| File name: | BarrierSetup-2.4.0-release.exe |
| Full analysis: | https://app.any.run/tasks/3615d376-bf9c-406f-8723-d9aa32b8e86d |
| Verdict: | Malicious activity |
| Analysis date: | December 14, 2023, 00:18:18 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | C48A830D6C2F0B8760A5536F7E8A4167 |
| SHA1: | 6BA5EB836CB77543E02B3F52B5B26F8FBB342F56 |
| SHA256: | 7E66B7B4D13312E607EDD06F8EA38F3C9B09B3E8AEA2B55250C00B25F9892885 |
| SSDEEP: | 196608:W/Uk4wuVqbOxU3Y7m2xlJsul4bP3F+CcgM3hgJer4IcJ:W/U7zV+OEYq2nJn2bP/SMJ |
MALICIOUS
Drops the executable file immediately after the start
- BarrierSetup-2.4.0-release.exe (PID: 1840)
- BarrierSetup-2.4.0-release.exe (PID: 2540)
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
SUSPICIOUS
Reads the Windows owner or organization settings
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
Uses NETSH.EXE to delete a firewall rule or allowed programs
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
Uses NETSH.EXE to add a firewall rule or allowed programs
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
Starts SC.EXE for service management
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
INFO
Create files in a temporary directory
- BarrierSetup-2.4.0-release.exe (PID: 2540)
- BarrierSetup-2.4.0-release.exe (PID: 1840)
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
Checks supported languages
- BarrierSetup-2.4.0-release.exe (PID: 2540)
- BarrierSetup-2.4.0-release.tmp (PID: 3048)
- BarrierSetup-2.4.0-release.exe (PID: 1840)
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
Reads the computer name
- BarrierSetup-2.4.0-release.tmp (PID: 3048)
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
Creates files in the program directory
- BarrierSetup-2.4.0-release.tmp (PID: 1152)
Manual execution by a user
- explorer.exe (PID: 2316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Delphi generic (57.2) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (18.2) |
| .exe | | | Win16/32 Executable Delphi generic (8.3) |
| .exe | | | Generic Win/DOS Executable (8) |
| .exe | | | DOS Executable Generic (8) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:06:14 15:27:46+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 66560 |
| InitializedDataSize: | 170496 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1181c |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.4.0.1 |
| ProductVersionNumber: | 2.4.0.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Debauchee Open Source Group |
| FileDescription: | Barrier Setup |
| FileVersion: | 2.4.0-release |
| LegalCopyright: | Copyright © 2018 Debauchee Open Source Group |
| ProductName: | Barrier |
| ProductVersion: | 2.4.0-release |
Total processes
54
Monitored processes
10
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1152 | "C:\Users\admin\AppData\Local\Temp\is-KURK4.tmp\BarrierSetup-2.4.0-release.tmp" /SL5="$1801F0,8842372,238080,C:\Users\admin\AppData\Local\Temp\BarrierSetup-2.4.0-release.exe" /SPAWNWND=$190194 /NOTIFYWND=$1B0142 | C:\Users\admin\AppData\Local\Temp\is-KURK4.tmp\BarrierSetup-2.4.0-release.tmp | — | BarrierSetup-2.4.0-release.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1840 | "C:\Users\admin\AppData\Local\Temp\BarrierSetup-2.4.0-release.exe" /SPAWNWND=$190194 /NOTIFYWND=$1B0142 | C:\Users\admin\AppData\Local\Temp\BarrierSetup-2.4.0-release.exe | BarrierSetup-2.4.0-release.tmp | ||||||||||||
User: admin Company: Debauchee Open Source Group Integrity Level: HIGH Description: Barrier Setup Exit code: 0 Version: 2.4.0-release Modules
| |||||||||||||||
| 1860 | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Barrier Listener" protocol=TCP dir=in localport=24800 action=allow | C:\Windows\System32\netsh.exe | — | BarrierSetup-2.4.0-release.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2072 | "C:\Windows\system32\sc.exe" description Barrier "Manages the Barrier background processes." | C:\Windows\System32\sc.exe | — | BarrierSetup-2.4.0-release.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2316 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2540 | "C:\Users\admin\AppData\Local\Temp\BarrierSetup-2.4.0-release.exe" | C:\Users\admin\AppData\Local\Temp\BarrierSetup-2.4.0-release.exe | — | explorer.exe | |||||||||||
User: admin Company: Debauchee Open Source Group Integrity Level: MEDIUM Description: Barrier Setup Exit code: 0 Version: 2.4.0-release Modules
| |||||||||||||||
| 2868 | "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Barrier Listener" | C:\Windows\System32\netsh.exe | — | BarrierSetup-2.4.0-release.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3048 | "C:\Users\admin\AppData\Local\Temp\is-QGTTF.tmp\BarrierSetup-2.4.0-release.tmp" /SL5="$1B0142,8842372,238080,C:\Users\admin\AppData\Local\Temp\BarrierSetup-2.4.0-release.exe" | C:\Users\admin\AppData\Local\Temp\is-QGTTF.tmp\BarrierSetup-2.4.0-release.tmp | — | BarrierSetup-2.4.0-release.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3296 | "C:\Windows\system32\sc.exe" start Barrier | C:\Windows\System32\sc.exe | — | BarrierSetup-2.4.0-release.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 216 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3388 | "C:\Windows\system32\sc.exe" create Barrier start= auto binPath= "\"C:\Program Files\Barrier\barrierd.exe\"" | C:\Windows\System32\sc.exe | — | BarrierSetup-2.4.0-release.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 204
Read events
2 110
Write events
88
Delete events
6
Modification events
| (PID) Process: | (2868) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1860) netsh.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (1152) BarrierSetup-2.4.0-release.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: 9197081E97EC5CD5D1D4EAEF20E5BB4779555C752F9E3273C38360230B1E6F44 | |||
| (PID) Process: | (1152) BarrierSetup-2.4.0-release.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFiles0000 |
Value: C:\Program Files\Barrier\barrier.exe | |||
| (PID) Process: | (1152) BarrierSetup-2.4.0-release.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (1152) BarrierSetup-2.4.0-release.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: 382D49016C9A03240FD34193A4BB061A34D3627F98A97D8C6737435C0D43D035 | |||
| (PID) Process: | (1152) BarrierSetup-2.4.0-release.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: 80040000DE57A312232EDA01 | |||
| (PID) Process: | (1152) BarrierSetup-2.4.0-release.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
35
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2540 | BarrierSetup-2.4.0-release.exe | C:\Users\admin\AppData\Local\Temp\is-QGTTF.tmp\BarrierSetup-2.4.0-release.tmp | executable | |
MD5:03CA4EB54523B2FD984868B6E6A62981 | SHA256:38601D613FAB0A07766E6F55ED4682323D651C9A84C9A04851105B6AE5DF20F5 | |||
| 1840 | BarrierSetup-2.4.0-release.exe | C:\Users\admin\AppData\Local\Temp\is-KURK4.tmp\BarrierSetup-2.4.0-release.tmp | executable | |
MD5:03CA4EB54523B2FD984868B6E6A62981 | SHA256:38601D613FAB0A07766E6F55ED4682323D651C9A84C9A04851105B6AE5DF20F5 | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Program Files\Barrier\is-OURL9.tmp | executable | |
MD5:2F3B726B2ACE0D4C666AFC5C92BDEB41 | SHA256:A05C6358FA316947FD8AA6640503C16C9B460BAAE5EAF3AA3EB9EC33A934C434 | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Program Files\Barrier\guiunittests.exe | executable | |
MD5:ABEF9C38DAD04AE77A7DAE1050F93697 | SHA256:8109B30A1B616F695638B8892A0B08D29A0D09C11FA0CE7A560513924A9429CE | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Users\admin\AppData\Local\Temp\is-M766I.tmp\isxdl.dll | executable | |
MD5:48AD1A1C893CE7BF456277A0A085ED01 | SHA256:B0CC4697B2FD1B4163FDDCA2050FC62A9E7D221864F1BD11E739144C90B685B3 | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Program Files\Barrier\is-S8BHL.tmp | executable | |
MD5:D7F9693DAD03062D9B42BC69C0C83A68 | SHA256:939A372E9734283FA31D8BA16EB7BC1699B0CCB085058DE32C50E07961EED07D | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Program Files\Barrier\barrierd.exe | executable | |
MD5:2F3B726B2ACE0D4C666AFC5C92BDEB41 | SHA256:A05C6358FA316947FD8AA6640503C16C9B460BAAE5EAF3AA3EB9EC33A934C434 | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Program Files\Barrier\is-3M5NR.tmp | executable | |
MD5:9CA4566ACBCC843969961FE84633C7C6 | SHA256:FAE540D55AC9E9D2209D78C82F0DCCA71A40A8C01F52853E0F566D91CB7C2A2B | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Program Files\Barrier\integtests.exe | executable | |
MD5:93298E557F44C62BC21C00494FF098BC | SHA256:38713547A3FF90D18C61B850F095C16279A9E93E80B95C11B5F12E8609398103 | |||
| 1152 | BarrierSetup-2.4.0-release.tmp | C:\Program Files\Barrier\is-70O3J.tmp | executable | |
MD5:FCCBAB0101ACB66B44D600DD804F8E72 | SHA256:C8A7C7D5CD839023FD482D069F940B2FEF6350C88E3C3DC356F294EAD328ED58 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |