Windows Analysis Report
Documents.zip

Overview

General Information

Sample name:Documents.zip
Analysis ID:1428208
MD5:889ca52a0d02aae55c2ad5928333bf7a
SHA1:56b37a87421d730cc85d259a9dcadb58209b4b2e
SHA256:0fd4dc92a7affb0e2340b52171b83766b61d1374371af2e83155095bc90f2b50
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Generic Patcher
Machine Learning detection for dropped file
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 2484 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • OpenWith.exe (PID: 3060 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • stardock.fences.3.0.5.x64-patch.exe (PID: 6312 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe" MD5: A83C862CE356CE27AA1BCAD439DE71AC)
  • stardock.fences.3.0.5.x64-patch.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe" MD5: A83C862CE356CE27AA1BCAD439DE71AC)
  • cleanup
Yara matches (dropped files):
Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, Rule: JoeSecurity_GenericPatcher, Description: Yara detected Generic Patcher, Author: Joe Security
Yara matches (memory dumps):
Source: 00000015.00000002.2471795592.000000006FAF3000.00000080.00000001.01000000.0000000A.sdmp, Rule: JoeSecurity_GenericPatcher, Description: Yara detected Generic Patcher, Author: Joe Security
Source: 00000015.00000002.2460753360.0000000001240000.00000004.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_GenericPatcher, Description: Yara detected Generic Patcher, Author: Joe Security
        No Sigma rule has matched
        No Snort rule has matched

        AV Detection

Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll
  Avira: detection malicious, Label: HEUR/AGEN.1323878
  ReversingLabs: Detection: 75%
  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
  File opened: C:\Users\user\AppData\Local\Temp
  File opened: C:\Users\user\AppData\Local
  File opened: C:\Users\user\AppData
  File opened: C:\Users\user
  File opened: C:\Users\user\Desktop\desktop.ini
  File opened: C:\Users\user\Documents\desktop.ini
Source: classification engine
  Classification label: mal68.evad.winZIP@4/2@0/0
Source: C:\Windows\System32\OpenWith.exe
  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
  File created: C:\Users\user\AppData\Local\Temp\dup2patcher.dll
Source: C:\Windows\System32\OpenWith.exe
  File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe
  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown
  Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (2 times)
  Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
  Process created: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe" (2 times)
Source: C:\Windows\System32\OpenWith.exe
  Section loaded: kernel.appcore.dll
  Section loaded: uxtheme.dll
  Section loaded: onecoreuapcommonproxystub.dll
  Section loaded: windows.storage.dll
  Section loaded: wldp.dll
  Section loaded: twinui.dll
  Section loaded: wintypes.dll
  Section loaded: powrprof.dll
  Section loaded: dwmapi.dll
  Section loaded: pdh.dll
  Section loaded: umpdc.dll
  Section loaded: onecorecommonproxystub.dll
  Section loaded: actxprxy.dll
  Section loaded: propsys.dll
  Section loaded: profapi.dll
  Section loaded: windows.staterepositoryps.dll
  Section loaded: windows.ui.appdefaults.dll
  Section loaded: windows.ui.immersive.dll
  Section loaded: ntmarta.dll
  Section loaded: uiautomationcore.dll
  Section loaded: dui70.dll
  Section loaded: duser.dll
  Section loaded: dwrite.dll
  Section loaded: bcp47mrm.dll
  Section loaded: uianimation.dll
  Section loaded: d3d11.dll
  Section loaded: dxgi.dll
  Section loaded: d3d10warp.dll
  Section loaded: resourcepolicyclient.dll
  Section loaded: dxcore.dll
  Section loaded: dcomp.dll
  Section loaded: oleacc.dll
  Section loaded: edputil.dll
  Section loaded: windows.ui.dll
  Section loaded: windowmanagementapi.dll
  Section loaded: textinputframework.dll
  Section loaded: inputhost.dll
  Section loaded: coreuicomponents.dll
  Section loaded: coremessaging.dll
  Section loaded: twinapi.appcore.dll
  Section loaded: coremessaging.dll
  Section loaded: twinapi.appcore.dll
  Section loaded: coremessaging.dll (2 times)
  Section loaded: windowscodecs.dll
  Section loaded: thumbcache.dll
  Section loaded: policymanager.dll
  Section loaded: msvcp110_win.dll
  Section loaded: apphelp.dll
  Section loaded: appresolver.dll
  Section loaded: bcp47langs.dll
  Section loaded: slc.dll
  Section loaded: userenv.dll
  Section loaded: sppc.dll
  Section loaded: tiledatarepository.dll
  Section loaded: staterepository.core.dll
  Section loaded: windows.staterepository.dll
  Section loaded: wtsapi32.dll
  Section loaded: windows.staterepositorycore.dll
  Section loaded: mrmcorer.dll
  Section loaded: appxdeploymentclient.dll
  Section loaded: sxs.dll
  Section loaded: directmanipulation.dll
  Section loaded: textshaping.dll
  Section loaded: ninput.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
  Section loaded: uxtheme.dll
  Section loaded: textshaping.dll
  Section loaded: kernel.appcore.dll
  Section loaded: textinputframework.dll
  Section loaded: coreuicomponents.dll
  Section loaded: coremessaging.dll
  Section loaded: ntmarta.dll
  Section loaded: wintypes.dll (3 times)
  Section loaded: windows.storage.dll
  Section loaded: wldp.dll
  Section loaded: propsys.dll
  Section loaded: profapi.dll
  Section loaded: dui70.dll
  Section loaded: duser.dll
  Section loaded: dwmapi.dll
  Section loaded: edputil.dll
  Section loaded: explorerframe.dll
  Section loaded: windowscodecs.dll
  Section loaded: thumbcache.dll
  Section loaded: dataexchange.dll
  Section loaded: d3d11.dll
  Section loaded: dcomp.dll
  Section loaded: dxgi.dll
  Section loaded: twinapi.appcore.dll
  Section loaded: msftedit.dll
  Section loaded: windows.globalization.dll
  Section loaded: bcp47langs.dll
  Section loaded: bcp47mrm.dll
  Section loaded: globinputhost.dll
  Section loaded: xmllite.dll
  Section loaded: structuredquery.dll
  Section loaded: atlthunk.dll
  Section loaded: windows.staterepositoryps.dll
  Section loaded: windows.fileexplorer.common.dll
  Section loaded: iertutil.dll
  Section loaded: windows.storage.search.dll
  Section loaded: secur32.dll
  Section loaded: sspicli.dll
  Section loaded: samcli.dll
  Section loaded: samlib.dll
  Section loaded: netutils.dll
  Section loaded: linkinfo.dll
  Section loaded: twinapi.dll
  Section loaded: winmm.dll
  Section loaded: apphelp.dll
  Section loaded: networkexplorer.dll
  Section loaded: msftedit.dll
  Section loaded: assignedaccessruntime.dll
  Section loaded: xmllite.dll
  Section loaded: oleacc.dll
  Section loaded: urlmon.dll
  Section loaded: srvcli.dll
Source: C:\Windows\System32\OpenWith.exe
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
  File opened: C:\Windows\SysWOW64\MsftEdit.dll
Source: Documents.zip
  Static file information: File size 13680105 > 1048576
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
  File created (dropped file): C:\Users\user\AppData\Local\Temp\dup2patcher.dll
  File created (dropped file): C:\Users\user\AppData\Local\Temp\C5E3399ED9A072FE864748D49BA96094.dll
Source: C:\Windows\System32\rundll32.exe
  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe
  Process information set: NOOPENFILEERRORBOX (7 times)
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (12 times)
  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dup2patcher.dll
  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\C5E3399ED9A072FE864748D49BA96094.dll
Source: C:\Windows\System32\OpenWith.exe TID: 3792
  Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
  File opened: C:\Users\user\AppData\Local\Temp
  File opened: C:\Users\user\AppData\Local
  File opened: C:\Users\user\AppData
  File opened: C:\Users\user
  File opened: C:\Users\user\Desktop\desktop.ini
  File opened: C:\Users\user\Documents\desktop.ini

        HIPS / PFW / Operating System Protection Evasion

Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, type: DROPPED
Source: Yara match, File source: 00000015.00000002.2471795592.000000006FAF3000.00000080.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.2460753360.0000000001240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\OpenWith.exe
  Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (2 times)
  Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation (2 times)
MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook
Defense Evasion: 1 Virtualization/Sandbox Evasion, 1 Rundll32, 1 Process Injection, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: 1 Security Software Discovery, 1 Virtualization/Sandbox Evasion, 2 File and Directory Discovery, 11 System Information Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction

        No Antivirus matches
Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1323878
Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, Detection: 100%, Scanner: Joe Sandbox ML
Source: C:\Users\user\AppData\Local\Temp\C5E3399ED9A072FE864748D49BA96094.dll, Detection: 0%, Scanner: ReversingLabs
Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, Detection: 76%, Scanner: ReversingLabs, Label: Win32.Trojan.Generic
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        No contacted domains info
        No contacted IP infos
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1428208
        Start date and time:2024-04-18 16:44:41 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:1
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Sample name:Documents.zip
        Detection:MAL
        Classification:mal68.evad.winZIP@4/2@0/0
        Cookbook Comments:
        • Found application associated with file extension: .zip
        • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: Documents.zip
        Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):2560
        Entropy (8bit):2.3834002847708287
        Encrypted:false
        SSDEEP:
        MD5:13249BC6AA781475CDE4A1C90F95EFD4
        SHA1:0D8698BEFD283CA69D87CE44DAD225EF792B06DA
        SHA-256:3922A8C1B0F58B74FC3D89D7EEC3FE5C5B0E8BDA6B36491D2380431DD8E8284A
        SHA-512:AEC8B793C4A1C9789AF70FDAAD3AA473A581585E8B76669D187CABE6C88363BACBED28200DD8F243F9DD50FC8FC27339F0E687341024D466A4D5078C28A768D2
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o.....).m...o...n.......n.....g.....+.n.......n.....(.n...Richo...................PE..L....1RO...........!......................... ...............................P............@..........................!..[... ..<............................@....................................................... .. ............................text............................... ..`.rdata..[.... ......................@..@.data........0......................@....reloc..,....@......................@..B................................................................................................................................................................................................................................................................................................................................................................................
        Process:C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_777680118a9128f5f59b3855ddeb6361b4171722.zip\stardock.fences.3.0.5.x64-patch.exe
        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):391168
        Entropy (8bit):6.2594747501346975
        Encrypted:false
        SSDEEP:
        MD5:86A2F12A950B5F57ACCD8EE868E7CC65
        SHA1:5599C5CC09227C72B2551F60E45FA3B670FA96AB
        SHA-256:CBEF8DF49983B92DC428F4CB970CA4C3F9690774E400A2720BD41B6DEA95229B
        SHA-512:2FAFD10C0CD8EA143E24825AC927619D124E37683922D166CC734C22816BF441D73607DE73CABB9525BA82D2431D7B9D1954A9B9BD28DFC7A1AD8623438D7CCE
        Malicious:true
        Yara Hits:
        • Rule: JoeSecurity_GenericPatcher, Description: Yara detected Generic Patcher, Source: C:\Users\user\AppData\Local\Temp\dup2patcher.dll, Author: Joe Security
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 76%
        Reputation:unknown
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........bd............! ....n#......u....................u......u......u......u.....Rich............................PE..L......P...........!.........Z....... ....................................................@.........................p.......P........0...3...................p..H.......................................................D............................text...J........................... ....rdata..............................@..@.data....W..........................@....rsrc....3...0...4..................@....reloc..Z....p......................@..B................................................................................................................................................................................................................................................................................................................
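The two dropped-file records above list size, 8-bit entropy, an Encrypted flag, the four digests, a "PE32 executable (DLL)" file type and a preview of the MZ/PE header. The Python below is an added example, not Joe Sandbox's code and not taken from the sample, that reproduces those fields for a blob in hand: Shannon entropy in bits per byte, the MD5/SHA-1/SHA-256/SHA-512 digests, and a minimal parse of IMAGE_FILE_HEADER to confirm the i386 machine type and the DLL characteristic. The stub DLL it builds is constructed to resemble the 2,560-byte dropped file (a valid header followed by zero padding, hence low entropy) and is not that file; the 7.0 bits/byte cut-off behind the `high_entropy` flag is an assumption, since the page does not state how Joe Sandbox derives its Encrypted field; all function names are mine.

```python
import hashlib
import math
import struct
from collections import Counter

# PE format constants from winnt.h (real values, not assumptions).
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

# Assumed cut-off for flagging a blob as probably packed or encrypted; the page does
# not document the threshold Joe Sandbox uses for its "Encrypted" field.
HIGH_ENTROPY_CUTOFF = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """The four digests a Joe Sandbox file record lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_header_info(data: bytes) -> dict:
    """Parse just enough of a PE image to classify it: machine type and the DLL flag."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "is_i386": machine == IMAGE_FILE_MACHINE_I386,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": nsect,
        "timestamp": stamp,
    }


def triage(data: bytes) -> dict:
    """Reproduce the record fields: size, entropy, digests, PE classification."""
    ent = shannon_entropy(data)
    result = {"size": len(data), "entropy": round(ent, 4),
              "high_entropy": ent > HIGH_ENTROPY_CUTOFF, **file_hashes(data)}
    try:
        result.update(pe_header_info(data))
    except (ValueError, struct.error):
        # Not a PE (or truncated before the file header): leave the PE fields unset.
        result.update({"is_dll": None, "is_i386": None})
    return result


def build_stub_dll(size: int = 2560) -> bytes:
    """Constructed 32-bit DLL header padded with zeros; not the dropped file from the report."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers directly after the DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 4, 0, 0, 0, 0xE0, chars)
    img = bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr
    return img + b"\0" * (size - len(img))


if __name__ == "__main__":
    for label, blob in (("stub dll", build_stub_dll()),
                        ("uniform bytes", bytes(range(256)) * 10)):
        print(label, triage(blob))
```

Read against the records: a 2,560-byte DLL at 2.38 bits per byte is what a header plus padding looks like, and 391,168 bytes at 6.26 is the normal range for unpacked native code with data and resources; neither approaches the 7+ region that suggests a packed or encrypted payload, which matches Encrypted:false on both. Before treating a local copy as the same artifact, compare `file_hashes()` output with the MD5 and SHA-256 printed in the record.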
        File type:Zip archive data, at least v1.0 to extract, compression method=store
        Entropy (8bit):7.9999867151513575
        TrID:
        • ZIP compressed archive (8000/1) 100.00%
        File name:Documents.zip
        File size:13'680'105 bytes
        MD5:889ca52a0d02aae55c2ad5928333bf7a
        SHA1:56b37a87421d730cc85d259a9dcadb58209b4b2e
        SHA256:0fd4dc92a7affb0e2340b52171b83766b61d1374371af2e83155095bc90f2b50
        SHA512:deb9a4ff8b21f0137c6817a38710698306853d8fbee0f3b22bbb863000bd677853ab115318fd8da4bb125b67ed14ed76d7ea8084d02ec8491d814e87780800a9
        SSDEEP:393216:rAxnrz0n24YXjPCcTabQnsUV13Jqd+tUMgaUXjVuB7MTjUZMy:ranX748Dns013JqUtUMgaURuUin
        TLSH:41D633D8B34937F2A53E8A26FF11271315A545A0F83A5DD6BB62589BFE0B81F0C73901
        File Content Preview:PK.........|.Xi.HL1...1...<...MDE_File_Sample_5a1a1e6cc30fa7274f0635f7b54dc4f186da280b.zipPK.........t.X.'+.W...K.....$.Stardock_Fences_v4.21.7z.. .........)^V2....(^V2....#^V2.......\g.:.Z@...sK...+Cz_.../.R...7gsc..cK.........n8.[d0&.....U..Y-...&7..+..
        Icon Hash:1c1c1e4e4ececedc
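The sample record is worth a second look: the archive uses compression method=store, is reported as not encrypted, and yet its entropy is 7.99999, and the content preview shows the stored entries are themselves archives (an MDE_File_Sample_...zip and Stardock_Fences_v4.21.7z). Already-compressed payloads stored without further compression look like random bytes, so entropy alone cannot distinguish this layout from an encrypted archive; the encryption flag in each entry's header can, and the nested containers are what a scanner has to open to reach the patch executable. The Python below is an added example, not Joe Sandbox's code and not the real Documents.zip: it builds a constructed look-alike (a stored outer zip holding a deflated inner zip and a uniform-byte blob named like the .7z) and inspects it with the standard zipfile module. The nested-archive suffix list and all function names are my own assumptions.

```python
import io
import zipfile

# General-purpose bit 0 of a ZIP entry marks it as encrypted (PKWARE APPNOTE, section 4.4.4).
ZIP_FLAG_ENCRYPTED = 0x0001
# Extensions treated as "another container the scanner must open"; an assumed list.
NESTED_ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar", ".iso", ".img", ".cab", ".gz", ".tar")


def build_nested_sample() -> bytes:
    """Constructed stand-in for Documents.zip: an outer zip written with method=store that
    holds an inner deflated zip plus a uniform-byte blob named like the .7z in the preview.
    Neither inner payload is the real content of the sample."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        # Constructed MZ stub, not the real patch executable.
        z.writestr("stardock.fences.3.0.5.x64-patch.exe", b"MZ" + b"\0" * 2000)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as z:
        z.writestr("MDE_File_Sample.zip", inner.getvalue())
        # Every byte value equally often: stands in for already-compressed 7z data.
        z.writestr("Stardock_Fences_v4.21.7z", bytes(range(256)) * 64)
    return outer.getvalue()


def inspect_zip(blob: bytes) -> list:
    """Per-entry facts a scanner needs before deciding whether to recurse."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            rows.append({
                "name": info.filename,
                "stored": info.compress_type == zipfile.ZIP_STORED,
                "encrypted": bool(info.flag_bits & ZIP_FLAG_ENCRYPTED),
                "nested_archive": info.filename.lower().endswith(NESTED_ARCHIVE_SUFFIXES),
                "size": info.file_size,
            })
    return rows


def nested_archives(blob: bytes) -> list:
    """Names of entries that must themselves be opened (one level of recursion)."""
    return [r["name"] for r in inspect_zip(blob) if r["nested_archive"]]


def all_stored(blob: bytes) -> bool:
    """True when every entry uses method=store, as `file` reported for the sample."""
    return all(r["stored"] for r in inspect_zip(blob))


def extract_nested(blob: bytes, name: str) -> bytes:
    """Pull one nested entry out for a second-level scan."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return z.read(name)


if __name__ == "__main__":
    sample = build_nested_sample()
    for row in inspect_zip(sample):
        print(row)
    for name in nested_archives(sample):
        print("recurse into", name, len(extract_nested(sample, name)), "bytes")
```

The practical consequence for detection: a gateway that hashes or entropy-scores only the outer Documents.zip sees an opaque high-entropy blob, while the Yara hit and the AV verdicts in this report only appeared once the sandbox had unpacked the inner zip and run the patch executable. Scanning policy should either recurse into stored nested containers to a fixed depth or treat an unscannable archive-in-archive as suspicious rather than clean.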