Windows Analysis Report setup.exe

Overview

General Information

Sample Name: setup.exe
Analysis ID: 502663
MD5: fe5c2e1333b4477d029dedc9c1b5dd4d
SHA1: ce7e5a597b98eb1ec36a48e4368997b787228544
SHA256: fc91558efb40b16dd9f6b0e93c972a0f1ff85cad3ddefdd7028c2628d75a9ab9

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Uses 32bit PE files
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)

Process Tree

  • System is w10x64
  • setup.exe (PID: 7152 cmdline: 'C:\Users\user\Desktop\setup.exe' MD5: FE5C2E1333B4477D029DEDC9C1B5DD4D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: setup.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED
Source: Binary string: c:\P4\NIInstallers\trunk\17.5\src\MetaInstaller\Unicode_Release\setup.pdb source: setup.exe, 00000000.00000002.306404235.00000000007E7000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00531CB0 FindFirstFileW,FindClose,0_2_00531CB0
Source: setup.exe | String found in binary or memory: http://apache.org/xml/UknownNS
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://apache.org/xml/UknownNSUCS4UCS-4UCS_4UCS-4
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/calculate-src-ofs
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/disable-default-entity-resolution
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/dom-has-psvi-info
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/dom/byte-order-mark
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/dom/user-adopts-DOMDocument
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/schema/ignore-annotations
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation-error-as-fatal
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/cache-grammarFromParse
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checking
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/ignoreCachedDTD
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/schema/skip-dtd-validation
Source: setup.exe | String found in binary or memory: http://apache.org/xml/features/validation/use-cachedGrammarInParse
Source: setup.exe | String found in binary or memory: http://apache.org/xml/messages/XML4CErrors
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://apache.org/xml/messages/XML4CErrors#FIXEDEBCDIC-CP-USIBM037IBM1047IBM-1047IBM1140IBM01140CCSI
Source: setup.exe | String found in binary or memory: http://apache.org/xml/messages/XMLDOMMsg
Source: setup.exe | String found in binary or memory: http://apache.org/xml/messages/XMLErrors
Source: setup.exe | String found in binary or memory: http://apache.org/xml/messages/XMLValidity
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://apache.org/xml/messages/XMLValidityWINDOWS-1252XERCES-XMLCHxmlxml
Source: setup.exe | String found in binary or memory: http://apache.org/xml/parser-use-DOMDocument-from-Implementation
Source: setup.exe | String found in binary or memory: http://apache.org/xml/properties/scannerName
Source: setup.exe | String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: setup.exe | String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: setup.exe | String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: setup.exe, setup.exe, 00000000.00000002.306500404.00000000008EB000.00000040.00020000.sdmp | String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartup
Source: setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://digital.ni.com/express.nsf/bycode/WinFastStartupSOFTWARE
Source: setup.exe, setup.exe, 00000000.00000002.306026068.0000000000401000.00000040.00020000.sdmp | String found in binary or memory: http://digital.ni.com/express.nsf/bycode/exke86
Source: setup.exe | String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: setup.exe | String found in binary or memory: http://xml.org/sax/features/namespaces
Source: setup.exe | String found in binary or memory: http://xml.org/sax/features/validation
Source: setup.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: setup.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_005780FA 0_2_005780FA
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_005713F0 0_2_005713F0
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00587710 0_2_00587710
Source: setup.exe | Static PE information: Resource name: RT_ICON type: COM executable for DOS
Source: setup.exe | Static PE information: Resource name: RT_GROUP_CURSOR type: unicos (cray) executable
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_005F67C0 FormatMessageW,GetLastError,0_2_005F67C0
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0053F498 FindResourceW,LoadResource,LockResource,FreeResource,0_2_0053F498
Source: setup.exe | String found in binary or memory: JIS_C6229-1984-b-add
Source: setup.exe | String found in binary or memory: jp-ocr-b-add
Source: setup.exe | String found in binary or memory: JIS_C6229-1984-hand-add
Source: setup.exe | String found in binary or memory: jp-ocr-hand-add
Source: setup.exe | String found in binary or memory: pre-install
Source: setup.exe | String found in binary or memory: ISO_6937-2-add
Source: setup.exe | String found in binary or memory: The host/address '{0}' could not be resolved
Source: setup.exe | String found in binary or memory: "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe | String found in binary or memory: NATS-SEFI-ADD
Source: setup.exe | String found in binary or memory: NATS-DANO-ADD
Source: setup.exe | String found in binary or memory: "%s" -v -startDir "%s" -xmlPath "%s"
Source: setup.exe | String found in binary or memory: "%s" -filePath "%s" -startDir "%s" -xmlPath "%s"
Source: setup.exe | String found in binary or memory: User agreed to pre-install.
Source: setup.exe | String found in binary or memory: .NET 3.5 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe | String found in binary or memory: .NET 3.5 pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe | String found in binary or memory: .NET 3.5 pre-install is not required on this OS -- nothing to do.
Source: setup.exe | String found in binary or memory: .NET 3.5 not in distribution or pre-install disabled -- nothing to do.
Source: setup.exe | String found in binary or memory: .NET 4.0 pre-install is needed, but user denied the prompt to install. Cannot continue - exiting.
Source: setup.exe | String found in binary or memory: .NET 4.x pre-install is disabled via command-line or setup.ini flag -- nothing to do.
Source: setup.exe | String found in binary or memory: .NET 4.5.x or 4.6.x install requested, but we are on Server 2003 or XP. Skipping pre-install so that the distribution launch (or m
Source: setup.exe | String found in binary or memory: .NET 4.x not in distribution or pre-install disabled -- nothing to do.
Source: classification engine | Classification label: clean5.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\setup.exe | File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: setup.exe | Static file information: File size 1466368 > 1048576
Source: setup.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x144200
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0057683A push ecx; ret 0_2_0057684D
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00576B39 push ecx; ret 0_2_00576B4C
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0058D233 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0058D233
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00538C8C MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,0_2_00538C8C
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\setup.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-11812
Source: C:\Users\user\Desktop\setup.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-11915
Source: setup.exe | Binary or memory string: hGfsu
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_00570867 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00570867
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_0056F98F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0056F98F
Source: C:\Users\user\Desktop\setup.exe | Code function: GetLocaleInfoA,0_2_0059B90E
Source: C:\Users\user\Desktop\setup.exe | Code function: GetLocaleInfoW,0_2_005E9980
Source: C:\Users\user\Desktop\setup.exe | Code function: GetLocaleInfoA,0_2_005981A5
Source: C:\Users\user\Desktop\setup.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_005972AD
Source: C:\Users\user\Desktop\setup.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,0_2_00597350
Source: C:\Users\user\Desktop\setup.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,0_2_00597314
Source: C:\Users\user\Desktop\setup.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,0_2_00596DCB
Source: C:\Users\user\Desktop\setup.exe | Code function: 0_2_005319A0 GetVersionExW,0_2_005319A0

Mitre Att&ck Matrix

Numbers in parentheses are the count of matched signatures mapped to that technique; cells without a number are matrix placeholders with no match.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter (2) | Path Interception | Path Interception | Software Packing (1) | OS Credential Dumping | Security Software Discovery (11) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (2) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information (11) | LSASS Memory | Application Window Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery (12) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |

Behavior Graph
