Windows Analysis Report setup.exe

Overview

General Information

Sample Name: setup.exe
Analysis ID: 502663
MD5: fe5c2e1333b4477d029dedc9c1b5dd4d
SHA1: ce7e5a597b98eb1ec36a48e4368997b787228544
SHA256: fc91558efb40b16dd9f6b0e93c972a0f1ff85cad3ddefdd7028c2628d75a9ab9

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Uses 32bit PE files
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)

Compliance:

Uses 32bit PE files
Source: setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED
Source: Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00531CB0 FindFirstFileW,FindClose, 0_2_00531CB0
Source: setup.exe String found in binary or memory: http://apache.org/xml/UknownNS
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/calculate-src-ofs
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/disable-default-entity-resolution
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/dom-has-psvi-info
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/dom/byte-order-mark
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/dom/user-adopts-DOMDocument
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/schema/ignore-annotations
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation-error-as-fatal
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/cache-grammarFromParse
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checking
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/ignoreCachedDTD
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/schema/skip-dtd-validation
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/validation/use-cachedGrammarInParse
Source: setup.exe String found in binary or memory: http://apache.org/xml/messages/XML4CErrors
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: setup.exe String found in binary or memory: http://apache.org/xml/messages/XMLDOMMsg
Source: setup.exe String found in binary or memory: http://apache.org/xml/messages/XMLErrors
Source: setup.exe String found in binary or memory: http://apache.org/xml/messages/XMLValidity
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml
Source: setup.exe String found in binary or memory: http://apache.org/xml/parser-use-DOMDocument-from-Implementation
Source: setup.exe String found in binary or memory: http://apache.org/xml/properties/scannerName
Source: setup.exe String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: setup.exe String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: setup.exe String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: setup.exe, setup.exe, 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartup
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartupSOFTWARE
Source: setup.exe, setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp String found in binary or memory: http://digital.ni.com/express.nsf/bycode/exke86
Source: setup.exe String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: setup.exe String found in binary or memory: http://xml.org/sax/features/namespaces
Source: setup.exe String found in binary or memory: http://xml.org/sax/features/validation

System Summary:

Uses 32bit PE files
Source: setup.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED
PE file contains strange resources
Source: setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_005780FA 0_2_005780FA
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_005713F0 0_2_005713F0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00587710 0_2_00587710
PE file contains executable resources (Code or Archives)
Source: setup.exe Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: setup.exe Static PE information: Resource name: RT_GROUP_CURSOR type: unicos (cray) executable
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_005F67C0 FormatMessageW,GetLastError, 0_2_005F67C0
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0053F498 FindResourceW,LoadResource,LockResource,FreeResource, 0_2_0053F498
Source: setup.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: setup.exe String found in binary or memory: jp-ocr-b-add
Source: setup.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: setup.exe String found in binary or memory: jp-ocr-hand-add
Source: setup.exe String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: setup.exe String found in binary or memory: pre-install
Source: setup.exe String found in binary or memory: ISO_6937-2-add
Source: setup.exe String found in binary or memory: The host/address '{0}' could not be resolved
Source: setup.exe String found in binary or memory: "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe String found in binary or memory: NATS-SEFI-ADD
Source: setup.exe String found in binary or memory: NATS-DANO-ADD
Source: setup.exe String found in binary or memory: "%s" -v -startDir "%s" -xmlPath "%s"
Source: setup.exe String found in binary or memory: "%s" -filePath "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe String found in binary or memory: User agreed to pre-install.
Source: setup.exe String found in binary or memory: .NET 3.5 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe String found in binary or memory: .NET 3.5 pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe String found in binary or memory: .NET 3.5 pre-install is not required on this OS -- nothing to do.
Source: setup.exe String found in binary or memory: .NET 3.5 not in distribution or pre-install disabled -- nothing to do.
Source: setup.exe String found in binary or memory: .NET 4.0 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe String found in binary or memory: .NET 4.x pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe String found in binary or memory: .NET 4.5.x or 4.6.x install requested, but we are on Server 2003 or XP. Skipping pre-install so that the distribution launch (or m
Source: setup.exe String found in binary or memory: .NET 4.x not in distribution or pre-install disabled -- nothing to do.
Source: classification engine Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: setup.exe Static file information: File size 1466368 > 1048576
Source: setup.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x144200
Source: Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0057683A push ecx; ret 0_2_0057684D
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00576B39 push ecx; ret 0_2_00576B4C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0058D233 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0058D233
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00538C8C MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00538C8C
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\setup.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\setup.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00531CB0 FindFirstFileW,FindClose, 0_2_00531CB0
Source: setup.exe Binary or memory string: hGfsu

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00570867 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00570867
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0058D233 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0058D233
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00570867 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00570867
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0056F98F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0056F98F

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoA, 0_2_0059B90E
Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoW, 0_2_005E9980
Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoA, 0_2_005981A5
Source: C:\Users\user\Desktop\setup.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_005972AD
Source: C:\Users\user\Desktop\setup.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_00597350
Source: C:\Users\user\Desktop\setup.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_00597314
Source: C:\Users\user\Desktop\setup.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_00596DCB
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_005319A0 GetVersionExW, 0_2_005319A0
No contacted IP infos