43a8fa5d8e3665c983bcdc6362e2f7340f6737300db00680074def530d564e40

General

Target

Fences5-sd-setup.exe
Size

13.2MB
MD5

e87d579f1739ed05a18631e4e152414b
SHA1

412c77de6f3602d288c6381fe03821b41757829b
SHA256

e137e6bb3f096c35582647d7d2f43d28f1c890f5adf8d6edb4ebeb56be43ebec
SHA512

e3ef90052efc72f72b297646221399cccce85a6446fb8c0c5a568c3f49418d9cc05b07ab86612e4e66de85c7e5301ac9749fc86758853b36e030ceff0c69e6fb
SSDEEP

196608:6NaqQ8EuKAvWWqq1Q4mpMLjaceFLxbOZ92N6Ms5rE+vQrFvrfXvQdrIPF:6APmWWR1apUaceFL9Wm6o+UFvrfYqF

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000153c7-3.dat	upx
behavioral1/memory/1148-6-0x0000000002D70000-0x0000000003158000-memory.dmp	upx
behavioral1/memory/1524-32-0x00000000008F0000-0x0000000000CD8000-memory.dmp	upx
behavioral1/memory/1524-79-0x00000000008F0000-0x0000000000CD8000-memory.dmp	upx
behavioral1/memory/1524-101-0x00000000008F0000-0x0000000000CD8000-memory.dmp	upx

Executes dropped EXE 2 IoCs

pid	Process
1524	irsetup.exe
2488	GetMachineSID.exe

Loads dropped DLL 11 IoCs

pid	Process
1148	Fences5-sd-setup.exe
1148	Fences5-sd-setup.exe
1148	Fences5-sd-setup.exe
1148	Fences5-sd-setup.exe
1524	irsetup.exe
1524	irsetup.exe
1524	irsetup.exe
1524	irsetup.exe
1524	irsetup.exe
1524	irsetup.exe
1524	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	irsetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	irsetup.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1524	irsetup.exe
1524	irsetup.exe
1524	irsetup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1524	1148	Fences5-sd-setup.exe	28
PID 1148 wrote to memory of 1524	1148	Fences5-sd-setup.exe	28
PID 1148 wrote to memory of 1524	1148	Fences5-sd-setup.exe	28
PID 1148 wrote to memory of 1524	1148	Fences5-sd-setup.exe	28
PID 1148 wrote to memory of 1524	1148	Fences5-sd-setup.exe	28
PID 1148 wrote to memory of 1524	1148	Fences5-sd-setup.exe	28
PID 1148 wrote to memory of 1524	1148	Fences5-sd-setup.exe	28
PID 1524 wrote to memory of 1184	1524	irsetup.exe	29
PID 1524 wrote to memory of 1184	1524	irsetup.exe	29
PID 1524 wrote to memory of 1184	1524	irsetup.exe	29
PID 1524 wrote to memory of 1184	1524	irsetup.exe	29
PID 1524 wrote to memory of 2488	1524	irsetup.exe	31
PID 1524 wrote to memory of 2488	1524	irsetup.exe	31
PID 1524 wrote to memory of 2488	1524	irsetup.exe	31
PID 1524 wrote to memory of 2488	1524	irsetup.exe	31
PID 1524 wrote to memory of 2488	1524	irsetup.exe	31
PID 1524 wrote to memory of 2488	1524	irsetup.exe	31
PID 1524 wrote to memory of 2488	1524	irsetup.exe	31

C:\Users\Admin\AppData\Local\Temp\Fences5-sd-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Fences5-sd-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1940002 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Fences5-sd-setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2248906074-2862704502-246302768-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    PID:1184
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
40B

MD5
4dcb2cc2e5793086cc2ed4029ef9df03

SHA1
18f49507d35ef839a9a6f99be13c2e2ca9b2b5f5

SHA256
3ed9ecf260ede24d3e0ca05d03edb1fd5f26e6e30f8731eb657f44cf60ca2671

SHA512
75502ef655fd33b69475cd6f51960126ccd4ae02aa9c4dcbdb29e1eeae71d2305a7211d4b19f6902bfdcc5f1ef290af83e2d342cceb25852181a0601bdeace03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\eula.txt

Filesize
22KB

MD5
1345eca97d4afbfce7519c90b5312ab1

SHA1
6bbf9ae942e0e066b9039d8f437ae364a3887b64

SHA256
ee0c0b950573ae14eb006168a7c42b1c2bc1edf9223c9acc560db13bc63900e1

SHA512
8c48526f2aa7b066dbfa15434fd6c1a555544d100cd30c6ea92021a65f21a2a20ea1c0f5cf1f37b3d1cd564f30c4999ce83d269ab729822904102a27cd40795e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\registry_export.txt

Filesize
406B

MD5
7cee57cbef71160b4acdfd692cf923d7

SHA1
dcbaf7657eb5ba82f98457335fa3f54d5e094e79

SHA256
3be0b7c42a33868a33c5e659102d1133b48708f31e9e73424ab9e2167a8df3ac

SHA512
b9a9c889a9638669e7b8d08d9c504e2354338bfde301746dcc2006efb123fdded3897ee363b0a5931da0148e78013238898d890c13fc52e1064ee2f54b6633fb

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
memory/1148-100-0x0000000002D70000-0x0000000003158000-memory.dmp

Filesize
3.9MB

Download
memory/1148-18-0x0000000002D70000-0x0000000003158000-memory.dmp

Filesize
3.9MB

Download
memory/1148-6-0x0000000002D70000-0x0000000003158000-memory.dmp

Filesize
3.9MB

Download
memory/1524-42-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/1524-52-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/1524-40-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/1524-32-0x00000000008F0000-0x0000000000CD8000-memory.dmp

Filesize
3.9MB

Download
memory/1524-79-0x00000000008F0000-0x0000000000CD8000-memory.dmp

Filesize
3.9MB

Download
memory/1524-80-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/1524-101-0x00000000008F0000-0x0000000000CD8000-memory.dmp

Filesize
3.9MB

Download
memory/1524-103-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/1524-107-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/1524-113-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing