Setup.exe
This report is generated from a file or URL submitted to this webservice on August 26th 2020 18:37:57 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.31 © Hybrid Analysis
Indicators
-
Suspicious Indicators 9
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.99660853703
- source
- Static Parser
- relevance
- 10/10
-
General
-
Reads configuration files
- details
- "Setup.exe" read file "%WINDIR%\win.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Monitors specific registry key for changes
- details
- "Setup.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 580864)
- source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Remote Access Related
-
Contains a remote desktop related string
- details
- "+| xvnce" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1076 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
GetFileAttributesW
UnhandledExceptionFilter
FindResourceExW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExA
LoadLibraryExW
TerminateProcess
GetModuleHandleExW
LoadLibraryW
VirtualProtect
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetTempFileNameW
WriteFile
FindNextFileW
FindFirstFileExW
GetProcAddress
CreateFileW
FindResourceW
LockResource
GetCommandLineW
GetCommandLineA
GetModuleHandleW
GetTempPathW
CreateProcessW
VirtualAlloc
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"Setup.exe" wrote bytes "c0dff7761cf9f676ccf8f6760d64f87600000000c011a27400000000fc3ea27400000000e013a274000000009457877425e0f776c6e0f77600000000bc6a867400000000cf31a2740000000093198774000000002c32a27400000000" to virtual address "0x75401000" (part of module "NSI.DLL")
"Setup.exe" wrote bytes "d83a8174" to virtual address "0x748201E0" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4368174" to virtual address "0x74820200" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4360200" to virtual address "0x74814EA4" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4368174" to virtual address "0x748201E4" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4360200" to virtual address "0x74814D68" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "7111ad007a3bac00ab8b02007f950200fc8c0200729602006cc805001ecda9007d26a900" to virtual address "0x765007E4" (part of module "USER32.DLL")
"Setup.exe" wrote bytes "68130000" to virtual address "0x74B41680" (part of module "WS2_32.DLL")
"Setup.exe" wrote bytes "b81015a873ffe0" to virtual address "0x748136B4" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a8174" to virtual address "0x74820274" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "a011a873" to virtual address "0x74FCE324" (part of module "WININET.DLL")
"Setup.exe" wrote bytes "b89012a873ffe0" to virtual address "0x74813AD8" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a0200" to virtual address "0x74814E38" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a0200" to virtual address "0x74814D78" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a8174" to virtual address "0x74820258" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4368174" to virtual address "0x74820278" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b88011a873ffe0" to virtual address "0x74B41368" (part of module "WS2_32.DLL")
"Setup.exe" wrote bytes "b4368174" to virtual address "0x7482025C" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a8174" to virtual address "0x748201FC" (part of module "SSPICLI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
- "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Hiding 2 Suspicious Indicators
-
Informative 8
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
-
0/37 Antivirus vendors marked sample as malicious (0% detection rate)
0/70 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains PDB pathways
- details
- "D:\BuildAgent\work\acd6e4e05bdc1e8e\src\Setup\bin\Release\Setup.pdb"
- source
- File/Memory
- relevance
- 1/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 1B:9B:5E:C6:A6:A4:DC:31:C1:08:6E:2F:4B:42:0E:CA:63:12:0B:91; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116 (Show technique in the MITRE ATT&CK™ matrix)
-
Installation/Persistence
-
Connects to LPC ports
- details
- "Setup.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Touches files in the Windows directory
- details
-
"Setup.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
"Setup.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"Setup.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
"Setup.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"Setup.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "$BN*F_.tn"
Pattern match: "www.digicert.com1$0"
Pattern match: "www.digicert.com110/"
Pattern match: "http://ocsp.digicert.com0C"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O"
Pattern match: "https://www.digicert.com/CPS0"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl05"
Pattern match: "http://crl4.digicert.com/sha2-assured-cs-g1.crl0L"
Pattern match: "http://ocsp.digicert.com0N"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0"
Pattern match: "http://www.techsmith.com0"
Pattern match: "http://crl3.digicert.com/sha2-assured-ts.crl02"
Pattern match: "http://crl4.digicert.com/sha2-assured-ts.crl0"
Pattern match: "http://ocsp.digicert.com0O"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=397707-http://go.microsoft.com/fwlink/?LinkId=780596"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=825298"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "Setup.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "5c14f4afb6abe88c9734fe0627c5ac65a701580acb69494a1007d01923d1aa03.bin" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
-
File Details
Setup.exe
- Filename
- Setup.exe
- Size
- 14MiB (15145056 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 5c14f4afb6abe88c9734fe0627c5ac65a701580acb69494a1007d01923d1aa03
- MD5
- fb92d09ddd251d7440f0f55824009592
- SHA1
- f078ca9260c000e361351ae0b74cfd96de3d69f8
- ssdeep
- 393216:D3dy+Gq3qPfdbD8TYpvD3Jf7TJH1eoi+I+gOpDV:pltydHfvDZDF1INDY
- imphash
- 101de88f30689a9ad136d1ecd5e1a903
- authentihash
- ddb0a23eb4c8002e5906ce1041d8d041b5b39b643c1b83940da5b5c84896ba67
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 04/30/2020 15:04:36 (UTC)
- PDB Pathway
- D:\BuildAgent\work\acd6e4e05bdc1e8e\src\Setup\bin\Release\Setup.pdb
- PDB GUID
- 73489F487DE34FB0992C4A139510986D
Version Info
- LegalCopyright
- Copyright 2017 TechSmith. All rights reserved.
- InternalName
- Setup.exe
- FileVersion
- 1.1.14.517
- CompanyName
- TechSmith Corporation
- SquirrelAwareVersion
- 1
- ProductName
- TechSmith Capture
- ProductVersion
- 1.1.14.517
- FileDescription
- TechSmith Capture
- OriginalFilename
- Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 72.3% (.EXE) Win64 Executable (generic)
- 11.8% (.EXE) Win32 Executable (generic)
- 5.3% (.EXE) OS/2 Executable (generic)
- 5.2% (.EXE) Generic Win/DOS Executable
- 5.2% (.EXE) DOS Executable Generic
File Metadata
- 1 Unknown Resource Files (build: 0)
- 7 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 24215)
- 11 .LIB Files generated with LIB.EXE 11.00 (Visual Studio 2012) (build: 65501)
- 1 .C Files (converted from .NET IL) compiled with CVTCIL.EXE 17.00 (Visual Studio 2012) (build: 65501)
- 66 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24123)
- 2 .C Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 65501)
- 3 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 23013)
- 36 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24123)
- 21 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 24123)
- File contains Visual Basic code
- File is the product of a small codebase (7 files)
File Sections
File Resources
File Imports
File Certificates
Error validating certificate: No signature was present in the subject. (0x800b0100)
Owner | Issuer | Serial | Validity | Hashes (MD5, SHA1)
---|---|---|---|---
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | 409181b5fd5bb66755343b56f955008 | 10/22/2013 12:00:00 to 10/22/2028 12:00:00 | MD5: B6:56:37:6C:3D:2A:CE:BB:A1:88:49:D6:04:36:1B:D5; SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6
CN=TechSmith Corporation, OU=IT, O=TechSmith Corporation, L=Okemos, ST=MI, C=US | CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | fefb2a5054f0400c0e442649a7c027f | 04/06/2018 00:00:00 to 04/14/2021 12:00:00 | MD5: 25:65:68:EE:0C:97:E9:75:D5:D5:C0:DB:EF:A1:08:D7; SHA1: 1B:9B:5E:C6:A6:A4:DC:31:C1:08:6E:2F:4B:42:0E:CA:63:12:0B:91
Hybrid Analysis
Analysed 1 process in total.
- Setup.exe (PID: 2328)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.