File name: setup.exe

Full analysis: https://app.any.run/tasks/b493ba2c-cff1-4c8a-844c-5fe72f6d7cd4
Verdict: Malicious activity
Analysis date: October 05, 2022, 00:55:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D2EA92875A1B9A5BDCCF966F17C545B7
SHA1: 40D18FCEBC8105512369910D9F30C95C24B53CFD
SHA256: E94A49E237EC3C99ABEAB49A8A676073D31F9BE841D4A38AFC555EC90893EFCF
SSDEEP: 49152:MDyo7MklXa+1NI9ZTSTIlqBbjbETbmjCg4:DOMklq+1NIoNj+byCj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • msiexec.exe (PID: 2824)
    • Loads dropped or rewritten executable

      • GCloud.exe (PID: 2668)
    • Application was dropped or rewritten from another process

      • GCloud.exe (PID: 2668)
  • SUSPICIOUS

    • Checks supported languages

      • setup.exe (PID: 3904)
      • msiexec.exe (PID: 2824)
      • MsiExec.exe (PID: 3848)
      • GCloud.exe (PID: 2668)
    • Reads the computer name

      • msiexec.exe (PID: 2824)
      • setup.exe (PID: 3904)
      • MsiExec.exe (PID: 3848)
      • GCloud.exe (PID: 2668)
    • Reads Windows owner or organization settings

      • MSIEXEC.EXE (PID: 2880)
      • msiexec.exe (PID: 2824)
    • Starts Microsoft Installer

      • setup.exe (PID: 3904)
    • Executable content was dropped or overwritten

      • setup.exe (PID: 3904)
      • msiexec.exe (PID: 2824)
    • Executed as Windows Service

      • vssvc.exe (PID: 1388)
      • GCloud.exe (PID: 2668)
    • Reads the Windows organization settings

      • MSIEXEC.EXE (PID: 2880)
      • msiexec.exe (PID: 2824)
    • Reads Environment values

      • vssvc.exe (PID: 1388)
      • Netsh.exe (PID: 2768)
      • GCloud.exe (PID: 2668)
    • Creates a directory in Program Files

      • msiexec.exe (PID: 2824)
    • Drops a file with a compile date too recent

      • msiexec.exe (PID: 2824)
    • Uses NETSH.EXE for network configuration

      • GCloud.exe (PID: 2668)
  • INFO

    • Checks supported languages

      • MSIEXEC.EXE (PID: 2880)
      • vssvc.exe (PID: 1388)
      • Netsh.exe (PID: 2768)
    • Reads the computer name

      • MSIEXEC.EXE (PID: 2880)
      • vssvc.exe (PID: 1388)
      • Netsh.exe (PID: 2768)
    • Application launched itself

      • msiexec.exe (PID: 2824)
    • Creates files in the program directory

      • msiexec.exe (PID: 2824)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2824)
    • Searches for installed software

      • msiexec.exe (PID: 2824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (56.1)
.scr | Windows screen saver (26.6)
.exe | Win32 Executable (generic) (9.1)
.exe | Generic Win/DOS Executable (4)
.exe | DOS Executable Generic (4)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2015-Sep-09 05:59:06
Detected languages:
  • English - United States
Debug artifacts:
  • C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb
CompanyName: GIGABYTE
FileDescription: Setup Launcher Unicode
FileVersion: 1.19.0624.1
InternalName: Setup
LegalCopyright: Copyright (c) 2015 Flexera Software LLC. All Rights Reserved.
OriginalFilename: InstallShield Setup.exe
ProductName: GService
ProductVersion: 1.19.0624.1
Internal Build Number: 158438
ISInternalVersion: 22.0.347
ISInternalDescription: Setup Launcher Unicode

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 4
TimeDateStamp: 2015-Sep-09 05:59:06
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 734341 | 734720 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.58334
.rdata | 741376 | 221704 | 222208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.10399
.data | 966656 | 35896 | 9728 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.50984
.rsrc | 1003520 | 324916 | 325120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.62524

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.27303 | 1640 | Latin 1 / Western European | UNKNOWN | RT_ICON
2 | 3.835 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON
3 | 3.35696 | 296 | Latin 1 / Western European | UNKNOWN | RT_ICON
4 | 6.14965 | 3752 | Latin 1 / Western European | UNKNOWN | RT_ICON
5 | 6.18448 | 2216 | Latin 1 / Western European | UNKNOWN | RT_ICON
6 | 4.85842 | 1384 | Latin 1 / Western European | UNKNOWN | RT_ICON
7 | 5.57777 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON
8 | 5.81004 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON
9 | 6.06596 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON
10 | 3.22977 | 744 | Latin 1 / Western European | UNKNOWN | RT_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
VERSION.dll
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Graph nodes (the interactive graph is not reproduced here): setup.exe, setup.exe, msiexec.exe, msiexec.exe, vssvc.exe, msiexec.exe, gcloud.exe, netsh.exe

Process information

PID: 1968
CMD: "C:\Users\admin\AppData\Local\Temp\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\setup.exe
Parent process: Explorer.EXE
User: admin
Company: GIGABYTE
Integrity Level: MEDIUM
Description: Setup Launcher Unicode
Exit code: 3221226540
Version: 1.19.0624.1

PID: 3904
CMD: "C:\Users\admin\AppData\Local\Temp\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\setup.exe
Parent process: Explorer.EXE
User: admin
Company: GIGABYTE
Integrity Level: HIGH
Description: Setup Launcher Unicode
Exit code: 0
Version: 1.19.0624.1

PID: 2880
CMD: MSIEXEC.EXE /i "C:\Users\admin\AppData\Local\Downloaded Installations\{89481967-8BEF-4362-BA5A-D05CF787E272}\GService.msi" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
Path: C:\Windows\system32\MSIEXEC.EXE
Parent process: setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2824
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 1388
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3848
CMD: C:\Windows\system32\MsiExec.exe -Embedding 74D05718AD9689AA712B56A42EB285F8
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2668
CMD: "C:\Program Files\GIGABYTE\GService\GCloud.exe"
Path: C:\Program Files\GIGABYTE\GService\GCloud.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft
Integrity Level: SYSTEM
Description: GCloud
Version: 1.0.0.0

PID: 2768
CMD: "Netsh.exe" advfirewall firewall add rule name="allow 9009" protocol=TCP dir=in localport=9009 action=allow
Path: C:\Windows\system32\Netsh.exe
Parent process: GCloud.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 11 484
Read events: 11 181
Write events: 101
Delete events: 0

Modification events

Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000001CB4A82E55D8D801080B0000F0050000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000001CB4A82E55D8D801080B0000F0050000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 69

Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 40000000000000009A13E92E55D8D801080B0000F0050000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (2824) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000F475EB2E55D8D801080B0000800C0000E803000001000000000000000000000042A179B64970064E94A30410F1BC18760000000000000000

Process: (1388) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000B661F72E55D8D8016C050000380D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

Process: (1388) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000B661F72E55D8D8016C050000B40E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

Process: (1388) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000B661F72E55D8D8016C0500000C0D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

Process: (1388) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000B661F72E55D8D8016C050000140F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

Process: (1388) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 4000000000000000C488FE2E55D8D8016C0500000C0D0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files: 11
Suspicious files: 6
Text files: 10
Unknown types: 3

Dropped files

PID | Process | Filename | Type
2824 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 |
MD5:
SHA256:
2824 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary
MD5: C2E070F3A42CBB9B31A1A2B5522048FC
SHA256: E90B9934A71CB58B216392055C7C2F81C1ADBF18962AA58D519C9A42AC6F0B04
3904 | setup.exe | C:\Users\admin\AppData\Local\Downloaded Installations\{89481967-8BEF-4362-BA5A-D05CF787E272}\GService.msi | executable
MD5: 848B61A206614812B66CA9B43B2C05C5
SHA256: 9D791CD97730F263A109D0AA0BFD5BCC14892ABE6E84B192EBF966CC62C1C37B
2824 | msiexec.exe | C:\Windows\Installer\dc8af.msi | executable
MD5: 848B61A206614812B66CA9B43B2C05C5
SHA256: 9D791CD97730F263A109D0AA0BFD5BCC14892ABE6E84B192EBF966CC62C1C37B
2824 | msiexec.exe | C:\Program Files\GIGABYTE\GService\Upfail.xml | xml
MD5: 63A5644C1111C0D4FB99C49B6867D508
SHA256: 4C3106D22F6700C15F58493DDC908FF4A79268151E94668D0F118E04A74B9FA3
3904 | setup.exe | C:\Users\admin\AppData\Local\Temp\{C03AD033-C676-4914-94AC-981C80F00D28}\GService.msi | executable
MD5: 848B61A206614812B66CA9B43B2C05C5
SHA256: 9D791CD97730F263A109D0AA0BFD5BCC14892ABE6E84B192EBF966CC62C1C37B
2824 | msiexec.exe | C:\Windows\Installer\MSICA47.tmp | binary
MD5: A0FB8E14E33B20C617E9B0BAF35FD866
SHA256: 9AA63E18BB576A4E0DE95791588A446C6864DD3A45E89E0228117E723B803E32
2824 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF352D05B47C385612.TMP | gmc
MD5: 946D6C588BC8B060347379AD9330D1CB
SHA256: 0988B77B7EF92ADEB7C4DA8BD0CEDC8B0CE84913289F9893C386A880DC6E12A4
2824 | msiexec.exe | C:\Program Files\GIGABYTE\GService\RGB.xml | xml
MD5: 41C7868AD2BA61D7A1A709E362AEBC58
SHA256: 3EA92B7FE1AFEB46859D1C72DAEDD79BA3B6F8AB6117EA0C1ADA12D266ECFB8F
2824 | msiexec.exe | C:\Program Files\GIGABYTE\GService\RGB_Set.xml | xml
MD5: 777466184C20F81CB178BB5F14E85EBF
SHA256: 36013C918CEBE7810C157966B22B77CD912C4ECE4F1E33EC55B6DFDCA4FE0B7D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info