Setup.exe

  • File Path: C:\WINDOWS\system32\DriverStore\FileRepository\netwew01.inf_amd64_d48428047ce3cc1e\Setup.exe
  • Description: Intel PROSet/Wireless Software

Screenshot

Setup.exe Setup.exe Setup.exe

Hashes

Type Hash
MD5 DE608134E33D3ABFFA944723ACD3E292
SHA1 26FA39E2DBE001EB2F3DFD25685FD32363495A6F
SHA256 A201756B24C7872F42FF71008B28DA0B10D0963E33F84395411125A27FD9C0DD
SHA384 2066AE0018F1F6EB2B8B757BD147594EFE0D3EAA76AE2EC8A4878A57491D3ADDB091B117345A1BA2E931B6AF73D8EE43
SHA512 CCDB39CF6D30CF5EA56B2A76EA2D4D2CB9B3271AFB15DD1BF7E78F33C2A130239CFEECD954C02409D2FAAE990AC3B973B884DC7AEB27E7CD1F1A0B5F65C6E776
SSDEEP 49152:TFmoJsL19tkT6ligMQTj0fMRdHUkA/pMVZjA:UoJgkgMCj/HUppURA

Signature

  • Status: Signature verified.
  • Serial: 330000001DC31A761624754F8000000000001D
  • Thumbprint: 96C51247E27DAE45A1BCD582A0503256F9EAEDAC
  • Issuer: CN=Microsoft Windows Third Party Component CA 2012, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows Hardware Compatibility Publisher, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Setup.exe
  • Product Name: Intel PROSet/Wireless Software
  • Company Name: Intel Corporation
  • File Version: 18.11.0
  • Product Version: 18.11.0
  • Language: English (United States)
  • Legal Copyright: Copyright (c) Intel Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of Setup.exe being misused. While Setup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sigma-test.yml uses: actions/setup-python@v1 DRL 1.0
sigma aws_update_login_profile.yml An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. DRL 1.0
sigma cisco_cli_net_sniff.yml description: Show when a monitor or a span/rspan is setup or modified DRL 1.0
sigma cisco_cli_net_sniff.yml - Admins may setup new or modify old spans, or use a monitor for troubleshooting DRL 1.0
sigma win_iso_mount.yml ObjectName: '\Device\CdRom0\setup.exe' DRL 1.0
sigma win_susp_eventlog_cleared.yml - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) DRL 1.0
sigma win_system_susp_eventlog_cleared.yml - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) DRL 1.0
sigma file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage\|endswith: \Installer\setup.exe DRL 1.0
sigma proc_creation_win_apt_winnti_pipemon.yml - 'setup.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1378.yml - 'C:\Windows\Setup\Scripts\' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1378.yml - 'C:\Windows\Setup\' DRL 1.0
sigma proc_creation_win_powershell_cmdline_special_characters.yml - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) DRL 1.0
sigma proc_creation_win_susp_run_folder.yml - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\SYSTEM\Setup\CmdLine' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\SOFTWARE\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml - '\SYSTEM\Setup\CmdLine' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml - '\SOFTWARE\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml TargetObject\|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\' DRL 1.0
sigma registry_event_asep_reg_keys_modification_wow6432node.yml - '\setup.exe' DRL 1.0
sigma registry_event_mal_flowcloud.yml - 'HKLM\SYSTEM\Setup\PrintResponsor\' DRL 1.0
sigma registry_event_new_application_appcompat.yml - Newly setup system. DRL 1.0
sigma registry_event_runonce_persistence.yml TargetObject\|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' DRL 1.0
LOLBAS Setup.yml Name: Setup.exe  
LOLBAS Setup.yml - Command: Run Setup.exe  
LOLBAS Setup.yml Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.  
LOLBAS OneDriveStandaloneUpdater.yml - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files  
LOLBAS Runonce.yml - IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY  
LOLBAS Setupapi.yml Description: Windows Setup Application Programming Interface  
LOLBAS Syssetup.yml Description: Windows NT System Setup  
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-sf © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-nh © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-zn © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-pq © ESET 2014-2018
malware-ioc evilnum \|C8458A1568639EA2270E1845B0A386FF75C23421\|nvstviews.exe \|ALPS Setup \|B1C248AD370D1ACE6FA03572CE1AE6297E14A3F8``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc glupteba.misp-event.json "value": "setup.exe\|f7230b2cab4e4910bca473b39ee8fd4df394ce0d", © ESET 2014-2018
malware-ioc glupteba \|F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D\|setup.exe \|MSIL/Adware.CsdiMonetize.AG © ESET 2014-2018
malware-ioc win_apt_invisimole_wdigest_chain.yml - Legitimate use of the Wireless Network Setup Wizard © ESET 2014-2018
malware-ioc win_lolbin_setupSNK.yml title: Wireless Network Setup Settings Changed © ESET 2014-2018
malware-ioc win_lolbin_setupSNK.yml - Legitimate use of the Wireless Network Setup Wizard © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json © ESET 2014-2018
malware-ioc potao Fake TrueCrypt Setup: © ESET 2014-2018
malware-ioc 2021_T2 Setup © ESET 2014-2018
malware-ioc windigo depending on your setup. For example we know that suPHP uses shared memory. © ESET 2014-2018
malware-ioc winnti_group setup.exe © ESET 2014-2018
atomic-red-team index.md - T1547.014 Active Setup CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1547.014 Active Setup CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | At (Windows) | Active Setup CONTRIBUTE A TEST | Accessibility Features | Application Access Token CONTRIBUTE A TEST | AS-REP Roasting | Browser Bookmark Discovery | Distributed Component Object Model | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Compromise Software Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Asynchronous Procedure Call | Bash History | Cloud Account CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Library | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Compromise Software Supply Chain CONTRIBUTE A TEST | Component Object Model CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Accessibility Features | Asynchronous Procedure Call | Brute Force CONTRIBUTE A TEST | Browser Bookmark Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Default Accounts | Component Object Model and Distributed COM CONTRIBUTE A TEST | Add-ins | Active Setup CONTRIBUTE A TEST | BITS Jobs | Cached Domain Credentials CONTRIBUTE A TEST | Domain Account | Internal Spearphishing CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | MIT License. © 2018 Red Canary
atomic-red-team T1046.md | nmap_url | NMap installer download URL | Url | https://nmap.org/dist/nmap-7.80-setup.exe| MIT License. © 2018 Red Canary
atomic-red-team T1046.md Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} MIT License. © 2018 Red Canary
atomic-red-team T1046.md Start-Process $env:temp\nmap-7.80-setup.exe /S MIT License. © 2018 Red Canary
atomic-red-team T1047.md Invoke-WebRequest ‘https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi’ -OutFile PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi MIT License. © 2018 Red Canary
atomic-red-team T1484.002.md if ($new) { Write-Host “nFederation successfully added to Azure AD" } else { Write-Host "nThe federation setup failed” } MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar $a1 = “https://setup.icloud.com/setup/authenticate/” wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s8 = “Setup a communication socket with the process by injecting” fullword ascii wide CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x1 = “Setup=unsecess.exe” fullword ascii CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x2 = “Setup=leassnp.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s0 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s3 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_miniasp.yar $x2 = “run http://%s/logo.png setup.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘37.02’ */ CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x1 = “cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x2 = “del /f /q %TEMP%\setup.cab && cliconfg.exe” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $s6 = “\setup.cab” fullword ascii CC BY-NC 4.0
signature-base apt_promethium_neodymium.yar $s2 = “c:\windows\temp\TrueCrypt-Setup-7.1a-tamindir.exe” fullword wide CC BY-NC 4.0
signature-base apt_sakula.yar description = “Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s7 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s6 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s1 = “c:\windows\ime\setup.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file setup.exe” CC BY-NC 4.0
signature-base crime_fireball.yar $s3 = “\SETUP.dll” fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x6 = “wevtutil cl Setup & wevtutil cl System” ascii CC BY-NC 4.0
signature-base gen_anomalies_keyword_combos.yar $fp6 = “Paint.NET Setup” wide fullword CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = “SwitchSniffer Setup” fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.