Setup.exe

  • File Path: C:\windows\system32\oobe\Setup.exe
  • Description: Windows Installation and Setup

Screenshot

Setup.exe Setup.exe Setup.exe

Hashes

Type Hash
MD5 900A1E32FA0871A47A43804A5279AB0A
SHA1 7FAF047F8F4B35CEEFD24E587F17460EB2662348
SHA256 47F3BE4FBDC620088D26D3CC5BBEF6BAB0E84D60D7BBC7936D40D56340DF1638
SHA384 9CE97B7210F68599827640A881B9A61ECEEE123947B509F5B65D975030BF9B50CA8147AA625DF2CD0A700EDE81E43104
SHA512 B303370CDB712D8C98184A642D35F13C479A205C57707D948CF205DD5C01B01A0CBF9D336291CB02E3E746A73F78BAEDA41896D0E19DA73589736976F0016A4B
SSDEEP 6144:DMdhqqDGa93Up82QPQLXlwAOp0FlUVOBJAQzhQXJQ50m2U:DMdcqSa93Up82iQDSAyCCA7naQyU

Signature

  • Status: Signature verified.
  • Serial: 33000002CF6D2CC57CAA65A6D80000000002CF
  • Thumbprint: 1A221B3B4FEF088B17BA6704FD088DF192D9E0EF
  • Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SETUP.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Setup.exe being misused. While Setup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma pypi-publish.yml uses: actions/setup-python@v1 DRL 1.0
sigma sigma-test.yml uses: actions/setup-python@v1 DRL 1.0
sigma aws_update_login_profile.yml description: An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. DRL 1.0
sigma cisco_cli_net_sniff.yml description: Show when a monitor or a span/rspan is setup or modified DRL 1.0
sigma cisco_cli_net_sniff.yml - Admins may setup new or modify old spans, or use a monitor for troubleshooting DRL 1.0
sigma win_susp_security_eventlog_cleared.yml - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) DRL 1.0
sigma win_mal_flowcloud.yml - 'HKLM\SYSTEM\Setup\PrintResponsor\\*' DRL 1.0
sigma win_apt_winnti_pipemon.yml - 'setup.exe -x:0' DRL 1.0
sigma win_apt_winnti_pipemon.yml - 'setup.exe -x:1' DRL 1.0
sigma win_apt_winnti_pipemon.yml - 'setup.exe -x:2' DRL 1.0
sigma win_exploit_cve_2019_1378.yml - '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd' DRL 1.0
sigma win_exploit_cve_2019_1378.yml - '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd' DRL 1.0
sigma win_exploit_cve_2019_1378.yml - 'C:\Windows\Setup\\*' DRL 1.0
LOLBAS Setup.yml Name: Setup.exe  
LOLBAS Setup.yml - Command: Run Setup.exe  
LOLBAS Setup.yml Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.  
LOLBAS Runonce.yml - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY  
LOLBAS Setupapi.yml Description: Windows Setup Application Programming Interface  
LOLBAS Syssetup.yml Description: Windows NT System Setup  
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-sf © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-nh © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-zn © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-pq © ESET 2014-2018
malware-ioc evilnum \|C8458A1568639EA2270E1845B0A386FF75C23421\|nvstviews.exe \|ALPS Setup \|B1C248AD370D1ACE6FA03572CE1AE6297E14A3F8``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc glupteba.misp-event.json "value": "setup.exe\|f7230b2cab4e4910bca473b39ee8fd4df394ce0d", © ESET 2014-2018
malware-ioc glupteba \|F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D\|setup.exe \|MSIL/Adware.CsdiMonetize.AG © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json © ESET 2014-2018
malware-ioc potao Fake TrueCrypt Setup: © ESET 2014-2018
malware-ioc windigo depending on your setup. For example we know that suPHP uses shared memory. © ESET 2014-2018
malware-ioc winnti_group setup.exe © ESET 2014-2018
atomic-red-team Atomic_Friday.md ## Setup MIT License. © 2018 Red Canary
atomic-red-team Getting_Lateral.md ## Setup MIT License. © 2018 Red Canary
atomic-red-team T1046.md | nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe| MIT License. © 2018 Red Canary
atomic-red-team T1046.md Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} MIT License. © 2018 Red Canary
atomic-red-team T1046.md Start-Process $env:temp\nmap-7.80-setup.exe /S MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar $a1 = “https://setup.icloud.com/setup/authenticate/” wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s8 = “Setup a communication socket with the process by injecting” fullword ascii wide CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x1 = “Setup=unsecess.exe” fullword ascii CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x2 = “Setup=leassnp.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s0 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s3 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_miniasp.yar $x2 = “run http://%s/logo.png setup.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘37.02’ */ CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x1 = “cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x2 = “del /f /q %TEMP%\setup.cab && cliconfg.exe” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $s6 = “\setup.cab” fullword ascii CC BY-NC 4.0
signature-base apt_promethium_neodymium.yar $s2 = “c:\windows\temp\TrueCrypt-Setup-7.1a-tamindir.exe” fullword wide CC BY-NC 4.0
signature-base apt_sakula.yar description = “Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s7 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s6 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s1 = “c:\windows\ime\setup.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file setup.exe” CC BY-NC 4.0
signature-base crime_fireball.yar $s3 = “\SETUP.dll” fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x6 = “wevtutil cl Setup & wevtutil cl System” ascii CC BY-NC 4.0
signature-base gen_anomalies_keyword_combos.yar $fp6 = “Paint.NET Setup” wide fullword CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = “SwitchSniffer Setup” fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.