c170f40383aa0e31471a18bb296ddd901b2a5396d0fafb55a6efdbdad3a16de2

Analysis

max time kernel
142s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fences5-sd-setup.exe
Size

13.2MB
MD5

e87d579f1739ed05a18631e4e152414b
SHA1

412c77de6f3602d288c6381fe03821b41757829b
SHA256

e137e6bb3f096c35582647d7d2f43d28f1c890f5adf8d6edb4ebeb56be43ebec
SHA512

e3ef90052efc72f72b297646221399cccce85a6446fb8c0c5a568c3f49418d9cc05b07ab86612e4e66de85c7e5301ac9749fc86758853b36e030ceff0c69e6fb
SSDEEP

196608:6NaqQ8EuKAvWWqq1Q4mpMLjaceFLxbOZ92N6Ms5rE+vQrFvrfXvQdrIPF:6APmWWR1apUaceFL9Wm6o+UFvrfYqF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000014ab3-3.dat	upx
behavioral1/memory/1364-5-0x0000000002B20000-0x0000000002F08000-memory.dmp	upx
behavioral1/files/0x000b000000014ab3-7.dat	upx
behavioral1/files/0x000b000000014ab3-8.dat	upx
behavioral1/files/0x000b000000014ab3-13.dat	upx
behavioral1/files/0x000b000000014ab3-11.dat	upx
behavioral1/files/0x000b000000014ab3-15.dat	upx
behavioral1/files/0x000b000000014ab3-19.dat	upx
behavioral1/memory/2752-22-0x0000000000C10000-0x0000000000FF8000-memory.dmp	upx
behavioral1/files/0x000b000000014ab3-51.dat	upx
behavioral1/memory/2752-98-0x0000000000C10000-0x0000000000FF8000-memory.dmp	upx

Executes dropped EXE 2 IoCs

pid	Process
2752	irsetup.exe
2372	GetMachineSID.exe

Loads dropped DLL 11 IoCs

pid	Process
1364	Fences5-sd-setup.exe
1364	Fences5-sd-setup.exe
1364	Fences5-sd-setup.exe
1364	Fences5-sd-setup.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	irsetup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2752	irsetup.exe
2752	irsetup.exe
2752	irsetup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2752	1364	Fences5-sd-setup.exe	28
PID 1364 wrote to memory of 2752	1364	Fences5-sd-setup.exe	28
PID 1364 wrote to memory of 2752	1364	Fences5-sd-setup.exe	28
PID 1364 wrote to memory of 2752	1364	Fences5-sd-setup.exe	28
PID 1364 wrote to memory of 2752	1364	Fences5-sd-setup.exe	28
PID 1364 wrote to memory of 2752	1364	Fences5-sd-setup.exe	28
PID 1364 wrote to memory of 2752	1364	Fences5-sd-setup.exe	28
PID 2752 wrote to memory of 2584	2752	irsetup.exe	29
PID 2752 wrote to memory of 2584	2752	irsetup.exe	29
PID 2752 wrote to memory of 2584	2752	irsetup.exe	29
PID 2752 wrote to memory of 2584	2752	irsetup.exe	29
PID 2752 wrote to memory of 2372	2752	irsetup.exe	31
PID 2752 wrote to memory of 2372	2752	irsetup.exe	31
PID 2752 wrote to memory of 2372	2752	irsetup.exe	31
PID 2752 wrote to memory of 2372	2752	irsetup.exe	31
PID 2752 wrote to memory of 2372	2752	irsetup.exe	31
PID 2752 wrote to memory of 2372	2752	irsetup.exe	31
PID 2752 wrote to memory of 2372	2752	irsetup.exe	31

C:\Users\Admin\AppData\Local\Temp\Fences5-sd-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Fences5-sd-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1940002 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Fences5-sd-setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-928733405-3780110381-2966456290-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
40B

MD5
4f51825527b9fa8fe0f6fe7fdb680ce6

SHA1
3e24686dc7f79274a43756971417c10963f917a3

SHA256
75d701f567dbf5dd1eaacea2809c56b9a185c945ddfb6fc15b206f7c3a98396a

SHA512
14acdc5b278711ebae8ab579f4023861924729cff4a1a8f9d093ccd388a5c97fab1257f67b41748d5683eb9b25bdf3d30e9cb4c52e75b3cdf4197699c5c69f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\eula.txt

Filesize
22KB

MD5
1345eca97d4afbfce7519c90b5312ab1

SHA1
6bbf9ae942e0e066b9039d8f437ae364a3887b64

SHA256
ee0c0b950573ae14eb006168a7c42b1c2bc1edf9223c9acc560db13bc63900e1

SHA512
8c48526f2aa7b066dbfa15434fd6c1a555544d100cd30c6ea92021a65f21a2a20ea1c0f5cf1f37b3d1cd564f30c4999ce83d269ab729822904102a27cd40795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
552KB

MD5
267780c260bfaef34101e05449b4208a

SHA1
5efcf9b2c1d7dc4c7d6e54f062797c73f168d58e

SHA256
568c64928754162482a2b6c989d65c8a7d9e3f7d4c0a871ff1d5349e387dcb1b

SHA512
6e8393aa96d04c7470865cbd3a86dac0f4ece818bfb3a95b40fa231ffdf4e2186dde6d15a30a2efecfefc654642c27df128c79788e68354f2514bbeb701d3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
640KB

MD5
ad8d610df2ade36b3b01e406b0991d6f

SHA1
9ef9b300498476edd80652572396dc1517f52d55

SHA256
85abbd99a1b06e38af9d3386570b2071ed116e4d3c5864ca9f13f25069eacd63

SHA512
1d5ec1424d414cbc3f0c854edc3eb797c68a579e4d1d12cdbec409e2ce69615ede2701c631b9661a0364f4b56e5e6497552c41d5f7aa049acc616ae3fc7f5ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
507KB

MD5
d55f8fb4141aeb8063272f68daf4c8a1

SHA1
082138e2cc8fa9499392e3f43188a1b44a497087

SHA256
7eb36fef9ac49d0d0a851e80fa0ca0f8b9584be4fc7c6209f449194cfc56975e

SHA512
4c1936319ade00658cf1ed978aae6effbe17004a93c636b07e51b0a9c179d4947905c618a913601ff2be3e1f46268ff171b36ab3ca433454d8fdbb8217f87b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\registry_export.txt

Filesize
406B

MD5
7cee57cbef71160b4acdfd692cf923d7

SHA1
dcbaf7657eb5ba82f98457335fa3f54d5e094e79

SHA256
3be0b7c42a33868a33c5e659102d1133b48708f31e9e73424ab9e2167a8df3ac

SHA512
b9a9c889a9638669e7b8d08d9c504e2354338bfde301746dcc2006efb123fdded3897ee363b0a5931da0148e78013238898d890c13fc52e1064ee2f54b6633fb

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
362KB

MD5
386eb10c63531ac8445439108a9aeb64

SHA1
faa27e476d8d672bbe60cb2872349173f0d17c76

SHA256
33b9c5213c8b069924a23890478aba271607f041d2e5bd52b376ac7ae271be63

SHA512
98faadae75e00c40899318311ece62a23bbc60507c64a0f383b4e35769c2454e02ee2fe7c759dc096128af6e2321645024f06b5d3412bafefcaf0e1b5c4e8209

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
9KB

MD5
2076a58ef809fd48ffe4ca904e5cb812

SHA1
e3ab4ddc8ce2df8595abfee44cce6bb1708affcc

SHA256
d0d57d336a9c7bb993361dd3843e8afeec458916a221b1137c7b7f697422d634

SHA512
6f10f79d1b4ea077d6f4d186020da5a302ef8115b6cb59776d4822d5982d909fdab32abc1a048734d189c237af8e8d737c50e884864b4af3a73fe3c9382d326e

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
42KB

MD5
8ae189f4bf8c507550dbe5f781da2f47

SHA1
b07ae037bd1a9f9a21cde225833f54ef7793f6a7

SHA256
221ef194a385998dfb340edc86fe0f3290167ea7c8a02d5548c65b690d75fcc6

SHA512
7b2860cc50aca0fa1cd8f4558daa554b1c767622dbffe93ccd49604882abe9f91cb41599899d6899b1bb22653f016ff6ca2c9e43872240d67c1738ff42fd5013

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
642KB

MD5
349d19766159ec9c18030209a2b2b0e2

SHA1
d6f86edd55ead3b5d06dad095eae5ae8e1699892

SHA256
c313847ea3438197553ee4c56d5dfadaba09afbf3ce648219900ab9f010f4776

SHA512
52d628a0af22b1cfb623e3892ef5dbcf396d4dd2854e27182c976b3bf400c2411afe6b11c07a58960f5fd92558e74f753c6c5e6baced88ff32b9a4d8b1ea5c59

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
566KB

MD5
da296f760541c8ff9dfe3f9a24f9cf29

SHA1
5e2a04f161a33790b44d446c8511b0ea61255f2e

SHA256
9d389f138a1848998a4144a3cc5de616eb6fe0257718962eeac53958a08f58fb

SHA512
695a9ce503ab0bebe8d32edacb584a0c836161a8a5ce961a9e0c22e0705ac7d3ba295e9622744a571daf151562ade251dfb967f4618d842582e07cd06a3ced24

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
130KB

MD5
ddd108b21949108e674ccc24bb8e6437

SHA1
a25c2fa4b93dc18deb05e1d6a4132b1c66410066

SHA256
c0d244a65fd40fbbc1d48855a6ffe65a020f47854f3ebca0427bf2795c8d7e6e

SHA512
68c26709b7548fa6b99a302ec4362a4dc674db8332d0176aa2d4effe38b4c2dabb10e712d96906082f6b9ef53e16123b933d799dabf1f0b2b0226a47af75c910

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
593KB

MD5
566582a9dad6606b4e9eea79b5a54d88

SHA1
363db4922b261790d8f9166245547a1010af6bed

SHA256
bb2e877cb9bd5775d9f653a1b50e3d9f49b555de363cd5beb4afc41eb3dd0dbd

SHA512
a924ae605c1cb681b14e9cd4c3d07185c1edbc2292c51f15ac67dc4f2092e149de90dfd9de3f41ab70a86b6e95c5623c8e1aa319dcda99432dbaff87729395b6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/1364-18-0x0000000002B20000-0x0000000002F08000-memory.dmp

Filesize
3.9MB

Download
memory/1364-100-0x0000000002B20000-0x0000000002F08000-memory.dmp

Filesize
3.9MB

Download
memory/1364-5-0x0000000002B20000-0x0000000002F08000-memory.dmp

Filesize
3.9MB

Download
memory/2752-98-0x0000000000C10000-0x0000000000FF8000-memory.dmp

Filesize
3.9MB

Download
memory/2752-22-0x0000000000C10000-0x0000000000FF8000-memory.dmp

Filesize
3.9MB

Download
memory/2752-41-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/2752-52-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/2752-99-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2752-40-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2752-102-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2752-103-0x00000000003C0000-0x00000000003C3000-memory.dmp

Filesize
12KB

Download
memory/2752-104-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/2752-108-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2752-116-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2752-126-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download