GWSetup[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

GWSetup.exe
Size

8.4MB
MD5

c160a6e0498ceb212df1e4f4590cef12
SHA1

28aecda9e2977d4bb9eb2cb35e5ea346fae1d79c
SHA256

b77dc5437c8d9c21c1c3c65807b1a7ff7074bc49a9173f04acd04d6b89a58b26
SHA512

07a71159ec9761552402ee58d94b8dfed8decf676df7a5228424a4b6b04c2486795c9a98502f7eedbe5b3f088dcb20f809a751a730b19bc7a605bf070ebea122
SSDEEP

98304:AN/rPVWY/T1oxEXN4yH7T8HdtuuicVGLPFIwGjP9r5fIKCA+cxVFe3XpBWC5ju7R:C/zAY/T2a/OyuilNIFjvzVVtcU7fgQ0A

Score

1^/10

Malware Config

Signatures

Files

GWSetup.exe
.exe windows x86

a993f02d40ecc0ce5de2c4bb31f66532

Code Sign

08:c8:ec:ea:59:44:ae:e2:2b:b2:18:50:8e:97:98:b8
Certificate

Issuer

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

31/07/2020, 00:00

Not After

03/08/2023, 12:00

Subject

CN=Qi An Xin Technology Group Inc.,O=Qi An Xin Technology Group Inc.,ST=Beijing,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:1c:b2:8a:00:00:00:00:00:26
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:41

Not After

15/04/2021, 19:51

Subject

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

31/05/2021, 06:43

Not After

17/09/2029, 06:43

Subject

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2b:d4:ae:70:b9:d0:63:5b:2a:e9:84:c8:d6:74:aa:30
Certificate

Issuer

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

28/07/2022, 08:56

Not After

27/07/2033, 08:56

Subject

CN=Certum Timestamp 2022,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

Issuer

CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

11/02/2011, 12:00

Not After

10/02/2026, 12:00

Subject

CN=DigiCert Assured ID Code Signing CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19/05/2021, 05:32

Not After

18/05/2036, 05:32

Subject

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

61:20:4d:b4:00:00:00:00:00:27
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:45

Not After

15/04/2021, 19:55

Subject

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:bc:db:09:00:11:fd:11:c3:34:1d:74:52:75:e9:9a
Certificate

Issuer

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

06/08/2020, 00:00

Not After

03/08/2023, 12:00

Subject

SERIALNUMBER=91110105397625067T,CN=Qi An Xin Technology Group Inc.,O=Qi An Xin Technology Group Inc.,ST=Beijing,C=CN,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.2=#13074265696a696e67,1.3.6.1.4.1.311.60.2.1.3=#1302434e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

Issuer

CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US

Not Before

18/04/2012, 12:00

Not After

18/04/2027, 12:00

Subject

CN=DigiCert EV Code Signing CA (SHA2),OU=www.digicert.com,O=DigiCert Inc,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

2b:d4:ae:70:b9:d0:63:5b:2a:e9:84:c8:d6:74:aa:30
Certificate

Issuer

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Not Before

28/07/2022, 08:56

Not After

27/07/2033, 08:56

Subject

CN=Certum Timestamp 2022,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

Issuer

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

19/05/2021, 05:32

Not After

18/05/2036, 05:32

Subject

CN=Certum Timestamping 2021 CA,O=Asseco Data Systems S.A.,C=PL

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

Issuer

CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Not Before

31/05/2021, 06:43

Not After

17/09/2029, 06:43

Subject

CN=Certum Trusted Network CA 2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

de:26:20:98:4d:e6:2a:d6:30:13:05:a7:83:25:d8:39:32:2c:09:8f:68:2f:93:ff:bc:96:78:7e:ab:61:2a:eb
Signer

Actual PE Digest

de:26:20:98:4d:e6:2a:d6:30:13:05:a7:83:25:d8:39:32:2c:09:8f:68:2f:93:ff:bc:96:78:7e:ab:61:2a:eb

Digest Algorithm

sha256

PE Digest Matches

true

22:aa:90:a2:8f:c9:e1:70:50:08:c0:65:55:9c:df:ff:91:99:ba:74
Signer

Actual PE Digest

22:aa:90:a2:8f:c9:e1:70:50:08:c0:65:55:9c:df:ff:91:99:ba:74

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

LoadLibraryExA
RemoveDirectoryA
FindClose
FindNextFileA
FindFirstFileA
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetTimeZoneInformation
GetFileTime
GetVersionExA
GetSystemInfo
GetModuleHandleA
GetEnvironmentVariableA
MultiByteToWideChar
OutputDebugStringA
ExpandEnvironmentStringsA
GetCurrentProcess
Process32Next
lstrcmpiA
Process32First
FindResourceA
QueryDosDeviceA
GetLogicalDriveStringsA
OpenProcess
Process32NextW
Process32FirstW
GetStartupInfoA
GetExitCodeProcess
ProcessIdToSessionId
CreateProcessA
GetCurrentThread
Module32Next
Module32First
LocalFree
TerminateProcess
GetModuleHandleW
VirtualQuery
SetEndOfFile
SetFilePointer
GetLocalTime
LockResource
LoadResource
lstrcmpiW
MoveFileExA
GetSystemTime
CopyFileA
GetProcessHeap
HeapAlloc
HeapFree
GetLastError
GetFileInformationByHandle
FileTimeToLocalFileTime
FileTimeToDosDateTime
GetFileAttributesA
DosDateTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
SetFileAttributesA
lstrcpynA
lstrcpyA
lstrcatA
FreeLibrary
GetTempPathA
CreateDirectoryA
LoadLibraryA
GetProcAddress
CloseHandle
Sleep
GetModuleFileNameA
GlobalFree
lstrlenA
DeleteFileA
WriteFile
CreateFileA
GetFileSize
GlobalAlloc
ReadFile
CreateToolhelp32Snapshot

user32

ExitWindowsEx
EnumWindows
MessageBoxA
GetWindowThreadProcessId

advapi32

ConvertSidToStringSidA
RegEnumKeyExA
RegDeleteKeyA
RegEnumKeyA
RegEnumValueA
RegQueryValueExA
RegSetValueExA
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
LookupAccountNameA
LookupAccountSidA
LookupPrivilegeValueA
AdjustTokenPrivileges
OpenSCManagerA
CloseServiceHandle
LookupPrivilegeNameA
OpenThreadToken
GetTokenInformation
EqualSid
DuplicateTokenEx
SetTokenInformation
OpenProcessToken
CreateProcessAsUserA
AllocateAndInitializeSid
GetLengthSid
InitializeAcl
AddAccessAllowedAceEx
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
SetFileSecurityA
FreeSid
AddAccessAllowedAce
RegDeleteValueA
RegSetKeySecurity

shell32

StrStrIA
StrCmpNIA

shlwapi

PathRemoveFileSpecA
StrTrimA

version

VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA

msvcrt

atoi
strncat
strncpy
_strrev
_access
sprintf
_open
_CxxThrowException
_read
_write
memmove
_close
_lseek
??2@YAPAXI@Z
??3@YAXPAX@Z
strchr
_errno
strrchr
_snprintf
__CxxFrameHandler
fclose
fopen
free
malloc
ftell
fseek
_wcsicmp
_vsnprintf
iscntrl
__dllonexit
_onexit
??1type_info@@UAE@XZ
_strnicmp
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
strstr
_stricmp
_fileno
remove
_exit

setupapi

SetupIterateCabinetA

msvcp60

??0_Winit@std@@QAE@XZ
??0Init@ios_base@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBDI@Z
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??1Init@ios_base@std@@QAE@XZ

wintrust

WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
WinVerifyTrust
WTHelperGetProvCertFromChain

crypt32

CertGetNameStringA

psapi

GetModuleFileNameExA
GetProcessImageFileNameA

iphlpapi

GetTcpTable
SetTcpEntry

Sections

.text
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 280KB - Virtual size: 279KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a993f02d40ecc0ce5de2c4bb31f66532

Code Sign

08:c8:ec:ea:59:44:ae:e2:2b:b2:18:50:8e:97:98:b8Certificate

Extended Key Usages

Key Usages

61:1c:b2:8a:00:00:00:00:00:26Certificate

Key Usages

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27Certificate

Key Usages

2b:d4:ae:70:b9:d0:63:5b:2a:e9:84:c8:d6:74:aa:30Certificate

Extended Key Usages

Key Usages

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bdCertificate

Extended Key Usages

Key Usages

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87Certificate

Extended Key Usages

Key Usages

61:20:4d:b4:00:00:00:00:00:27Certificate

Key Usages

0a:bc:db:09:00:11:fd:11:c3:34:1d:74:52:75:e9:9aCertificate

Extended Key Usages

Key Usages

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5cCertificate

Extended Key Usages

Key Usages

2b:d4:ae:70:b9:d0:63:5b:2a:e9:84:c8:d6:74:aa:30Certificate

Extended Key Usages

Key Usages

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87Certificate

Extended Key Usages

Key Usages

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27Certificate

Key Usages

de:26:20:98:4d:e6:2a:d6:30:13:05:a7:83:25:d8:39:32:2c:09:8f:68:2f:93:ff:bc:96:78:7e:ab:61:2a:ebSigner

22:aa:90:a2:8f:c9:e1:70:50:08:c0:65:55:9c:df:ff:91:99:ba:74Signer

Headers

File Characteristics

Imports

kernel32

user32

advapi32

shell32

shlwapi

version

msvcrt

setupapi

msvcp60

wintrust

crypt32

psapi

iphlpapi

Sections

.text Size: 31KB - Virtual size: 31KB

.rdata Size: 7KB - Virtual size: 6KB

.data Size: 5KB - Virtual size: 10KB

.rsrc Size: 280KB - Virtual size: 279KB

08:c8:ec:ea:59:44:ae:e2:2b:b2:18:50:8e:97:98:b8
Certificate

61:1c:b2:8a:00:00:00:00:00:26
Certificate

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

2b:d4:ae:70:b9:d0:63:5b:2a:e9:84:c8:d6:74:aa:30
Certificate

0f:a8:49:06:15:d7:00:a0:be:21:76:fd:c5:ec:6d:bd
Certificate

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

61:20:4d:b4:00:00:00:00:00:27
Certificate

0a:bc:db:09:00:11:fd:11:c3:34:1d:74:52:75:e9:9a
Certificate

03:f1:b4:e1:5f:3a:82:f1:14:96:78:b3:d7:d8:47:5c
Certificate

2b:d4:ae:70:b9:d0:63:5b:2a:e9:84:c8:d6:74:aa:30
Certificate

e7:ff:69:c7:3b:35:ce:4b:91:26:d8:74:7c:68:a5:87
Certificate

1b:b5:8f:25:2a:df:23:00:49:28:c9:ae:3d:7e:ed:27
Certificate

de:26:20:98:4d:e6:2a:d6:30:13:05:a7:83:25:d8:39:32:2c:09:8f:68:2f:93:ff:bc:96:78:7e:ab:61:2a:eb
Signer

22:aa:90:a2:8f:c9:e1:70:50:08:c0:65:55:9c:df:ff:91:99:ba:74
Signer

.text
Size: 31KB - Virtual size: 31KB

.rdata
Size: 7KB - Virtual size: 6KB

.data
Size: 5KB - Virtual size: 10KB

.rsrc
Size: 280KB - Virtual size: 279KB