Edit tour
Windows
Analysis Report
FireDaemon-Pro-x64-5.4.10.exe
Overview
General Information
| Sample name: | FireDaemon-Pro-x64-5.4.10.exe |
| Analysis ID: | 1447776 |
| MD5: | 85bcf18c247619f157bb66c59283bc54 |
| SHA1: | 9ffc8d1af864b73a50f9b95475cb7b53a96ef5e7 |
| SHA256: | 9105a2bfb52b971df10df6b89f26676cdec5c6d43878c7a1e66a77a286b607dd |
| Infos: | |
 | |
Detection
| Score: | 36 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 40% |
Compliance
| Score: | 21 |
| Range: | 0 - 100 |
Signatures
Creates files in alternative data streams (ADS)
Disables event log channels
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Adds / modifies Windows certificates
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables security privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
FireDaemon-Pro-x64-5.4.10.exe (PID: 3724 cmdline: "C:\Users\ user\Deskt op\FireDae mon-Pro-x6 4-5.4.10.e xe" MD5: 85BCF18C247619F157BB66C59283BC54) - FireDaemon-Pro-x64-5.4.10.exe (PID: 6520 cmdline:
"C:\Users\ user\Deskt op\FireDae mon-Pro-x6 4-5.4.10.e xe" /i "C: \Users\use r\AppData\ Roaming\Fi reDaemon T echnologie s Limited\ FireDaemon Pro 5.4.1 0\install\ 9D27617\Fi reDaemon-P ro-x64-5.4 .10.msi" A I_EUIMSI=1 APPDIR="C :\Program Files\Fire Daemon Pro " SHORTCUT DIR="C:\Pr ogramData\ Microsoft\ Windows\St art Menu\P rograms\Fi reDaemon P ro" PRODUC T_TEMPFOLD ER="C:\Use rs\user\Ap pData\Loca l\Temp\Fir eDaemon Pr o-5.4.10" SECONDSEQU ENCE="1" C LIENTPROCE SSID="3724 " AI_MORE_ CMD_LINE=1 MD5: 85BCF18C247619F157BB66C59283BC54)
msiexec.exe (PID: 5852 cmdline: C:\Windows \system32\ msiexec.ex e /V MD5: E5DA170027542E25EDE42FC54C929077) - msiexec.exe (PID: 6196 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 65BC574 2A4D136F24 7A43F6F8A0 9CB61 C MD5: 9D09DC1EDA745A5F87553048E57620CF) 
FireDaemonUI.exe (PID: 6104 cmdline: "C:\Progra m Files\Fi reDaemon P ro\FireDae monUI.exe" MD5: AA20619DD394046CD32E0A2B6FEB0A0E) - FireDaemonUI.exe (PID: 4448 cmdline:
"C:\Progra m Files\Fi reDaemon P ro\FireDae monUI.exe" MD5: AA20619DD394046CD32E0A2B6FEB0A0E) 
chrome.exe (PID: 6520 cmdline: "C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t https:// www.fireda emon.com/d ownload-fi redaemon-p ro MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 3716 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2284 --fi eld-trial- handle=221 2,i,158671 4833246951 182,130306 9591673116 5331,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - msiexec.exe (PID: 6148 cmdline:
C:\Windows \System32\ MsiExec.ex e -Embeddi ng 911D350 BE57E64866 022B62F36B BA82C C MD5: E5DA170027542E25EDE42FC54C929077) - msiexec.exe (PID: 2300 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 4FDFDF4 7CA384F24D 6EDC9B370A 17B58 MD5: 9D09DC1EDA745A5F87553048E57620CF) - msiexec.exe (PID: 6644 cmdline:
C:\Windows \System32\ MsiExec.ex e -Embeddi ng F00D2CF A17B3A1B81 3951E4AFEA 3B618 MD5: E5DA170027542E25EDE42FC54C929077) 
MSI4A8B.tmp (PID: 3692 cmdline: "C:\Window s\Installe r\MSI4A8B. tmp" /Enfo rcedRunAsA dmin /RunA sAdmin /Hi deWindow / dir "C:\Pr ogram File s\FireDaem on Pro\" w evtutil.ex e im "C:\U sers\user\ AppData\Lo cal\Temp\F ireDaemon Pro-5.4.10 \CoreETW.m an" /rf:"C :\Program Files\Fire Daemon Pro \Core.dll" /mf:"C:\P rogram Fil es\FireDae mon Pro\Co re.dll" MD5: BD4301EC1A62A6117C9830E9781A72C4) - wevtutil.exe (PID: 4688 cmdline:
"C:\Window s\System32 \wevtutil. exe" im "C :\Users\us er\AppData \Local\Tem p\FireDaem on Pro-5.4 .10\CoreET W.man" /rf :"C:\Progr am Files\F ireDaemon Pro\Core.d ll" /mf:"C :\Program Files\Fire Daemon Pro \Core.dll" MD5: 1AAE26BD68B911D0420626A27070EB8D) 
conhost.exe (PID: 3748 cmdline: C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - msiexec.exe (PID: 1272 cmdline:
C:\Windows \syswow64\ MsiExec.ex e -Embeddi ng 8A88BC2 85C82FC453 C4ED127C82 769C1 E Gl obal\MSI00 00 MD5: 9D09DC1EDA745A5F87553048E57620CF) - msiexec.exe (PID: 7152 cmdline:
C:\Windows \System32\ MsiExec.ex e -Embeddi ng 2C93263 EC56A61C42 6AD4BBB3DB BF379 E Gl obal\MSI00 00 MD5: E5DA170027542E25EDE42FC54C929077) - FireDaemonCLI.exe (PID: 2292 cmdline:
"C:\Progra m Files\Fi reDaemon P ro\FireDae monCLI.exe " control- all start- automatic MD5: 25300A4371287862B1B6F5CE5EEB7040) - conhost.exe (PID: 6384 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
Click to jump to signature section
Show All Signature Results
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
Compliance |   |
|---|
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | EXE: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | Jump to behavior | ||
| Source: | Directory created: | |||
| Source: | Directory created: | |||
| Source: | Directory created: | |||
| Source: | Registry value created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | Jump to behavior | ||
| Source: | File opened: | |||
| Source: | File opened: | Jump to behavior | ||
| Source: | TCP traffic: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | IP Address: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | JA3 fingerprint: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | TCP traffic detected without corresponding DNS query: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||
| Source: | HTTP traffic detected: | ||