c39d5f5fdd0d75d49b077258eebc8b513dddae950f895adbbe9d2238cab42502

General

Target

Stardock Fences v4.19.0/StardockFences v4.19.0 x64/StardockFences v4.19.0 x64.exe
Size

13.1MB
MD5

1859e9321fe3864a9c618e07f88083d8
SHA1

0d4faad7c2fb84ffde884f02431d6d7ac599e0f6
SHA256

924a04a650561cc238b242c04bb3ce941f444b156617a5d2b6c6022028cf9dd4
SHA512

9bb0a5709454ea2f9d2e3a1ab7a3fde565b40bdebbc5085d624f557eb51615802aa7c4382b8d906767f0f03e1c3c4671b8015cf81faaf293bec40833f970e26c
SSDEEP

393216:TAPSiFj6xF2V8x8BERsRGHD+rFvajKhX9:sPSC6xFuC8ORSGDyL

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x0037000000014349-3.dat	upx
behavioral3/memory/2280-18-0x0000000000850000-0x0000000000C38000-memory.dmp	upx
behavioral3/memory/2280-71-0x0000000000850000-0x0000000000C38000-memory.dmp	upx
behavioral3/memory/2280-79-0x0000000000850000-0x0000000000C38000-memory.dmp	upx

Executes dropped EXE 2 IoCs

pid	Process
2280	irsetup.exe
2892	GetMachineSID.exe

Loads dropped DLL 11 IoCs

pid	Process
2008	StardockFences v4.19.0 x64.exe
2008	StardockFences v4.19.0 x64.exe
2008	StardockFences v4.19.0 x64.exe
2008	StardockFences v4.19.0 x64.exe
2280	irsetup.exe
2280	irsetup.exe
2280	irsetup.exe
2280	irsetup.exe
2280	irsetup.exe
2280	irsetup.exe
2280	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2280	irsetup.exe
2280	irsetup.exe
2280	irsetup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2280	2008	StardockFences v4.19.0 x64.exe	28
PID 2008 wrote to memory of 2280	2008	StardockFences v4.19.0 x64.exe	28
PID 2008 wrote to memory of 2280	2008	StardockFences v4.19.0 x64.exe	28
PID 2008 wrote to memory of 2280	2008	StardockFences v4.19.0 x64.exe	28
PID 2008 wrote to memory of 2280	2008	StardockFences v4.19.0 x64.exe	28
PID 2008 wrote to memory of 2280	2008	StardockFences v4.19.0 x64.exe	28
PID 2008 wrote to memory of 2280	2008	StardockFences v4.19.0 x64.exe	28
PID 2280 wrote to memory of 2508	2280	irsetup.exe	29
PID 2280 wrote to memory of 2508	2280	irsetup.exe	29
PID 2280 wrote to memory of 2508	2280	irsetup.exe	29
PID 2280 wrote to memory of 2508	2280	irsetup.exe	29
PID 2280 wrote to memory of 2892	2280	irsetup.exe	31
PID 2280 wrote to memory of 2892	2280	irsetup.exe	31
PID 2280 wrote to memory of 2892	2280	irsetup.exe	31
PID 2280 wrote to memory of 2892	2280	irsetup.exe	31
PID 2280 wrote to memory of 2892	2280	irsetup.exe	31
PID 2280 wrote to memory of 2892	2280	irsetup.exe	31
PID 2280 wrote to memory of 2892	2280	irsetup.exe	31

C:\Users\Admin\AppData\Local\Temp\Stardock Fences v4.19.0\StardockFences v4.19.0 x64\StardockFences v4.19.0 x64.exe
"C:\Users\Admin\AppData\Local\Temp\Stardock Fences v4.19.0\StardockFences v4.19.0 x64\StardockFences v4.19.0 x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1948706 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Stardock Fences v4.19.0\StardockFences v4.19.0 x64\StardockFences v4.19.0 x64.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2737914667-933161113-3798636211-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
40B

MD5
97d86518f98394a87352f7f4ef3eec08

SHA1
93231558534e494cfc0f91cfa713209565fc6f46

SHA256
2727d87dbcb92d4e4e255ac7a6001043d9894faee3e6adf9c7196dd5ff1e4bae

SHA512
2bda915e142251ed409e17ce562f6c0aea6dd58c0a73d44d0459d73a681c85f3b11733cc3f1276f31dd17f437e99fcfe2c4840d5187553618d897d03c59ae2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
memory/2008-14-0x0000000003220000-0x0000000003608000-memory.dmp

Filesize
3.9MB

Download
memory/2008-15-0x0000000003220000-0x0000000003608000-memory.dmp

Filesize
3.9MB

Download
memory/2008-73-0x0000000003220000-0x0000000003608000-memory.dmp

Filesize
3.9MB

Download
memory/2280-41-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2280-52-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2280-42-0x00000000005A0000-0x00000000005A3000-memory.dmp

Filesize
12KB

Download
memory/2280-72-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2280-71-0x0000000000850000-0x0000000000C38000-memory.dmp

Filesize
3.9MB

Download
memory/2280-18-0x0000000000850000-0x0000000000C38000-memory.dmp

Filesize
3.9MB

Download
memory/2280-79-0x0000000000850000-0x0000000000C38000-memory.dmp

Filesize
3.9MB

Download
memory/2280-81-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/2280-82-0x0000000002410000-0x0000000002420000-memory.dmp

Filesize
64KB

Download
memory/2280-92-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing