File name: | Setup.exe |
Full analysis: | https://app.any.run/tasks/543ecf88-771d-4ed1-98d0-d63bffd95f84 |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 20:33:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | 01FB3A1AB79AC7A0BF4A8B3162E1B986 |
SHA1: | E066CA7F11F24BB8D69DE0C91787DA0A40BCD72D |
SHA256: | D55B033BEBC166F806EB70BEC8BCC3AD1DE10A01368ABB16F0B03AB87E0180E8 |
SSDEEP: | 196608:dtQxECTP5u7r8qxHN3Uu9mfu/Tf+kUS2j+lUPWuCZk3KkgM5vSwR:fQSCFIr8qBGOdTPUS2yyPW9aKtwR |
.exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
---|---|---|
.exe | | | Win64 Executable (generic) (37.3) |
.dll | | | Win32 Dynamic Link Library (generic) (8.8) |
.exe | | | Win32 Executable (generic) (6) |
.exe | | | Generic Win/DOS Executable (2.7) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2020-Aug-01 02:44:50 |
Detected languages: |
|
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 200 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 5 |
TimeDateStamp: | 2020-Aug-01 02:44:50 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 25687 | 26112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.43499 |
.rdata | 32768 | 4992 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.261 |
.data | 40960 | 152888 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.13373 |
.ndata | 196608 | 40960 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rsrc | 237568 | 118976 | 119296 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.66514 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.07519 | 67624 | UNKNOWN | English - United States | RT_ICON |
2 | 5.18057 | 16936 | UNKNOWN | English - United States | RT_ICON |
3 | 7.94338 | 13784 | UNKNOWN | English - United States | RT_ICON |
4 | 5.11861 | 9640 | UNKNOWN | English - United States | RT_ICON |
5 | 5.28543 | 4264 | UNKNOWN | English - United States | RT_ICON |
6 | 5.42544 | 1128 | UNKNOWN | English - United States | RT_ICON |
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON |
103 | 2.56193 | 288 | UNKNOWN | English - United States | RT_DIALOG |
104 | 2.70411 | 344 | UNKNOWN | English - United States | RT_DIALOG |
105 | 2.67385 | 512 | UNKNOWN | English - United States | RT_DIALOG |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3732 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | Explorer.EXE | |
User: admin Integrity Level: HIGH |
PID | Process | Filename | Type | |
---|---|---|---|---|
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\splash.wav | — | |
MD5:— | SHA256:— | |||
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\splash.bmp | image | |
MD5:8DE8DACFB539F3795A40A0344ADD874B | SHA256:526FDB4C3784634D03C3E3F5E14B63AAAC55AAF4069B9E4D733BC1DA4C1CD242 | |||
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\modern-wizard.bmp | image | |
MD5:9994112337B6672B057A05C3339DA647 | SHA256:55B8B46240070CED644869256F98E8971769345DF79B135113FFC49AD9DC971E | |||
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\modern-header.bmp | image | |
MD5:25B91B6F3AF1488564AD7E372B1D1E84 | SHA256:2DDB4262EAEDC9152265BD9220BAE4E228DD666CED244590AE5B674C84F6270F | |||
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\ioSpecial.ini | ini | |
MD5:E2D5070BC28DB1AC745613689FF86067 | SHA256:D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0 | |||
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\InstallOptions.dll | executable | |
MD5:5F35212D7E90EE622B10BE39B09BD270 | SHA256:31944B93E44301974D9C6F810D2DA792E34A53DCACD619A08CB0385AC59E513D | |||
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\Banner.dll | executable | |
MD5:AC369CD93AAB6FD9999E6279386782F5 | SHA256:B20C56EC29AE7CA9DB8AB7F65928CE5783EBCA3AD7E47AB26952A5A0F377D565 | |||
3732 | Setup.exe | C:\Users\admin\AppData\Local\Temp\nsjAEA0.tmp\advsplash.dll | executable | |
MD5:176EC6DC75972CE900793396723ED374 | SHA256:F568EBB5792B5054CD871CBE128E6F409B097E79BE7366D409189E0A1C1F9F83 |