WindowBlinds-sd-setup.exe
This report is generated from a file or URL submitted to this webservice on October 14th 2017 06:13:26 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - POSTs files to a webserver
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 1 domain and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 5
External Systems
Detected Emerging Threats Alert
- details
- Detected alert "ETPRO USER_AGENTS Suspicious User-Agent Setup Agent - Likely Malware" (SID: 2802841, Rev: 3, Severity: 1) categorized as "A Network Trojan was detected"
- source
- Suricata Alerts
- relevance
- 10/10
Sample was identified as malicious by at least one Antivirus engine
- details
- 2/65 Antivirus vendors marked sample as malicious (3% detection rate)
- source
- External System
- relevance
- 8/10
General
The analysis extracted a file that was identified as malicious
- details
- 2/88 Antivirus vendors marked dropped file "SetACL.exe" as malicious (classified as "W32.Agent" with 2% detection rate)
- source
- Binary File
- relevance
- 10/10
Installation/Persistence
Writes data to a remote process
- details
- "<Input Sample>" wrote 1500 bytes to a remote process "%TEMP%\_ir_sf_temp_0\irsetup.exe" (Handle: 336)
- "<Input Sample>" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" (Handle: 336)
- "<Input Sample>" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" (Handle: 336)
- "<Input Sample>" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" (Handle: 336)
- "irsetup.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" (Handle: 828)
- "irsetup.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" (Handle: 828)
- "irsetup.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" (Handle: 828)
- "irsetup.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" (Handle: 828)
- "irsetup.exe" wrote 32 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 660)
- "irsetup.exe" wrote 52 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 660)
- "irsetup.exe" wrote 4 bytes to a remote process "C:\Windows\System32\reg.exe" (Handle: 660)
- source
- API Call
- relevance
- 6/10
Network Related
Malicious artifacts seen in the context of a contacted host
- details
- Found malicious artifacts related to "74.204.71.147" (ASN: , Owner: ): ...
- URL: http://install.api.stardock.net/installer/Initialize/?format=xml (AV positives: 1/64 scanned on 09/14/2017 13:59:00)
- URL: http://install.api.stardock.net/installer/Initialize/ (AV positives: 1/65 scanned on 08/24/2017 21:10:25)
- URL: http://install.api.stardock.net/installer/Initialize/?format=xml Pattern (AV positives: 1/65 scanned on 06/23/2017 16:33:03)
- URL: http://install.api.stardock.net/ (AV positives: 1/60 scanned on 10/29/2014 01:21:00)
- source
- Network Traffic
- relevance
- 10/10
Suspicious Indicators 22
Anti-Detection/Stealthiness
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "irsetup.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
- Sections "UPX1", ".text", ".text" with unusual entropies 7.93159507769, 7.99502188553, 7.99932477779
- source
- Static Parser
- relevance
- 10/10
-
PE file is packed with UPX
- details
- "irsetup.exe" has a section named "UPX0"
- "irsetup.exe" has a section named "UPX1"
- source
- Static Parser
- relevance
- 10/10
Cryptographic Related
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "lua5.1.dll.2902998933")
- source
- File/Memory
- relevance
- 10/10
Environment Awareness
Reads the active computer name
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- "irsetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- "GetMachineSID.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
Reads the cryptographic machine GUID
- details
- "irsetup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
External Systems
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/64 reputation engines marked "http://www.stardock.com" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
General
Opened the service control manager
- details
- "<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- "irsetup.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
POSTs files to a webserver
- details
- "POST /installer/Initialize/?format=xml HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Setup Factory 8.0
  Host: install.api.stardock.net
  Content-Length: 151
  Connection: Keep-Alive
  Cache-Control: no-cache" with no payload
- "POST /installer/SaveInstallStats/?format=xml HTTP/1.1
  Accept: */*
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Setup Factory 8.0
  Host: install.api.stardock.net
  Content-Length: 75
  Connection: Keep-Alive
  Cache-Control: no-cache" with no payload
- source
- Network Traffic
- relevance
- 5/10
Requested access to a system service
- details
- "<Input Sample>" called "OpenService" to access the "PcaSvc" service
- "irsetup.exe" called "OpenService" to access the "Sens" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
- "irsetup.exe" called "OpenService" to access the "rasman" service
- "irsetup.exe" called "OpenService" to access the "RASMAN" service
- "irsetup.exe" called "OpenService" to access the "PcaSvc" service
- source
- API Call
- relevance
- 10/10
Installation/Persistence
Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "%TEMP%\_ir_sf_temp_0\irsetup.exe", Handle: 336)
- "irsetup.exe" is creating a new process (Name: "%TEMP%\_ir_sf_temp_0\GetMachineSID.exe", Handle: 828)
- "irsetup.exe" is creating a new process (Name: "%WINDIR%\System32\reg.exe", Handle: 660)
- source
- API Call
- relevance
- 8/10
Drops executable files
- details
- "lua5.1.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "GetMachineSID.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
- "SetACL.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
- "irsetup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed"
- "Wow64.lmd" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
- "Unicode.lmd" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
- source
- Binary File
- relevance
- 10/10
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "<Input Sample>" opened "MountPointManager"
- "irsetup.exe" opened "MountPointManager"
- source
- API Call
- relevance
- 5/10
Network Related
Found potential IP address in binary/memory
- details
- Heuristic match: "[10/14/2017 06:14:26] NoticeSetup engine version: 9.5.1.0"
- source
- File/Memory
- relevance
- 3/10
System Security
Modifies proxy settings
- details
- "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "irsetup.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "irsetup.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "irsetup.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
- "irsetup.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
- "irsetup.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
- source
- Registry Access
- relevance
- 10/10
Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- "irsetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
Unusual Characteristics
CRC value set in PE header does not match actual value
- details
- "GetMachineSID.exe" claimed CRC 75068 while the actual is CRC 346938
- "SetACL.exe" claimed CRC 454140 while the actual is CRC 75068
- "irsetup.exe" claimed CRC 1409459 while the actual is CRC 454140
- "Wow64.lmd" claimed CRC 144036 while the actual is CRC 1409459
- "Unicode.lmd" claimed CRC 356435 while the actual is CRC 144036
- source
- Static Parser
- relevance
- 10/10
Entrypoint in PE header is within an uncommon section
- details
- "irsetup.exe" has an entrypoint in section "UPX1"
- source
- Static Parser
- relevance
- 10/10
Imports suspicious APIs
- details
- GetFileAttributesA, WriteFile, IsDebuggerPresent, GetModuleFileNameA, UnhandledExceptionFilter, GetModuleHandleA, TerminateProcess, GetTickCount, LoadLibraryA, GetStartupInfoA, DeleteFileA, GetProcAddress, CreateFileA, GetCommandLineA, GetModuleHandleW, CreateProcessA, Sleep, VirtualAlloc, LookupAccountNameA, GetModuleFileNameW, GetCommandLineW, GetStartupInfoW, LoadLibraryW, GetComputerNameA, CreateFileW, RegCreateKeyExW, RegCloseKey, SetSecurityDescriptorDacl, OpenProcessToken, RegOpenKeyExW, LookupAccountNameW, RegEnumKeyExW, GetFileAttributesW, LoadLibraryExW, CreateThread, GetVersionExW, CreateDirectoryW, DeleteFileW, GetComputerNameW, GetFileSizeEx, FindNextFileW, FindFirstFileW, LockResource, FindResourceW, GetUserNameExW, VirtualProtect, URLDownloadToFileA, ShellExecuteA
- source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
- "irsetup.exe" wrote bytes "c4ca6b7580bb6b75aa6e6c759fbb6b7508bb6b7546ce6b7561386c75de2f6c75d0d96b75000000001779b7764f91b7767f6fb776f4f7b77611f7b776f283b776857eb77600000000" to virtual address "0x6A7F1000" (part of module "MSIMG32.DLL")
- "irsetup.exe" wrote bytes "92e6227779a82777be722777d62d27771de2227705a22777bee32277616f2777684125770050257700000000ad3738778b2d3877b641387700000000" to virtual address "0x74871000" (part of module "WSHTCPIP.DLL")
- "irsetup.exe" wrote bytes "4053257758582677186a2677653c27770000000000bf6b750000000056cc6b75000000007cca6b750000000037683f756a2c2777d62d27770000000020693f750000000029a66b7500000000a48d3f7500000000f70e6b7500000000" to virtual address "0x77411000" (part of module "NSI.DLL")
- "irsetup.exe" wrote bytes "7739237779a82777be722777d62d27771de2227705a22777c868267757d12d77bee32277616f2777684125770050257700000000ad3738778b2d3877b641387700000000" to virtual address "0x74DA1000" (part of module "WSHIP6.DLL")
- "reg.exe" wrote bytes "4053257758582677186a2677653c27770000000000bf6b750000000056cc6b75000000007cca6b750000000037683f756a2c2777d62d27770000000020693f750000000029a66b7500000000a48d3f7500000000f70e6b7500000000" to virtual address "0x77411000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
Reads information about supported languages
- details
- "irsetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Hiding 1 Suspicious Indicators
Informative 19
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll
- SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
PE file contains zero-size sections
- details
- Raw size of "UPX0" is zero
- source
- Static Parser
- relevance
- 10/10
Environment Awareness
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.dll
- GetSystemTimeAsFileTime@KERNEL32.dll
- GetSystemTimeAsFileTime@KERNEL32.dll
- GetLocalTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the machine timezone
- details
- GetTimeZoneInformation@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Contains ability to query the system locale
- details
- EnumSystemLocalesA@KERNEL32.dll
- EnumSystemLocalesA@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Reads the registry for installed applications
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IRSETUP.EXE")
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IRSETUP.EXE")
- "irsetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REG.EXE")
- "irsetup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REG.EXE")
- "irsetup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\GETMACHINESID.EXE")
- "irsetup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\GETMACHINESID.EXE")
- source
- Registry Access
- relevance
- 10/10
General
Contacts domains
- details
- "install.api.stardock.net"
- source
- Network Traffic
- relevance
- 1/10
Contacts server
- details
- "74.204.71.147:80"
- source
- Network Traffic
- relevance
- 1/10
Contains PDB pathways
- details
- "c:\code\2011\GetSID\Release\GetSID.pdb"
- "D:\Daten\Helge\Programmierung\SetACL3\Source\SetACL.exe\Win32\Release\SetACL.pdb"
- source
- File/Memory
- relevance
- 1/10
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\_ir_sf_temp_0\irsetup.exe"
- "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\IRIMG2.JPG"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\SetACL.exe"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\eula.txt"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\Unicode.lmd"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\WindowBlinds Setup Log.txt"
- "irsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\sdWebResults.xml"
- "GetMachineSID.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- "Local\ZonesCounterMutex"
- "Local\ZoneAttributeCacheCounterMutex"
- "Local\ZonesCacheCounterMutex"
- "Local\ZonesLockedCacheCounterMutex"
- "Local\WininetProxyRegistryMutex"
- "Local\_!MSFTHISTORY!_"
- "Local\!IETld!Mutex"
- "Local\c:!users!rdyucj4!appdata!roaming!microsoft!windows!cookies!"
- source
- Created Mutant
- relevance
- 3/10
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "lua5.1.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "GetMachineSID.exe" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "irsetup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed")
- Antivirus vendors marked dropped file "Wow64.lmd" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed")
- Antivirus vendors marked dropped file "Unicode.lmd" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed")
- source
- Binary File
- relevance
- 10/10
Scanning for window names
- details
- "irsetup.exe" searching for class "MS_WINHELP"
- source
- API Call
- relevance
- 10/10
Spawns new processes
- details
- Spawned process "irsetup.exe" with commandline "__IRAOFF:1870786 "__IRAFN:C:\0e31107ed4c8d449ea5415a20ea1645bf612c5f6b5370d7a5a185bb83a401f32.exe" "__IRCT:3" "__IRTSS:56774713" "__IRSID:S-1-5-21-4162757579-3804539371-4239455898-1000""
- Spawned process "GetMachineSID.exe" with commandline "%TEMP%\_ir_sf_temp_0\GetMachineSID.tmp"
- Spawned process "reg.exe" with commandline "export HKLM\Software\Stardock %TEMP%\registry_export.txt /y"
- source
- Monitored Target
- relevance
- 3/10
Installation/Persistence
Dropped files
- details
- "lua5.1.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "GetMachineSID.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
- "SetACL.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
- "irsetup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows UPX compressed"
- "Wow64.lmd" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
- "IRIMG2.JPG" has type "JPEG image data JFIF standard 1.02 resolution (DPI) density 72x72 segment length 16 Exif Standard: [TIFF image data big-endian direntries=7 orientation=upper-left xresolution=98 yresolution=106 resolutionunit=2 software=Adobe Photoshop CS2 Windows datetime=2008:07:08 14:20:15] baseline precision 8 166x312 frames 3"
- "eula.txt" has type "ISO-8859 text with very long lines with CRLF line terminators"
- "Unicode.lmd" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
- "WindowBlinds Setup Log.txt" has type "ASCII text with CRLF line terminators"
- "irsetup.dat" has type "data"
- "IRIMG1.JPG" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 72x72 segment length 16 baseline precision 8 497x63 frames 3"
- "sdWebResults.xml" has type "ASCII text with very long lines with no line terminators"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
- "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\sortdefault.nls"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
- "<Input Sample>" touched file "C:\Windows\system32\en-US\PROPSYS.dll.mui"
- "<Input Sample>" touched file "C:\Windows\system32\en-US\SETUPAPI.dll.mui"
- "<Input Sample>" touched file "C:\Windows\AppPatch\pcamain.sdb"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
- "<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini"
- "<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini"
- "<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
- "irsetup.exe" touched file "C:\Windows\system32\OLEACCRC.DLL"
- "irsetup.exe" touched file "C:\Windows\system32\tzres.dll"
- "irsetup.exe" touched file "C:\Windows\system32\en-US\tzres.dll.mui"
- "irsetup.exe" touched file "C:\Windows\Globalization\Sorting\sortdefault.nls"
- "irsetup.exe" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- source
- File/Memory
- relevance
- 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "lua5.1.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
- "GetMachineSID.exe" was detected as "VC8 -> Microsoft Corporation"
- "SetACL.exe" was detected as "VC8 -> Microsoft Corporation"
- "irsetup.exe" was detected as "UPX v1.25 (Delphi) Stub"
- "Wow64.lmd" was detected as "PeCompact 2.53 DLL --> BitSum Technologies"
- "Unicode.lmd" was detected as "PeCompact 2.53 DLL --> BitSum Technologies"
- source
- Static Parser
- relevance
- 10/10
File Details
WindowBlinds-sd-setup.exe
- Filename
- WindowBlinds-sd-setup.exe
- Size
- 54MiB (56781792 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 0e31107ed4c8d449ea5415a20ea1645bf612c5f6b5370d7a5a185bb83a401f32
- MD5
- 0ec3f9797a5ff246d01b0b5fa0023989
- SHA1
- 89ea2de683b149bea1ebca1d7769f58c1cb43d3c
Classification (TrID)
- 75.7% (.EXE) Win32 EXE Yoda's Crypter
- 12.8% (.EXE) Win32 Executable (generic)
- 5.7% (.EXE) Generic Win/DOS Executable
- 5.7% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
Hybrid Analysis
Analysed 4 processes in total.
- Input Sample (PID: 2772), AV result 2/65
  - irsetup.exe __IRAOFF:1870786 "__IRAFN:C:\0e31107ed4c8d449ea5415a20ea1645bf612c5f6b5370d7a5a185bb83a401f32.exe" "__IRCT:3" "__IRTSS:56774713" "__IRSID:S-1-5-21-4162757579-3804539371-4239455898-1000" (PID: 2880)
    - GetMachineSID.exe %TEMP%\_ir_sf_temp_0\GetMachineSID.tmp (PID: 3404)
    - reg.exe export HKLM\Software\Stardock %TEMP%\registry_export.txt /y (PID: 3400)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
install.api.stardock.net | 74.204.71.147 | GODADDY.COM, LLC (Organization: Stardock Corporation; Name Server: NS-1040.AWSDNS-02.ORG; Creation Date: Wed, 25 Jun 1997 00:00:00 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
74.204.71.147 | 80/TCP | irsetup.exe (PID: 2880) | United States |
HTTP Traffic
Endpoint | Request | URL | Status |
---|---|---|---|
74.204.71.147:80 (install.api.stardock.net) | POST | install.api.stardock.net/installer/Initialize/?format=xml | 200 OK |
74.204.71.147:80 (install.api.stardock.net) | POST | install.api.stardock.net/installer/SaveInstallStats/?format=xml | 200 OK |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 74.204.71.147:80 (TCP) | A Network Trojan was detected | ETPRO USER_AGENTS Suspicious User-Agent Setup Agent - Likely Malware | 2802841 |
local -> 74.204.71.147:80 (TCP) | A Network Trojan was detected | ETPRO USER_AGENTS Suspicious User-Agent Setup Agent - Likely Malware | 2802841 |
Extracted Files
Malicious 1
SetACL.exe
- Size
- 443KiB (454056 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "W32.Agent" (2/88)
- Runtime Process
- irsetup.exe (PID: 2880)
- MD5
- 451ae03d3c92777f09840ca56f08ab62
- SHA1
- 328d049da1814cfe7d1c7783691304577854482f
- SHA256
- d5e779d151772504662e8226eb4107330ffa7a51209eee42b6d5883d99100ba9
Clean 5
GetMachineSID.exe
- Size
- 58KiB (59472 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/79
- Runtime Process
- irsetup.exe (PID: 2880)
- MD5
- 55bbf335f75f2a2fe0a5daf603964d41
- SHA1
- f1b9686e8a9f10682722fc5e08c02c016b597804
- SHA256
- 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43
-
Unicode.lmd
- Size
- 344KiB (351880 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
- AV Scan Result
- 0/77
- Runtime Process
- irsetup.exe (PID: 2880)
- MD5
- 513c279740c287dec3508ae26d7916c0
- SHA1
- cafe05c4d5528d6fb51d94a33307d1e2cc5a9bf6
- SHA256
- a285299f207a0093158c05d46996b880032a9b11fb456ce78bba18988be9b14a
-
Wow64.lmd
- Size
- 98KiB (99976 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
- AV Scan Result
- 0/77
- Runtime Process
- irsetup.exe (PID: 2880)
- MD5
- d5c82eaca74946caf9034dd825b6a74f
- SHA1
- 8dc6f303a101d6d2bce71c1ff5d356acb1728738
- SHA256
- 22bcf60a0600926518fc9b82e9a1066df74b8c3afe9655ca2090a3122462f2bc
-
irsetup.exe
- Size
- 1.3MiB (1396128 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
- AV Scan Result
- 0/66
- Runtime Process
- irsetup.exe (PID: 2880)
- MD5
- 973cc3ccf641e286bd54adc320c312cf
- SHA1
- 684a297dda265a234bb106cdffe7025ee3461890
- SHA256
- 4c8383fba364c98029cecc1f2df511ef3a0fc007d92cb935d424984e7c0c8f74
-
lua5.1.dll
- Size
- 327KiB (334840 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- irsetup.exe (PID: 2880)
- MD5
- 05ceb6d2e88a896d6ada0ab3f0dc40aa
- SHA1
- 2b62cc437f5b3268acb3f569b43fd6c0a08e4e47
- SHA256
- b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a
-
-
Informative 6
WindowBlinds Setup Log.txt
- Size: 2.7KiB (2767 bytes)
- Type: text
- Description: ASCII text, with CRLF line terminators
- Runtime Process: irsetup.exe (PID: 2880)
- MD5: 807a214427355caa9303680ab032e141
- SHA1: 9919808f477f088e2482e7134aeadc9813c75d85
- SHA256: f01e558dddd72569b688d3a706c548c09962d060fe1a34168d682856b0794a69
IRIMG1.JPG
- Size: 2.3KiB (2362 bytes)
- Type: img image
- Description: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 497x63, frames 3
- Runtime Process: irsetup.exe (PID: 2880)
- MD5: 3220a6aefb4fc719cc8849f060859169
- SHA1: 85f624debcefd45fdfdf559ac2510a7d1501b412
- SHA256: 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
IRIMG2.JPG
- Size: 28KiB (29054 bytes)
- Type: img image
- Description: JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, frames 3
- Runtime Process: irsetup.exe (PID: 2880)
- MD5: ac40ded6736e08664f2d86a65c47ef60
- SHA1: c352715bbf5ae6c93eeb30df2c01b6f44faedaaa
- SHA256: f35985fe1e46a767be7dcea35f8614e1edd60c523442e6c2c2397d1e23dbd3ea
eula.txt
- Size: 11KiB (10896 bytes)
- Type: text
- Description: ISO-8859 text, with very long lines, with CRLF line terminators
- Runtime Process: irsetup.exe (PID: 2880)
- MD5: 7980fa314300da861b7ffece06f03ef8
- SHA1: eb54317df71b84003bc2a186f3b59dd1a2325685
- SHA256: a3d2b9c1082ea60e69fcfac6074e405110acb2a8cf2ca6a95426f5f4e2ad025a
irsetup.dat
- Size: 2MiB (2140088 bytes)
- Type: html
- Runtime Process: irsetup.exe (PID: 2880)
- MD5: 744afa5e3f6f308b177be889ec5e9b23
- SHA1: b0f5ff6fa2fb6293f202d7dcf23c71d0bc347768
- SHA256: b271b9f1818537d264a1bf06300cc57877ca8e65743a76821fddaa44b188df4f
sdWebResults.xml
- Size: 400B (400 bytes)
- Type: text
- Description: ASCII text, with very long lines, with no line terminators
- Runtime Process: irsetup.exe (PID: 2880)
- MD5: 25ef8c52b90967b56f2e1f7aa2ec78e3
- SHA1: 66f3a3de3d57cd6c4bc396cd4ae2800dd007e986
- SHA256: a65e745f0686d22645bd25b673a0a4027df91674665b6783fc054635c2497c2c
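The hashes above are the useful output of this report: they let you confirm whether the files an installer dropped on a real host are the same ones the sandbox saw, matched by content rather than by name. The script below is an added example, not part of the Hybrid Analysis report: it carries the eleven SHA256 values from the Extracted Files section, hashes every file under a directory, and reports which report entry each file corresponds to together with the report's AV verdict. Keep the verdict in view when reading a hit: the only entry the report calls malicious, SetACL.exe, carries a generic "W32.Agent" label at 2/88, so a match confirms identity, not maliciousness. The `self_check` helper writes a constructed three-byte file into a temporary directory so the code runs offline; nothing in that directory is expected to match the report.

```python
"""Match files on disk against the extracted-file hashes from a sandbox report."""
import hashlib
import os
import tempfile

# SHA256 values copied from the report's Extracted Files section.
REPORT_IOCS = {
    "d5e779d151772504662e8226eb4107330ffa7a51209eee42b6d5883d99100ba9":
        {"name": "SetACL.exe", "av": 'Labeled as "W32.Agent" (2/88)'},
    "723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43":
        {"name": "GetMachineSID.exe", "av": "0/79"},
    "a285299f207a0093158c05d46996b880032a9b11fb456ce78bba18988be9b14a":
        {"name": "Unicode.lmd", "av": "0/77"},
    "22bcf60a0600926518fc9b82e9a1066df74b8c3afe9655ca2090a3122462f2bc":
        {"name": "Wow64.lmd", "av": "0/77"},
    "4c8383fba364c98029cecc1f2df511ef3a0fc007d92cb935d424984e7c0c8f74":
        {"name": "irsetup.exe", "av": "0/66"},
    "b574d89422afcaae5446d8fd88d3b7cb48d608cf5411db761916b35c9999b41a":
        {"name": "lua5.1.dll", "av": "0/89"},
    "f01e558dddd72569b688d3a706c548c09962d060fe1a34168d682856b0794a69":
        {"name": "WindowBlinds Setup Log.txt", "av": "informative"},
    "988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765":
        {"name": "IRIMG1.JPG", "av": "informative"},
    "f35985fe1e46a767be7dcea35f8614e1edd60c523442e6c2c2397d1e23dbd3ea":
        {"name": "IRIMG2.JPG", "av": "informative"},
    "a3d2b9c1082ea60e69fcfac6074e405110acb2a8cf2ca6a95426f5f4e2ad025a":
        {"name": "eula.txt", "av": "informative"},
    "b271b9f1818537d264a1bf06300cc57877ca8e65743a76821fddaa44b188df4f":
        {"name": "irsetup.dat", "av": "informative"},
}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """MD5, SHA1 and SHA256 of a file, read in chunks so large drops are fine."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in (md5, sha1, sha256):
                h.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(root: str, iocs: dict = REPORT_IOCS) -> list:
    """Walk root and return (path, report_name, av_verdict) for every file whose
    SHA256 is in iocs. Matching by digest means a renamed drop is still found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = hash_file(path)["sha256"]
            except OSError:  # unreadable or vanished file: skip, do not abort the sweep
                continue
            entry = iocs.get(digest)
            if entry:
                hits.append((path, entry["name"], entry["av"]))
    return hits


def self_check() -> dict:
    """Constructed input: one file containing b'abc' in a fresh temp directory.
    Returns its hashes, the (empty) hits against the report, and the hits against
    a fabricated IOC table that does contain it."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    path = os.path.join(root, "abc.bin")
    with open(path, "wb") as fh:
        fh.write(b"abc")
    digests = hash_file(path)
    fabricated = {digests["sha256"]: {"name": "demo-entry", "av": "n/a"}}
    return {
        "digests": digests,
        "report_hits": match_iocs(root),
        "fabricated_hits": match_iocs(root, fabricated),
        "path": path,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = self_check() if target is None else {"report_hits": match_iocs(target)}
    for hit in result["report_hits"]:
        print("%s  ->  %s  [%s]" % hit)
    if not result["report_hits"]:
        print("no files matched the report's extracted-file hashes")
```

Run it with a directory argument (for instance the %TEMP%\_ir_sf_temp_0 folder the report names as the process path) to sweep a host; without one it runs the constructed self-check. Name-based matching is deliberately avoided: the whole value of the report's hashes is that they identify the bytes, and the eleven entries here include the installer's benign runtime files, so an unmatched irsetup.exe is as interesting as a matched SetACL.exe.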
Notifications
Runtime
- Added comment to Virus Total report
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)