security privileges
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Security
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 012C25E0 appears 155 times
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 012CC6E1 appears 90 times
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 012D1D8B appears 31 times
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 012D15CB appears 32 times
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 01302842 appears 216 times
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 01302878 appears 75 times
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 01301423 appears 43 times
Source: C:\Users\user\Desktop\setup.exe | Code function: String function: 0130280F appears 214 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 0039C6E1 appears 109 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003D280F appears 302 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003925E0 appears 345 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003A15CB appears 41 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003D5630 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 00391070 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003D2842 appears 296 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003D1423 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003D1570 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003D2878 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: String function: 003A1D8B appears 39 times
PE file contains strange resources
Source: setup.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample reads its own file content
Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\Desktop\setup.exe
Tries to load missing DLLs
wow64log.dll does not ship with Windows; the WOW64 layer attempts to load it into every 32-bit process on 64-bit Windows, so the three wow64log.dll entries below are expected for any 32-bit binary and say nothing about the sample. The point worth checking on a real host is that no directory on the DLL search path is writable by a low-privileged user, because a planted wow64log.dll would be loaded by every 32-bit process.
Source: C:\Users\user\Desktop\setup.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: sus36.evad.winEXE@8/13@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0131895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003E895B GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012FFFF7 lstrcpyW,GetDiskFreeSpaceExW
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012F1AAB CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012D50E1 FindResourceW,LoadResource,SizeofResource,_memset,LockResource,_memmove,__CxxThrowException@8
Creates temporary files
Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Might use command line arguments
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: runfromtemp (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: Hs@ (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: eprq (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: debuglog (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: Setup.cpp (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: reboot (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: %s%s (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: tempdisk1folder (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: ISSetup.dll (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: Skin (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: Startup (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: setup.isn (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: Supported (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: Languages (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: %s\%s.ini (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: %s\%.04ld.mst (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: StartUp (2_2_003CACD1)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Command line argument: clone_wait (2_2_003CACD1)
PE file has an executable .text section and no other executable section
Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\setup.exe | File read: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\_ISMSIDEL.INI
Reads software policies
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe 'C:\Users\user\Desktop\setup.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe /q'C:\Users\user\Desktop\setup.exe' /tempdisk1folder'C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}' /IS_temp
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\MSIEXEC.EXE' /i 'C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\CDOROMv2.17.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='setup.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C8F4D588E0C1A72B91735367709D2197 C
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\explorer.exe
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe /q'C:\Users\user\Desktop\setup.exe' /tempdisk1folder'C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}' /IS_temp
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process created: C:\Windows\SysWOW64\msiexec.exe 'C:\Windows\system32\MSIEXEC.EXE' /i 'C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\CDOROMv2.17.msi' SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='setup.exe'
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\system32\explorer.exe
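The process tree above is the standard InstallShield bootstrapper sequence: the sample copies itself into a GUID-named folder under %TEMP%, relaunches that copy with /tempdisk1folder pointing at the folder, and the copy hands the extracted MSI to msiexec.exe with SETUPEXEDIR and SETUPEXENAME recording where the original setup.exe was started from. The switch names the sandbox recovered from function 2_2_003CACD1 (runfromtemp, tempdisk1folder, clone_wait, debuglog, reboot) are InstallShield setup.exe switches. What an analyst wants to confirm is that each stage ran from where the previous stage put it and that nothing was injected from elsewhere. The added example below (not Joe Sandbox or Flexera code) does that over command lines constructed from the entries above; it assumes the single-quote quoting the sandbox prints and compares folders by their GUID name because the report mixes the 8.3 form "user~1" with the long form "user".

```python
"""Check an InstallShield bootstrapper chain for consistency (added example, not sandbox code)."""
import ntpath
import re

# Constructed from the "Spawns processes" entries: (parent image, child image, command line).
PROCESS_EVENTS = [
    (None,
     r"C:\Users\user\Desktop\setup.exe",
     r"'C:\Users\user\Desktop\setup.exe'"),
    (r"C:\Users\user\Desktop\setup.exe",
     r"C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe",
     r"C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe "
     r"/q'C:\Users\user\Desktop\setup.exe' "
     r"/tempdisk1folder'C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}' /IS_temp"),
    (r"C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe",
     r"C:\Windows\SysWOW64\msiexec.exe",
     r"'C:\Windows\system32\MSIEXEC.EXE' /i "
     r"'C:\Users\user~1\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\CDOROMv2.17.msi' "
     r"SETUPEXEDIR='C:\Users\user\Desktop' SETUPEXENAME='setup.exe'"),
    (r"C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe",
     r"C:\Windows\SysWOW64\explorer.exe",
     r"C:\Windows\system32\explorer.exe"),
]

SWITCH_RE = re.compile(r"/(?P<name>[A-Za-z_0-9]+)(?:'(?P<value>[^']*)')?")
MSI_RE = re.compile(r"/i\s+'(?P<msi>[^']*)'", re.I)
PROP_RE = re.compile(r"(?P<key>[A-Z][A-Z0-9_]*)='(?P<value>[^']*)'")


def parse_installshield_switches(cmdline):
    """Return {switch: value or None} for the /switch'value' tokens after the image path."""
    body = cmdline.split(" ", 1)[1] if " " in cmdline else ""
    return {m.group("name").lower(): m.group("value") for m in SWITCH_RE.finditer(body)}


def parse_msiexec(cmdline):
    """Return (package path from /i, {PROPERTY: value}) for an msiexec command line."""
    m = MSI_RE.search(cmdline)
    return (m.group("msi") if m else None), dict(PROP_RE.findall(cmdline))


def folder_name(path):
    """Case-folded name of the directory holding path (the GUID folder in this report)."""
    return ntpath.basename(ntpath.dirname(path)).lower()


def check_bootstrapper_chain(events):
    """Walk original setup.exe -> temp setup.exe -> msiexec and report whether each stage
    runs out of the folder the previous stage declared."""
    findings = {"temp_folder": None, "switches": [], "child_in_temp_folder": False,
                "msi": None, "msi_in_temp_folder": False, "setupexe_matches_parent": False}
    original = None
    temp_dir = None
    for parent, image, cmdline in events:
        base = ntpath.basename(image).lower()
        if base == "setup.exe" and parent is None:
            original = image
        elif base == "setup.exe" and "tempdisk1folder" in cmdline.lower():
            switches = parse_installshield_switches(cmdline)
            temp_dir = switches.get("tempdisk1folder")
            findings["switches"] = sorted(switches)
            if temp_dir is not None:
                findings["temp_folder"] = ntpath.basename(temp_dir)
                findings["child_in_temp_folder"] = folder_name(image) == ntpath.basename(temp_dir).lower()
        elif base == "msiexec.exe" and "/i" in cmdline.lower():
            msi, props = parse_msiexec(cmdline)
            if msi is not None:
                findings["msi"] = ntpath.basename(msi)
                if temp_dir is not None:
                    findings["msi_in_temp_folder"] = folder_name(msi) == ntpath.basename(temp_dir).lower()
            rebuilt = ntpath.join(props.get("SETUPEXEDIR", ""), props.get("SETUPEXENAME", ""))
            findings["setupexe_matches_parent"] = original is not None and rebuilt.lower() == original.lower()
    return findings


if __name__ == "__main__":
    for key, value in check_bootstrapper_chain(PROCESS_EVENTS).items():
        print(f"{key}: {value}")
```

A chain where the MSI path or SETUPEXEDIR points outside the bootstrapper's temp folder, or where the temp copy's parent is not the original setup.exe, is the case that deserves attention; for this report all three checks hold, which is consistent with the suspicious-only verdict.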
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\msiexec.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Writes ini files
Source: C:\Users\user\Desktop\setup.exe | File written: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\_ISMSIDEL.INI
Found GUI installer (many successful clicks)
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Next >
Source: C:\Windows\SysWOW64\msiexec.exe | Automated click: Install
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: setup.exe | Static file information: File size 4681569 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: setup.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: setup.exe | Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb
PE file contains a valid data directory to section mapping
Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: setup.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01300314 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17
Uses code obfuscation techniques (call, push, ret)
A push ecx; ret tail is also how the MSVC CRT's __EH_epilog3 helper returns, and this binary uses the matching __EH_prolog3_GS (see the code-function listings above), so the two sites below are more likely compiler runtime code than deliberate obfuscation; treat this signature as weak on its own.
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_013027DD push ecx; ret 0_2_013027F0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01305675 push ecx; ret 0_2_01305688
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003D5675 push ecx; ret 2_2_003D5688
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003D27DD push ecx; ret 2_2_003D27F0

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIF812.tmp
Source: C:\Users\user\Desktop\setup.exe | File created: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
The helper names resolved in this function (RtlEncodePointer, __initp_misc_winsig) belong to the MSVC C runtime's start-up code, so the run of GetProcAddress calls is most likely the statically linked runtime resolving kernel32 exports at process start rather than sample-specific API hiding.
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003D5BD3 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (31 calls)
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Checks the free space of hard drives
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | File volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | File volume queried: C:\ FullSizeInformation (8 identical entries)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\setup.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-30143
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\setup.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_0-31349
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\setup.exe | API coverage: 9.9 %
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012EA5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW | 0_2_012EA5EF
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003BA5EF __EH_prolog3_GS,_memset,GetTempPathW,FindFirstFileW,CompareFileTime,DeleteFileW,FindNextFileW | 2_2_003BA5EF
Contains functionality to query system information
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012FE477 __EH_prolog3,CreateFileW,CreateFileMappingW,GetSystemInfo,MapViewOfFile,IsBadReadPtr,UnmapViewOfFile,MapViewOfFile,IsBadReadPtr,GetLastError | 0_2_012FE477
Program exit points
Source: C:\Users\user\Desktop\setup.exe | API call chain: ExitProcess graph end node | graph_0-30145

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_013070DD _memset,IsDebuggerPresent | 0_2_013070DD
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0130D67E EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_0130D67E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_01300314 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,#17 | 0_2_01300314
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012D9AD9 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree | 0_2_012D9AD9
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0130A9EE SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0130A9EE
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003DA9CB SetUnhandledExceptionFilter | 2_2_003DA9CB
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003DA9EE SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_003DA9EE

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Memory written: PID: 2872 base: 2EE0000 value: B8
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Memory written: PID: 2872 base: 2D8E2D8 value: 00
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Memory written: PID: 2872 base: 2D8F1E8 value: 00
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Memory written: PID: 2872 base: 2EBF120 value: 20
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 2EBF120
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003C997A __EH_prolog3_GS,_memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity | 2_2_003C997A
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0131CD79 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid | 0_2_0131CD79
May try to detect the Windows Explorer process (often used for injection)
Source: setup.exe | Binary or memory string: Shell_TrayWnd
Source: setup.exe, 00000000.00000000.628674418.0000000001336000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd0x0409
Source: setup.exe | Binary or memory string: AShell_TrayWnd0x0409
Source: setup.exe, 00000002.00000000.632310872.0000000000406000.00000002.00020000.sdmp | Binary or memory string: :Shell_TrayWnd0x0409

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale | 2_2_003CFC89
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: GetLocaleInfoW | 2_2_003CFD0E
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | Code function: 2_2_003D5263 cpuid | 2_2_003D5263
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0130D1E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_0130D1E8
Contains functionality to query Windows version
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_012E105E __EH_prolog3_GS,_memset,_memset,GetVersionExW,_memset,GetTempPathW,GetWindowsDirectoryW | 0_2_012E105E

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 151578 | Sample: setup.exe | Start date: 12/07/2019 | Architecture: WINDOWS | Score: 36

  • Node 2 (sample start) started setup.exe (node 6) and msiexec.exe (node 9)
  • setup.exe (node 6) dropped C:\Users\user\AppData\Local\...\setup.exe (PE32, node 19) and C:\Users\user\...\setup.exe:Zone.Identifier (ASCII, node 21); started setup.exe (node 11)
  • setup.exe (node 11) matched signatures "Injects code into the Windows Explorer (explorer.exe)" (node 25) and "Writes to foreign memory regions" (node 27); started msiexec.exe (node 14) and explorer.exe (node 17)
  • msiexec.exe (node 14) dropped C:\Users\user\AppData\Local\...\MSIF812.tmp (PE32, node 23)

Simulations

Behavior and APIs

Time | Type | Description
11:25:35 | API Interceptor | 3x Sleep call for process: setup.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
setup.exe | 1% | virustotal | (none)

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\MSIF812.tmp | 0% | virustotal | (none)
C:\Users\user\AppData\Local\Temp\MSIF812.tmp | 3% | metadefender | (none)
C:\Users\user\AppData\Local\Temp\{F869E3AB-B2FB-4B3B-80FE-200ABA12C095}\setup.exe | 1% | virustotal | (none)

Unpacked PE Files

Source | Detection | Scanner | Label
0.1.setup.exe.12c0000.0.unpack | 100% | Joe Sandbox ML | (none)
2.1.setup.exe.390000.0.unpack | 100% | Joe Sandbox ML | (none)

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails
