Analysis Report Setup.exe

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:825331
Start date:26.03.2019
Start time:15:20:32
Joe Sandbox Product:Cloud
Overall analysis duration:0h 12m 5s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Setup.exe
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 7 x64 (Office 2003 SP3, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 41, Firefox 36)
Number of new started processes analysed:19
Number of new started drivers analysed:1
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal68.evad.winEXE@13/20@7/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 98.9% (good quality ratio 94.9%)
  • Quality average: 82.1%
  • Quality standard deviation: 25.6%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): wmpnscfg.exe, dllhost.exe, WMIADAP.exe, conhost.exe, mscorsvw.exe, VSSVC.exe, svchost.exe, mobsync.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtFsControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: infinstaller.exe

Detection

Strategy:Threshold
Score:68
Range:0 - 100
Reporting:Report FP / FN
Whitelisted:false
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command-Line Interface 1; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Bootkit 1; Modify Existing Service 2; New Service 1; System Firmware
Privilege Escalation: Process Injection 1; New Service 1; Path Interception; DLL Search Order Hijacking
Defense Evasion: Disabling Security Tools 21; Process Injection 1; Obfuscated Files or Information 2; Obfuscated Files or Information
Credential Access: Input Capture 11; Network Sniffing; Input Capture; Credentials in Files
Discovery: Account Discovery 1; Security Software Discovery 21; Remote System Discovery 1; System Information Discovery 23
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture 11; Clipboard Data 1; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Multiband Communication

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: asushotfix.com; virustotal: Detection: 13%
Multi AV Scanner detection for submitted file
Source: Setup.exe; virustotal: Detection: 41%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_01272650 FindFirstFileW,FindClose,16_2_01272650
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_01272B00 _memset,_memset,SHGetSpecialFolderPathW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,CoInitialize,CoCreateInstance,_wcsnlen,GetCurrentProcessId,EnumWindows,SHDeleteValueW,CoUninitialize,DeleteFileW,wsprintfW,RemoveDirectoryW,RemoveDirectoryW,wsprintfW,RemoveDirectoryW,FindClose,SHDeleteKeyW,SHDeleteKeyW,SHDeleteKeyW,16_2_01272B00

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2027109 ET TROJAN ShadowHammer DNS Lookup 192.168.1.13:61365 -> 8.8.8.8:53
Found strings which match to known social media urls
Source: infinstaller.exe, 00000005.00000002.653565680.00000000004AD000.00000004.sdmp; String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: dns.msftncsi.com
Urls found in memory or binary data
Source: Setup.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Setup.exe; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: infinstaller.exe, 00000005.00000002.658715071.000000001BED0000.00000004.sdmp, drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: Setup.exe; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Setup.exe; String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Setup.exe; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Setup.exe; String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: drvinst.exe, 0000000B.00000002.617547657.000000000009E000.00000004.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: drvinst.exe, 0000000B.00000002.617547657.000000000009E000.00000004.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en008R2
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: Setup.exe; String found in binary or memory: http://ocsp.digicert.com0C
Source: Setup.exe; String found in binary or memory: http://ocsp.digicert.com0N
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://ocsp.ver
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Setup.exe, 00000010.00000002.745599656.0000000000691000.00000004.sdmp; String found in binary or memory: https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873
Source: Setup.exe, 00000010.00000002.745599656.0000000000691000.00000004.sdmp; String found in binary or memory: https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873rj
Source: drvinst.exe, 0000000B.00000002.618771824.0000000000108000.00000004.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
Source: Setup.exe; String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_012E4052 __EH_prolog3_catch_GS,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,16_2_012E4052
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_012DC0F5 GetAsyncKeyState,16_2_012DC0F5

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Windows\System32\drvinst.exe; File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFEB9.tmp
Source: C:\Windows\System32\7za.exe; File created: C:\Users\user\Downloads\net\netvirtnet64.cat
Source: C:\Users\user\Downloads\net\infinstaller.exe; File created: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD71.tmp

System Summary:

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\System32\7za.exe; Memory allocated: 776C0000 page execute and read and write
Source: C:\Windows\System32\7za.exe; Memory allocated: 775C0000 page execute and read and write
Source: C:\Users\user\Downloads\Setup.exe; Memory allocated: 776C0000 page execute and read and write
Source: C:\Users\user\Downloads\Setup.exe; Memory allocated: 775C0000 page execute and read and write
Creates driver files
Source: C:\Windows\System32\7za.exe; File created: C:\Users\user\Downloads\net\virtnet.sys
Creates files inside the driver directory
Source: C:\Windows\System32\drvinst.exe; File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}
Creates files inside the system directory
Source: C:\Windows\System32\drvinst.exe; File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}
Creates mutexes
Source: C:\Windows\System32\drvinst.exe; Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Deletes files inside the Windows folder
Source: C:\Windows\System32\drvinst.exe; File deleted: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFEB9.tmp
Detected potential crypto function
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_01273800 16_2_01273800
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_0136C3B9 16_2_0136C3B9
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_012D674A 16_2_012D674A
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_012A29FD 16_2_012A29FD
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_012D4B8A 16_2_012D4B8A
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_012FCEB8 16_2_012FCEB8
Enables driver privileges
Source: C:\Users\user\Downloads\net\infinstaller.exe; Process token adjusted: Load Driver
Found potential string decryption / allocating functions
Source: C:\Users\user\Downloads\Setup.exe; Code function: String function: 0136966A appears 74 times
Source: C:\Users\user\Downloads\Setup.exe; Code function: String function: 01271680 appears 33 times
Source: C:\Users\user\Downloads\Setup.exe; Code function: String function: 01369601 appears 200 times
PE file contains strange resources
Source: Setup.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: infinstaller.exe.4.dr; Static PE information: No import functions for PE file found
Reads the hosts file
Source: C:\Users\user\Downloads\Setup.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Downloads\Setup.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Downloads\Setup.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample file is different than original file name gathered from version info
Source: Setup.exe, 00000010.00000001.737819959.00000000013DE000.00000002.sdmp; Binary or memory string: OriginalFilenameSelfUpdt.EXE vs Setup.exe
Source: Setup.exe, 00000010.00000002.745148975.0000000000150000.00000008.sdmp; Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs Setup.exe
Source: Setup.exe; Binary or memory string: OriginalFilenameSelfUpdt.EXE vs Setup.exe
Spawns drivers
Source: unknown; Driver loaded: C:\Windows\system32\DRIVERS\virtnet.sys
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: metadata-2.6.dr; Binary string: buttonup_off.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.6.dr; Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.6.dr; Binary string: acxtrnal.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.6.dr; Binary string: sbdrop.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.6.dr; Binary string: system.web.dynamicdata.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.6.dr; Binary string: system.addin.contract.dll22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.6.dr; Binary string: wmplayer.exe.mui22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Classification label
Source: classification engine; Classification label: mal68.evad.winEXE@13/20@7/2
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_01274480 SetFileAttributesW,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetTokenInformation,SetSecurityDescriptorOwner,SetFileSecurityW,AdjustTokenPrivileges,GetLastError,16_2_01274480
Contains functionality to instantiate COM classes
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_0127E37E CoInitialize,CoCreateInstance,16_2_0127E37E
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Downloads\Setup.exe; Code function: 16_2_012865DC FindResourceW,LoadResource,LockResource,FreeResource,16_2_012865DC
Creates files inside the user directory
Source: C:\Windows\System32\7za.exe; File created: C:\Users\user\Downloads\net
Creates temporary files
Source: C:\Users\user\Downloads\net\infinstaller.exe; File created: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}
Found command line output
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..............................................l.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..............................................h.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..........................D.5.................`.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................4..........................D.5.................`.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ..................................7.....(.P..............................5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.................v.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.................R.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................#5..........................D.5.................V.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................)5..........................D.5.................X.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ..................................7.....(.P............................./5..........................D.5.................n.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................55..........................D.5.................v.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................@5..........................D.5.................R.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................F5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................L5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................R5..........................D.5.................V.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................X5..........................D.5.................X.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ..................................7.....(.P.............................^5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................d5..........................D.5.................v.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................j5..........................D.5.................R.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................p5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................v5..........................D.5.........................(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P.............................|5..........................D.5.................V.......(...............Jump to behavior
Source: C:\Windows\System32\ipconfig.exeConsole Write: ................................0.6.....(.P..............................5..........................D.5.................X.......(...............Jump to behavior
PE file has an executable .text section and no other executable section
Source: Setup.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Downloads\net\infinstaller.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f89061884b75dab0e3967d7221e5290d\mscorlib.ni.dll
Reads ini files
Source: C:\Users\user\Downloads\Setup.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\7za.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Sample is known by Antivirus
Source: Setup.exe | virustotal: Detection: 41%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe'
Source: unknown | Process created: C:\Windows\System32\7za.exe 7za x net.zip
Source: unknown | Process created: C:\Users\user\Downloads\net\infinstaller.exe infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf
Source: unknown | Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '4' '0' 'C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\netvirtnet1.inf' '9' '6cfbba9e7' '00000000000003E4' 'WinSta0\Default' '00000000000005C8' '208' 'c:\users\user\downloads\net'
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Source: unknown | Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '2' '211' 'ROOT\NET\0000' 'C:\Windows\INF\oem4.inf' 'netvirtnet1.inf:NTKR.NTAMD64:*virtnet.ndi:1.0.0.0:*nm_virtnet' '6cfbba9e7' '00000000000003E4' '00000000000005D0' '0000000000000570'
Source: unknown | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: unknown | Process created: C:\Users\user\Downloads\Setup.exe Setup.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\7za.exe 7za x net.zip
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Downloads\net\infinstaller.exe infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Downloads\Setup.exe Setup.exe
Source: C:\Windows\System32\drvinst.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\drvinst.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B966436-6781-4906-8035-9AF94B32C3F7}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
PE file has a big code size
Source: Setup.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Submission file is bigger than most known malware samples
Source: Setup.exe | Static file information: File size 3333936 > 1048576
PE file has a big raw section
Source: Setup.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11aa00
Source: Setup.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1a0600
PE file imports many functions
Source: Setup.exe | Static PE information: More than 200 imports for USER32.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Setup.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: D:\projects\VirtNet\bin\amd64\virtnet.pdb source: 7za.exe, 00000004.00000003.382744292.0000000000100000.00000004.sdmp, SETE957.tmp.11.dr
Source: Binary string: c:\Users\admin\Documents\SharpDevelop Projects\test1\test1\obj\Debug\test1.pdb source: infinstaller.exe, 00000005.00000001.459151771.0000000001092000.00000020.sdmp, infinstaller.exe.4.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012DE296 push 3BFFFFFFh; iretd 16_2_012DE29B

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: unknown | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Drops PE files
Source: C:\Windows\System32\7za.exe | File created: C:\Users\user\Downloads\net\virtnet.sys
Source: C:\Users\user\Downloads\net\infinstaller.exe | File created: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp
Source: C:\Windows\System32\7za.exe | File created: C:\Users\user\Downloads\net\infinstaller.exe
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\drivers\SETE957.tmp
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\drivers\SETE957.tmp
May use bcdedit to modify the Windows boot settings
Source: metadata-2.6.dr | Binary or memory string: bcdedit.exe22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\
Contains functionality to read ini properties file for application configuration
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_01273800 _memset,_memset,_memset,PathFileExistsW,PathFileExistsW,PathFileExistsW,_memset,DeleteFileW,_memset,GetPrivateProfileStringW,_memset,_memset,GetWindowsDirectoryW,lstrcatW,GetModuleFileNameW,_wcsnlen,_wcsrchr,GetVersion,ShellExecuteW,16_2_01273800

Boot Survival:

Creates or modifies windows services
Source: C:\Windows\System32\drvinst.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Modifies existing windows services
Source: C:\Windows\System32\drvinst.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012AE06E GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,16_2_012AE06E
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012C831C GetParent,GetParent,IsIconic,GetParent,16_2_012C831C
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012B2290 IsWindowVisible,IsIconic,16_2_012B2290
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012C240F IsIconic,PostMessageW,16_2_012C240F
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012C04F4 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,16_2_012C04F4
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_01298DD7 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,16_2_01298DD7
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012C0F83 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,16_2_012C0F83
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_0127F4B4 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_0127F4B4
Stores large binary data to the registry
Source: C:\Windows\System32\drvinst.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network Config
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\net\infinstaller.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Setup.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Checks the free space of harddrivesShow sources
Source: C:\Windows\System32\drvinst.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Contains long sleeps (>= 3 min)Show sources
Source: C:\Users\user\Downloads\net\infinstaller.exeThread delayed: delay time: 922337203685477Jump to behavior
Found dropped PE file which has not been started or loadedShow sources
Source: C:\Users\user\Downloads\net\infinstaller.exeDropped PE file which has not been started: C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmpJump to dropped file
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmpJump to dropped file
Found evasive API chain (may stop execution after checking a module file name)Show sources
Source: C:\Users\user\Downloads\Setup.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_16-31877
Found large amount of non-executed APIsShow sources
Source: C:\Users\user\Downloads\Setup.exeAPI coverage: 5.7 %
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Users\user\Downloads\net\infinstaller.exe TID: 2412Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\drvinst.exe TID: 2476Thread sleep count: 39 > 30Jump to behavior
Source: C:\Windows\System32\drvinst.exe TID: 2476Thread sleep time: -2340000s >= -30000sJump to behavior
Source: C:\Windows\System32\ipconfig.exe TID: 1556Thread sleep time: -120000s >= -30000sJump to behavior
Source: C:\Windows\System32\ipconfig.exe TID: 1556Thread sleep time: -60000s >= -30000sJump to behavior
Source: C:\Users\user\Downloads\Setup.exe TID: 1572Thread sleep time: -1500000s >= -30000sJump to behavior
Source: C:\Users\user\Downloads\Setup.exe TID: 1572Thread sleep time: -60000s >= -30000sJump to behavior
Contains functionality to enumerate / list files inside a directoryShow sources
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_01272650 FindFirstFileW,FindClose,16_2_01272650
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_01272B00 _memset,_memset,SHGetSpecialFolderPathW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,CoInitialize,CoCreateInstance,_wcsnlen,GetCurrentProcessId,EnumWindows,SHDeleteValueW,CoUninitialize,DeleteFileW,wsprintfW,RemoveDirectoryW,RemoveDirectoryW,wsprintfW,RemoveDirectoryW,FindClose,SHDeleteKeyW,SHDeleteKeyW,SHDeleteKeyW,16_2_01272B00
Contains functionality to query system information
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_0136CB07 VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,16_2_0136CB07
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: infinstaller.exe, 00000005.00000002.654051633.0000000000502000.00000004.sdmp | Binary or memory string: ROOT\LEGACY_VMWAREAUTH\0000
Source: drvinst.exe, 00000006.00000003.508886036.00000000017BC000.00000004.sdmp | Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: metadata-2.6.dr | Binary or memory string: lsm.exe22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\
Source: metadata-2.6.dr | Binary or memory string: iasmigplugin-dl.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.6.dr | Binary or memory string: iasmigplugin-dl.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{4d4a291d-7dbc-11e1-a697-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Program exit points
Source: C:\Users\user\Downloads\Setup.exe | API call chain: ExitProcess graph end node graph_16-31876
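The "VM artifact strings" signature above fires on any virtualisation-related string the sandbox finds in memory. Here the hits come from infinstaller.exe, drvinst.exe and a dropped metadata file, and the strings are Windows migration-manifest names and a legacy PnP device key, i.e. operating-system data paged into those processes rather than anti-VM logic in the sample. The following script is an added example and not part of the Joe Sandbox report: it scans a dump for VM terms in both ASCII and UTF-16LE runs and separates hits that sit inside such known OS artifacts from stand-alone hits, which are the ones worth following into the disassembly. The term list, the benign-context list and the memory dump are constructed for the example.

```python
"""Triage VM-artifact string hits from a process memory dump.

Added example for this report; it is not Joe Sandbox code. The sandbox flags
any virtualisation-related string found in memory. This scanner looks for VM
terms in both ASCII and UTF-16LE runs and separates hits that sit inside known
Windows artifacts (migration manifests, ROOT\LEGACY_* PnP keys) from
stand-alone hits. The dump at the bottom is constructed for the demo.
"""
import re
from dataclasses import dataclass

# Terms treated as VM artifacts. The report shows VMware and Hyper-V; the
# rest of the list is an assumption of this example.
VM_TERMS = ("VMWARE", "HYPER-V", "VBOX", "VIRTUALBOX", "QEMU", "XEN")

# Substrings that mark a hit as ordinary Windows data rather than sample code.
# Assumption of this example, seeded from the sources the report lists
# (migwiz replacement manifests, ROOT\LEGACY_* PnP keys).
BENIGN_CONTEXTS = (
    "MIGRATION-REPLACEMENT.MAN",
    "REPLACEMENTMANIFESTS",
    "ROOT\\LEGACY_",
)


@dataclass
class Hit:
    offset: int
    encoding: str        # "ascii" or "utf-16le"
    term: str
    context: str         # the printable run the term was found in
    benign_context: bool


def printable_runs(data: bytes, encoding: str):
    """Yield (offset, text) for printable runs of at least 6 characters.

    Windows process memory carries most strings as UTF-16LE, so an ASCII-only
    pass misses them; the UTF-16 pattern is "printable byte, NUL byte" pairs.
    """
    if encoding == "ascii":
        pattern = re.compile(rb"[\x20-\x7e]{6,}")
    else:
        pattern = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode(encoding)


def scan_dump(data: bytes) -> list:
    """Return every VM-term hit in the dump, tagged with its encoding and context."""
    hits = []
    for encoding in ("ascii", "utf-16le"):
        for offset, text in printable_runs(data, encoding):
            upper = text.upper()
            for term in VM_TERMS:
                if term in upper:
                    benign = any(ctx in upper for ctx in BENIGN_CONTEXTS)
                    hits.append(Hit(offset, encoding, term, text, benign))
    return hits


def summarize(hits) -> tuple:
    """Return (stand-alone hits, hits inside known OS artifacts)."""
    benign = sum(1 for h in hits if h.benign_context)
    return len(hits) - benign, benign


# Constructed dump: two OS-artifact strings of the kind the report lists (one
# UTF-16LE, one ASCII) and one stand-alone device-name probe such as a real
# anti-VM routine would carry. NUL padding stands in for unrelated memory.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "microsoft-hyper-v-migration-replacement.man".encode("utf-16le")
    + b"\x00" * 8
    + b"ROOT\\LEGACY_VMWAREAUTH\\0000"
    + b"\x00" * 8
    + "VMware SVGA II".encode("utf-16le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    hits = scan_dump(SAMPLE_DUMP)
    for h in hits:
        tag = "os-artifact" if h.benign_context else "REVIEW"
        print(f"{h.offset:#08x} {h.encoding:8} {h.term:8} {tag:11} {h.context}")
    print("stand-alone / os-artifact:", summarize(hits))
```

Run against a real dump (`scan_dump(open(path, "rb").read())`), the two hits that mirror the report's sources land in the os-artifact bucket and only the device-name probe is left for review; a hit that still deserves attention is one found in the sample's own image region, not in a Windows DLL or manifest name.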

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Downloads\net\infinstaller.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_0136EA27 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0136EA27
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_0136CB07 VirtualProtect ?,-00000001,00000104,? 16_2_0136CB07
Contains functionality to register its own exception handler
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_0136EA27 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0136EA27
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Downloads\net\infinstaller.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\7za.exe 7za x net.zip
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Downloads\net\infinstaller.exe infinstaller.exe C:\Users\user\Downloads\net\netVirtNet1.inf
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\Downloads\Setup.exe Setup.exe
Source: C:\Windows\System32\drvinst.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Source: C:\Windows\System32\drvinst.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012745E0 _memset,_memset,InitializeSecurityDescriptor,LookupAccountNameW,SetFileAttributesW,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetFileSecurityW,16_2_012745E0
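Two of the signatures above fire on the same event: drvinst.exe starting rundll32.exe with pnpui.dll's InstallSecurityPromptRunDllW export, two Global\{GUID} object names and the DriverStore paths of the INF and catalog. That is the driver-installation security prompt Windows itself displays, and the "very long cmdline" heuristic is tripped by GUIDs and paths, not by packed or encrypted data. The script below is an added example, not Joe Sandbox code; it parses a rundll32 command line into DLL, export and arguments and applies the three checks an analyst makes before escalating: is the DLL under System32/SysWOW64, is the parent one expected to invoke that export, and do the long arguments decode as paths, GUIDs and numbers or as a high-entropy blob. The first record is the command line from this report; the expected-parent table, the second parent and the user-writable DLL record are assumptions constructed for the demo.

```python
"""Triage rundll32 process-creation records like the one in the report.

Added example; not Joe Sandbox code. Parses a rundll32 command line into DLL,
export and arguments, then checks DLL location, parent/export pairing and
whether "long" arguments are structured (paths, GUIDs, numbers) or a dense
blob. The expected-parent table and the second/third records are constructed.
"""
import base64
import hashlib
import math
import re
from collections import Counter

# (dll name, export) -> parents that legitimately invoke it. Assumption of this
# example; extend it from your own baseline.
EXPECTED_RUNDLL32_PARENTS = {
    ("pnpui.dll", "installsecuritypromptrundllw"): {"drvinst.exe"},
}

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
PATH_RE = re.compile(r"^(?:[a-z]:\\|\\\\|global\\)", re.I)
LONG_CMDLINE = 200                     # "very long" threshold assumed for the demo
BLOB_MIN_LEN, BLOB_MIN_ENTROPY = 48, 4.0


def split_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_rundll32(cmd: str):
    """Return {'dll', 'export', 'args'} or None if this is not a rundll32 launch."""
    toks = split_cmdline(cmd)
    if len(toks) < 2 or not toks[0].lower().endswith("rundll32.exe"):
        return None
    dll, _, export = toks[1].partition(",")
    return {"dll": dll, "export": export, "args": toks[2:]}


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_blob(arg: str) -> bool:
    """True for an argument that is neither path, GUID nor number and is long and dense."""
    if GUID_RE.search(arg) or PATH_RE.match(arg) or arg.isdigit():
        return False
    return len(arg) >= BLOB_MIN_LEN and shannon_entropy(arg) >= BLOB_MIN_ENTROPY


def triage_rundll32(parent_image: str, cmd: str):
    """Return a list of findings (empty list = consistent with expected use)."""
    parsed = parse_rundll32(cmd)
    if parsed is None:
        return None
    findings = []
    dll = parsed["dll"].lower()
    if not dll.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        findings.append("dll outside System32/SysWOW64")
    key = (dll.rsplit("\\", 1)[-1], parsed["export"].lower())
    parent = parent_image.lower().rsplit("\\", 1)[-1]
    expected = EXPECTED_RUNDLL32_PARENTS.get(key)
    if expected is None:
        findings.append("export not on the expected-parent list (review)")
    elif parent not in expected:
        findings.append("unexpected parent for this export")
    if len(cmd) > LONG_CMDLINE and any(looks_like_blob(a) for a in parsed["args"]):
        findings.append("long command line with unstructured arguments")
    return findings


# Record 1: the command line from the report (drvinst.exe -> rundll32.exe).
REPORT_CMDLINE = (
    r"rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 "
    r"Global\{5d5a63fc-7ebe-5905-74c9-9936171bf316} "
    r"Global\{0a6852b4-0342-09c6-94d5-2f292fdc7b02} "
    r"C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet1.inf "
    r"C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\netvirtnet64.cat"
)
# Record 3: constructed counter-example, a user-writable DLL plus a dense blob
# argument (216 base64 characters derived from fixed SHA-256 digests).
_BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(5))
).decode()
USERLAND_CMDLINE = r"rundll32.exe C:\Users\user\AppData\Local\Temp\upd.dll,Run " + _BLOB

RECORDS = [
    (r"C:\Windows\System32\drvinst.exe", REPORT_CMDLINE),
    (r"C:\Windows\explorer.exe", REPORT_CMDLINE),               # constructed parent
    (r"C:\Users\user\Downloads\Setup.exe", USERLAND_CMDLINE),   # constructed record
]

if __name__ == "__main__":
    for parent, cmd in RECORDS:
        print(parent.rsplit("\\", 1)[-1], "->", triage_rundll32(parent, cmd) or "expected")
```

The report's own event produces no findings; the same command line under explorer.exe is flagged only for its parent, and the constructed record with a DLL in %TEMP% and a 216-character blob trips all three checks. Command-line length on its own is not a useful discriminator for rundll32; what the arguments decode to is.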

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Downloads\Setup.exe | Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,16_2_01274D46
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Downloads\net\infinstaller.exe | Queries volume information: C:\Users\user\Downloads\net\infinstaller.exe VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe | Queries volume information: C:\Users\user\Downloads\net\netvirtnet64.cat VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe | Queries volume information: C:\Users\user\Downloads\net\netvirtnet64.cat VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe | Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Users\user\Downloads\net\infinstaller.exe | Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\FileRepository\netvirtnet1.inf_amd64_neutral_55f5524394231d93\netvirtnet64.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CAT VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_0136C70D GetSystemTimeAsFileTime,__aulldiv,16_2_0136C70D
Contains functionality to query the account / user name
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_012745E0 _memset,_memset,InitializeSecurityDescriptor,LookupAccountNameW,SetFileAttributesW,GetLengthSid,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetFileSecurityW,16_2_012745E0
Contains functionality to query windows version
Source: C:\Users\user\Downloads\Setup.exe | Code function: 16_2_0127F4B4 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_0127F4B4
Queries the cryptographic machine GUID
Source: C:\Users\user\Downloads\net\infinstaller.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates
Source: C:\Windows\System32\drvinst.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Blob

Behavior Graph

Behavior Graph ID: 825331 | Sample: Setup.exe | Startdate: 26/03/2019 | Architecture: WINDOWS | Score: 68

Signatures attached to the root node:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Multi AV Scanner detection for domain / URL
  • Multi AV Scanner detection for submitted file
  • Uses ipconfig to lookup or modify the Windows network settings

Process tree (the numbers in parentheses are the graph's created-registry-value and created-file counts, in the order the graph shows them; dropped files and network contacts are listed under the process that produced them):
  • cmd.exe
      • Setup.exe (10)
          network: asushotfix.com; 169.254.255.255 (unknown, Reserved)
      • 7za.exe (6)
          dropped: C:\Users\user\Downloads\net\virtnet.sys (PE32+); C:\Users\user\Downloads\...\infinstaller.exe (PE32+)
      • infinstaller.exe (2 9)
          dropped: C:\Users\user~1\AppData\Local\...\SETFD81.tmp (PE32+)
      • ipconfig.exe
  • drvinst.exe (91 5)
      network: 1.0.0.0 (unknown, Australia)
      dropped: C:\Windows\System32\drivers\SETE957.tmp (PE32+)
  • drvinst.exe (10 14)
      dropped: C:\Windows\System32\...\SETFED9.tmp (PE32+)
      • rundll32.exe
  • virtnet.sys (driver)
DNS names resolved during the run: ipv6.msftncsi.com, dns.msftncsi.com

Simulations

Behavior and APIs

Time | Type | Description
15:22:34 | API Interceptor | 1x Sleep call for process: 7za.exe modified
15:23:07 | API Interceptor | 1x Sleep call for process: infinstaller.exe modified
15:23:08 | API Interceptor | 327x Sleep call for process: drvinst.exe modified
15:23:09 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
15:24:38 | API Interceptor | 5x Sleep call for process: ipconfig.exe modified
15:25:03 | API Interceptor | 34x Sleep call for process: Setup.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner
Setup.exe | 41% | virustotal

Dropped Files

Source | Detection | Scanner
C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp | 0% | virustotal
C:\Users\user~1\AppData\Local\Temp\{55b76fcb-15ca-13b2-f5e3-4f2c32e01445}\SETFD81.tmp | 0% | metadefender
C:\Users\user\Downloads\net\virtnet.sys | 0% | metadefender
C:\Windows\System32\DriverStore\Temp\{63a5b06f-2f1a-44aa-e741-2e65e6af082c}\SETFED9.tmp | 0% | metadefender
C:\Windows\System32\drivers\SETE957.tmp | 0% | metadefender

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner
asushotfix.com | 13% | virustotal

URLs

Source | Detection | Scanner | Label
https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873 | 0% | Avira URL Cloud | safe
https://asushotfix.com/logo2.jpg?3A8EA62E32B4ECBE33DF500A28EBC873rj | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
1.0.0.0 | VHHyfEe6kw.rtf | malicious
1.0.0.0 | VHHyfEe6kw.rtf | malicious
1.0.0.0 | oWwsW39bEi.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
dns.msftncsi.com | 42Order Sample Picture.exe | malicious | 131.107.255.255
dns.msftncsi.com | 5NEW PO.exe | malicious | 131.107.255.255
dns.msftncsi.com | 61redacted@threatwav.exe | malicious | 131.107.255.255
dns.msftncsi.com | 37pobrien@orbtec.exe | malicious | 131.107.255.255
dns.msftncsi.com | 25edgegloba.exe | malicious | 131.107.255.255
dns.msftncsi.com | 103srd.exe | malicious | 131.107.255.255
dns.msftncsi.com | 46Bestellung-0857893850.scr | malicious | 131.107.255.255
dns.msftncsi.com | 78bmuxgvmkey.exe | malicious | 131.107.255.255
dns.msftncsi.com | 25transcrip.exe | malicious | 131.107.255.255
dns.msftncsi.com | 25transcrip.exe | malicious | 131.107.255.255
dns.msftncsi.com | 39transcrip.exe | malicious | 131.107.255.255
dns.msftncsi.com | ACH form.doc | malicious | 131.107.255.255
dns.msftncsi.com | 69PO#32893489339222.scr | malicious | 131.107.255.255
dns.msftncsi.com | 79Purchase Enquiry.pdf.exe | malicious | 131.107.255.255
dns.msftncsi.com | 17Transfer Copy.jar.jar | malicious | 131.107.255.255
dns.msftncsi.com | 109gkcotcntx.exe | malicious | 131.107.255.255
dns.msftncsi.com | 109gkcotcntx.exe | malicious | 131.107.255.255
dns.msftncsi.com | 101iemand@voorbeel.exe | malicious | 131.107.255.255
dns.msftncsi.com | 25edgegloba.exe | malicious | 131.107.255.255
dns.msftncsi.com | 73PO# JUL20170714 (2).exe | malicious | 131.107.255.255

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | Invoice0186.pdf | malicious | 192.168.0.40
unknown | P_2038402.xlsx | malicious | 192.168.0.44
unknown | bad.pdf | malicious | 192.168.0.44
unknown | RFQ.pdf | malicious | 192.168.0.44
unknown | 100323.pdf | malicious | 192.168.0.44
unknown | Copy.pdf | malicious | 127.0.0.1
unknown | 2.exe | malicious | 192.168.0.40
unknown | UPPB502981.doc | malicious | 192.168.0.44
unknown | Adm_Boleto.via2.com | malicious | 192.168.0.40
unknown | 00ECF4AD.exe | malicious | 192.168.0.40
unknown | PDF_100987464500.exe | malicious | 192.168.0.40
unknown | filedata.exe | malicious | 192.168.0.40
unknown | .exe | malicious | 192.168.1.60
unknown | 33redacted@threatwave.com | malicious | 192.168.1.71
unknown | (a second "unknown" ASN match listing the same fourteen associated samples and contexts as the entry above)

JA3 Fingerprints

No context

Dropped Files

No context

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.