Overview

overview

10

Static

static

5

stardock_i...32.exe

windows7_x64

10

stardock_i...32.exe

windows10-2004_x64

10

stardock_i...ta.exe

windows7_x64

1

stardock_i...ta.exe

windows10-2004_x64

1

stardock_i...a0.exe

windows7_x64

1

stardock_i...a0.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    164s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    stardock_iconpackager_5.10/Stardock IconPackager 5.10.032.exe

  • Size

    974KB

  • MD5

    f6cd9278cb1f9fa3eb2709ef6b6f782f

  • SHA1

    a69f07dc811c518c8165cf675b9db23461bafbb6

  • SHA256

    af380b244306d5b1b4354f267647655e885b12506fd288ed68121aae2951217b

  • SHA512

    01e64d742a8407a31abedde452c388c2b4fb53cbcffb141712f0ac84bf99a339acf5b6778b197db53f8acc18d2bb85c50c0c8d190be877623291c0f42dc45efe

Score
10/10
rmsevasionpersistencerattrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

    evasion
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies WinLogon 2 TTPs 6 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe
    "C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Stardock IconPackager 5.10.032.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin
      C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\data0.bin -ptoptorrent
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\ProgramData\Setup\update.exe
        "C:\ProgramData\Setup\update.exe"
        3⤵
        • Executes dropped EXE
        • Modifies WinLogon
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\ProgramData\Microsoft\Intel\wini.exe
          C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4580
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4084
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4836
              • C:\Windows\SysWOW64\regedit.exe
                regedit /s "reg1.reg"
                7⤵
                • Runs .reg file with regedit
                PID:4484
              • C:\Windows\SysWOW64\regedit.exe
                regedit /s "reg2.reg"
                7⤵
                • Runs .reg file with regedit
                PID:3256
          • C:\ProgramData\Windows\winit.exe
            "C:\ProgramData\Windows\winit.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2412
        • C:\programdata\install\cheat.exe
          C:\programdata\install\cheat.exe -pnaxui
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:308
    • C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe
      C:\Users\Admin\AppData\Local\Temp\stardock_iconpackager_5.10\Repack.exe
      2⤵
        PID:4592

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Microsoft\Intel\wini.exe
      Filesize

      3.1MB

      MD5

      770fff853bc5b785524a5033d56994a9

      SHA1

      ab29b77554a893ec151093e75cc849bde4c40a44

      SHA256

      74c957325eeb381da0091487502854be1cd87ce9aefa326c6fc927c11d248f59

      SHA512

      7de03fa2e38e8e9e7df3e86528c0a187a13c80cacf646c13d0aaef7b4a41b4e729044bd99db31cdfad0e2f2e83dd5c742ab7979d10fab43835bdeaf90f0203fc

      Download Submit

    • C:\ProgramData\Microsoft\Intel\wini.exe
      Filesize

      3.1MB

      MD5

      770fff853bc5b785524a5033d56994a9

      SHA1

      ab29b77554a893ec151093e75cc849bde4c40a44

      SHA256

      74c957325eeb381da0091487502854be1cd87ce9aefa326c6fc927c11d248f59

      SHA512

      7de03fa2e38e8e9e7df3e86528c0a187a13c80cacf646c13d0aaef7b4a41b4e729044bd99db31cdfad0e2f2e83dd5c742ab7979d10fab43835bdeaf90f0203fc

      Download Submit

    • C:\ProgramData\Setup\update.exe
      Filesize

      12.0MB

      MD5

      3e42af7f6db601b213d561875d372eef

      SHA1

      b8ae5b12ecead1b352db98c25517f482af094270

      SHA256

      ed39bf4f172680c31c5aafc734f5cfe57bc54b8ba39124451e9c83c20d0225a0

      SHA512

      3c13f392b854fb3e9703c9245a2fadb7585982443e0687def911b47bb0f9cddf942dfb775fb85875a6c1734ad2ecb2925d64366ac860f1a801fa09957709bb7c

      Download Submit

    • C:\ProgramData\Setup\update.exe
      Filesize

      12.0MB

      MD5

      3e42af7f6db601b213d561875d372eef

      SHA1

      b8ae5b12ecead1b352db98c25517f482af094270

      SHA256

      ed39bf4f172680c31c5aafc734f5cfe57bc54b8ba39124451e9c83c20d0225a0

      SHA512

      3c13f392b854fb3e9703c9245a2fadb7585982443e0687def911b47bb0f9cddf942dfb775fb85875a6c1734ad2ecb2925d64366ac860f1a801fa09957709bb7c

      Download Submit

    • C:\ProgramData\Windows\install.vbs
      Filesize

      140B

      MD5

      5e36713ab310d29f2bdd1c93f2f0cad2

      SHA1

      7e768cca6bce132e4e9132e8a00a1786e6351178

      SHA256

      cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

      SHA512

      8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

      Download Submit

    • C:\ProgramData\Windows\reg1.reg
      Filesize

      12KB

      MD5

      4dc0fba4595ad8fe1f010f9079f59dd3

      SHA1

      b3a54e99afc124c64978d48afca2544d75e69da5

      SHA256

      b2fd919e2acd61601c3341179a20ce1d0c2074e8907692dc83d55ba6c6b3eb3a

      SHA512

      fb0855ad6a33a3efc44453f2a5624e0fc87818bf10d13a87d168be3e9c69b7c8dffb39a34193ab134f42b0af527566e74bada71742c09f90ffd60334ba5143b8

      Download Submit

    • C:\ProgramData\Windows\reg2.reg
      Filesize

      1KB

      MD5

      6a5d2192b8ad9e96a2736c8b0bdbd06e

      SHA1

      235a78495192fc33f13af3710d0fe44e86a771c9

      SHA256

      4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

      SHA512

      411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

      Download Submit

    • C:\ProgramData\Windows\winit.exe
      Filesize

      961KB

      MD5

      408ab35a0ad04043f6d680d9433dfd32

      SHA1

      56deed84a1e4ce6981f0e99c3f6726c0f27fa0e4

      SHA256

      d698a05760903f585add7aa1a7034b03038f289efc15bf5aa5e8d4d03b3bb526

      SHA512

      de11c8633a84480fdb642cb53e32bb55eb47394fbdae5775be06cee6ec77a2170787954f9fda5c10783bf9c4d507ddcc444639a5e7c0e8e8a9d7480395c98ec9

      Download Submit

    • C:\ProgramData\Windows\winit.exe
      Filesize

      961KB

      MD5

      408ab35a0ad04043f6d680d9433dfd32

      SHA1

      56deed84a1e4ce6981f0e99c3f6726c0f27fa0e4

      SHA256

      d698a05760903f585add7aa1a7034b03038f289efc15bf5aa5e8d4d03b3bb526

      SHA512

      de11c8633a84480fdb642cb53e32bb55eb47394fbdae5775be06cee6ec77a2170787954f9fda5c10783bf9c4d507ddcc444639a5e7c0e8e8a9d7480395c98ec9

      Download Submit

    • C:\ProgramData\install\cheat.exe
      Filesize

      4.1MB

      MD5

      56bf27304cf61f949f8842b8558ff2e3

      SHA1

      c52809302addbcd57000dc142ac4193460e91c6f

      SHA256

      3cc93cac7905c81a4419f328183e508c6742a359788043c7e3faba6e406795a4

      SHA512

      48aefb4b6fec6961dc8836686ad34aa8a4dd36720a09632e7a2fbc723c9132428d835c1630b06936a5065e2c79167bd4302c045d5f4ada7516660166708fa95e

      Download Submit

    • C:\Programdata\Windows\install.bat
      Filesize

      418B

      MD5

      db76c882184e8d2bac56865c8e88f8fd

      SHA1

      fc6324751da75b665f82a3ad0dcc36bf4b91dfac

      SHA256

      e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

      SHA512

      da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

      Download Submit

    • C:\programdata\install\cheat.exe
      Filesize

      3.2MB

      MD5

      ffb4918a5d12cb7ae2c77aa77853cfc1

      SHA1

      7271dde96598c1ea1f80fe22c0d1a91a1a140f22

      SHA256

      be4fca209d665da7360c50ad346e2c0bb30855d2ec1e70dea34c5809b6502b56

      SHA512

      6d85d44cc90af2fc049b59e45dd5cb57813944a4b1940d86da04afaa09c8030cdce3f7a0e4343f5dfe7e5868a6eabcc12695f5d9fe7f1fa7401808fbf1396d52

      Download Submit