Setup.exe

  • File Path: C:\Windows\system32\oobe\Setup.exe
  • Description: Windows Installation and Setup

Screenshot

Setup.exe Setup.exe Setup.exe

Hashes

Type Hash
MD5 F35692328D9B6BFDBD9A69D60867693B
SHA1 1ACF7DDD5F90D4564178258EB3821EC3BB9DFF42
SHA256 7148FD863089886BE84D9066B2F6643D779AE09CC6643E413014D2AA8A574932
SHA384 509FABEC9290BA383554E737F532CFCBB16556197942784A92F0A769D9E94E9189F6BECF571569EC9EAE233B6EF965B8
SHA512 1B8D28DB6E71816F0AD73C0ECD81A190CDAB530F8185C5B65F323E3FB219F09976478D13E3C8E90614BEA1D4A1AB4706C4D7DC0E135AE3241C54C786DBB33567
SSDEEP 6144:xmgDddcYp7qgUKPywFpd600MBxZOrzhQXJgzBU4GfjT/:xmgDVpbJywoJag6
IMP 2706683A4F43E1FD3187D4EE9829C335
PESHA1 06F6CAB4301B8DC43C0B6F28C3584E52AF3A482F
PE256 B6E5A07DCFF533C479D6522644AD8F38E19CCBAD405019C01AFAB2B39497583D

Runtime Data

Window Title:

Install Windows

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\oobe\en-US\setup.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Windows\System32\oobe File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1703657751 Section
\Windows\Theme1455388728 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\oobe\Setup.exe
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SETUP.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/7148fd863089886be84d9066b2f6643d779ae09cc6643e413014d2aa8a574932/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\oobe\Setup.exe 44
C:\Windows\system32\oobe\Setup.exe 41
C:\Windows\system32\oobe\Setup.exe 88
C:\Windows\system32\oobe\Setup.exe 36
C:\Windows\system32\oobe\Setup.exe 43
C:\WINDOWS\system32\oobe\Setup.exe 44

Possible Misuse

The following table contains possible examples of Setup.exe being misused. While Setup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma pypi-publish.yml uses: actions/setup-python@v1 DRL 1.0
sigma sigma-test.yml uses: actions/setup-python@v1 DRL 1.0
sigma aws_update_login_profile.yml description: An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users. DRL 1.0
sigma cisco_cli_net_sniff.yml description: Show when a monitor or a span/rspan is setup or modified DRL 1.0
sigma cisco_cli_net_sniff.yml - Admins may setup new or modify old spans, or use a monitor for troubleshooting DRL 1.0
sigma win_susp_security_eventlog_cleared.yml - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) DRL 1.0
sigma win_mal_flowcloud.yml - 'HKLM\SYSTEM\Setup\PrintResponsor\\*' DRL 1.0
sigma win_apt_winnti_pipemon.yml - 'setup.exe -x:0' DRL 1.0
sigma win_apt_winnti_pipemon.yml - 'setup.exe -x:1' DRL 1.0
sigma win_apt_winnti_pipemon.yml - 'setup.exe -x:2' DRL 1.0
sigma win_exploit_cve_2019_1378.yml - '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd' DRL 1.0
sigma win_exploit_cve_2019_1378.yml - '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd' DRL 1.0
sigma win_exploit_cve_2019_1378.yml - 'C:\Windows\Setup\\*' DRL 1.0
LOLBAS Setup.yml Name: Setup.exe  
LOLBAS Setup.yml - Command: Run Setup.exe  
LOLBAS Setup.yml Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.  
LOLBAS Runonce.yml - IOC: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY  
LOLBAS Setupapi.yml Description: Windows Setup Application Programming Interface  
LOLBAS Syssetup.yml Description: Windows NT System Setup  
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-sf © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-nh © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-zn © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-pq © ESET 2014-2018
malware-ioc evilnum \|C8458A1568639EA2270E1845B0A386FF75C23421\|nvstviews.exe \|ALPS Setup \|B1C248AD370D1ACE6FA03572CE1AE6297E14A3F8``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc glupteba.misp-event.json "value": "setup.exe\|f7230b2cab4e4910bca473b39ee8fd4df394ce0d", © ESET 2014-2018
malware-ioc glupteba \|F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D\|setup.exe \|MSIL/Adware.CsdiMonetize.AG © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json © ESET 2014-2018
malware-ioc potao Fake TrueCrypt Setup: © ESET 2014-2018
malware-ioc windigo depending on your setup. For example we know that suPHP uses shared memory. © ESET 2014-2018
malware-ioc winnti_group setup.exe © ESET 2014-2018
atomic-red-team Atomic_Friday.md ## Setup MIT License. © 2018 Red Canary
atomic-red-team Getting_Lateral.md ## Setup MIT License. © 2018 Red Canary
atomic-red-team T1046.md | nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe| MIT License. © 2018 Red Canary
atomic-red-team T1046.md Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} MIT License. © 2018 Red Canary
atomic-red-team T1046.md Start-Process $env:temp\nmap-7.80-setup.exe /S MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar $a1 = “https://setup.icloud.com/setup/authenticate/” wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s8 = “Setup a communication socket with the process by injecting” fullword ascii wide CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x1 = “Setup=unsecess.exe” fullword ascii CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x2 = “Setup=leassnp.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s0 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s3 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_miniasp.yar $x2 = “run http://%s/logo.png setup.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘37.02’ */ CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x1 = “cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x2 = “del /f /q %TEMP%\setup.cab && cliconfg.exe” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $s6 = “\setup.cab” fullword ascii CC BY-NC 4.0
signature-base apt_promethium_neodymium.yar $s2 = “c:\windows\temp\TrueCrypt-Setup-7.1a-tamindir.exe” fullword wide CC BY-NC 4.0
signature-base apt_sakula.yar description = “Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s7 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s6 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s1 = “c:\windows\ime\setup.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file setup.exe” CC BY-NC 4.0
signature-base crime_fireball.yar $s3 = “\SETUP.dll” fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x6 = “wevtutil cl Setup & wevtutil cl System” ascii CC BY-NC 4.0
signature-base gen_anomalies_keyword_combos.yar $fp6 = “Paint.NET Setup” wide fullword CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = “SwitchSniffer Setup” fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.