7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
Size

213KB
MD5

106410a0b6c81a4b001643f016c44bf5
SHA1

dc550b45d7da526b598ac7556d03ce6cbb945b32
SHA256

7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2
SHA512

ae5601bd438ec0db4768a23cc6d830216f173d4a0b775b172aa657c6dc077e228b03373b1c78e1761d23c3475818c9fdbe0c955da178a680843e8968fda069d1
SSDEEP

3072:VYg4pumJbneWoh8HmBrIhbnlj2RvyP6OQ0IeIL8Y0+xJ60S58oyc/3ebFdu:VlfQOu1iOhIez+LVI8o9/WFk

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1928	VOneNAinst.exe
1524	AxSvrLoader.exe
604	AxSvrLoader.exe
1832	AxSvrLoader.exe
664	axservice.exe

Loads dropped DLL 4 IoCs

pid	Process
800	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
1928	VOneNAinst.exe
1928	VOneNAinst.exe
1832	AxSvrLoader.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AxClientSetup.log	VOneNAinst.exe
File opened for modification	C:\Windows\SysWOW64\LOG_LEVEL_2.log	axservice.exe
File opened for modification	C:\Windows\SysWOW64\SVClient.log	axservice.exe
File created	C:\Windows\SysWOW64\VOneNAinst.exe	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File opened for modification	C:\Windows\SysWOW64\AxSvrLoader.log	AxSvrLoader.exe
File created	C:\Windows\SysWOW64\topvdev.sys	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File opened for modification	C:\Windows\SysWOW64\LOG_LEVEL_0.log	axservice.exe
File created	C:\Windows\SysWOW64\AxService.exe	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File created	C:\Windows\SysWOW64\AxSvrLoader.exe	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File opened for modification	C:\Windows\SysWOW64\AxSvrLoader.log	AxSvrLoader.exe
File opened for modification	C:\Windows\SysWOW64\AxSvrLoader.log	AxSvrLoader.exe
File opened for modification	C:\Windows\SysWOW64\LOG_LEVEL_1.log	axservice.exe
File opened for modification	C:\Windows\SysWOW64\LOG_LEVEL_3.log	axservice.exe
File created	C:\Windows\SysWOW64\topvdev.inf	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\VONE\TopSecNAPlugin\topvdev.sys	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File created	C:\Program Files (x86)\VONE\TopSecNAPlugin\topvdev.inf	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File created	C:\Program Files (x86)\VONE\TopSecNAPlugin\VOneNAinst.exe	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File created	C:\Program Files (x86)\VONE\TopSecNAPlugin\AxSvrLoader.exe	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File created	C:\Program Files (x86)\VONE\TopSecNAPlugin\AxService.exe	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
File created	C:\Program Files (x86)\VONE\TopSecNAPlugin\uninst.exe	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1928	VOneNAinst.exe
Token: SeRestorePrivilege	1928	VOneNAinst.exe
Token: SeRestorePrivilege	1928	VOneNAinst.exe
Token: SeRestorePrivilege	1928	VOneNAinst.exe
Token: SeRestorePrivilege	1928	VOneNAinst.exe
Token: SeRestorePrivilege	1928	VOneNAinst.exe
Token: SeRestorePrivilege	1928	VOneNAinst.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1928	800	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe	28
PID 800 wrote to memory of 1928	800	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe	28
PID 800 wrote to memory of 1928	800	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe	28
PID 800 wrote to memory of 1928	800	7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe	28
PID 1928 wrote to memory of 1524	1928	VOneNAinst.exe	29
PID 1928 wrote to memory of 1524	1928	VOneNAinst.exe	29
PID 1928 wrote to memory of 1524	1928	VOneNAinst.exe	29
PID 1928 wrote to memory of 1524	1928	VOneNAinst.exe	29
PID 1928 wrote to memory of 604	1928	VOneNAinst.exe	31
PID 1928 wrote to memory of 604	1928	VOneNAinst.exe	31
PID 1928 wrote to memory of 604	1928	VOneNAinst.exe	31
PID 1928 wrote to memory of 604	1928	VOneNAinst.exe	31
PID 1832 wrote to memory of 664	1832	AxSvrLoader.exe	34
PID 1832 wrote to memory of 664	1832	AxSvrLoader.exe	34
PID 1832 wrote to memory of 664	1832	AxSvrLoader.exe	34
PID 1832 wrote to memory of 664	1832	AxSvrLoader.exe	34

C:\Users\Admin\AppData\Local\Temp\7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe
"C:\Users\Admin\AppData\Local\Temp\7723df505b726251c1510add27ed80c27075261eba9b7612f200e8da2b0439f2.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\VOneNAinst.exe
  "C:\Windows\system32\VOneNAinst.exe" -install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\AxSvrLoader.exe
    C:\Windows\system32\AxSvrLoader.exe -i
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1524
- - C:\Windows\SysWOW64\AxSvrLoader.exe
    C:\Windows\system32\AxSvrLoader.exe -r AxSvrLoader
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:604

C:\Windows\SysWOW64\AxSvrLoader.exe
C:\Windows\SysWOW64\AxSvrLoader.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\axservice.exe
  "C:\Windows\system32\axservice.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\AxService.exe

Filesize
370KB

MD5
4b98e4b2741ed0b110bdc18f2e8c4593

SHA1
643ccff6b1657f8e12bac341aadd647ad0392e77

SHA256
f452699a41517d85a34b0e7d549b3675d8722eecc27f75fc79595723bc941c83

SHA512
0ad2f55dd46c2b4d199afcd270c13ebfe84dc9f4761867d21be7fcc45a3c5e0b09b9f6ddc6bd1e5c0a8312f0811438364b8eb5bcf7de86947ddbc2bd245cb6ea

Download Submit
C:\Windows\SysWOW64\AxService.exe

Filesize
370KB

MD5
4b98e4b2741ed0b110bdc18f2e8c4593

SHA1
643ccff6b1657f8e12bac341aadd647ad0392e77

SHA256
f452699a41517d85a34b0e7d549b3675d8722eecc27f75fc79595723bc941c83

SHA512
0ad2f55dd46c2b4d199afcd270c13ebfe84dc9f4761867d21be7fcc45a3c5e0b09b9f6ddc6bd1e5c0a8312f0811438364b8eb5bcf7de86947ddbc2bd245cb6ea

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.exe

Filesize
86KB

MD5
12aed48068521b7092119f0d4ae83f15

SHA1
f6a2114a099af856c5b15c550471ddb0db8557b2

SHA256
2a51e0c2e09ad8fc90e2bf142cf0d4b49062398d58e4295346c125dc665d15b6

SHA512
cd17542cdccab0ba4a292b08eaeb6d0b80a2c4c615feff6e3b61a337945b46ae83c668c11e64ab0c752841dca569e0a713b6b79fe3c44d3e6f6256479d19c0fd

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.exe

Filesize
86KB

MD5
12aed48068521b7092119f0d4ae83f15

SHA1
f6a2114a099af856c5b15c550471ddb0db8557b2

SHA256
2a51e0c2e09ad8fc90e2bf142cf0d4b49062398d58e4295346c125dc665d15b6

SHA512
cd17542cdccab0ba4a292b08eaeb6d0b80a2c4c615feff6e3b61a337945b46ae83c668c11e64ab0c752841dca569e0a713b6b79fe3c44d3e6f6256479d19c0fd

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.exe

Filesize
86KB

MD5
12aed48068521b7092119f0d4ae83f15

SHA1
f6a2114a099af856c5b15c550471ddb0db8557b2

SHA256
2a51e0c2e09ad8fc90e2bf142cf0d4b49062398d58e4295346c125dc665d15b6

SHA512
cd17542cdccab0ba4a292b08eaeb6d0b80a2c4c615feff6e3b61a337945b46ae83c668c11e64ab0c752841dca569e0a713b6b79fe3c44d3e6f6256479d19c0fd

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.exe

Filesize
86KB

MD5
12aed48068521b7092119f0d4ae83f15

SHA1
f6a2114a099af856c5b15c550471ddb0db8557b2

SHA256
2a51e0c2e09ad8fc90e2bf142cf0d4b49062398d58e4295346c125dc665d15b6

SHA512
cd17542cdccab0ba4a292b08eaeb6d0b80a2c4c615feff6e3b61a337945b46ae83c668c11e64ab0c752841dca569e0a713b6b79fe3c44d3e6f6256479d19c0fd

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.log

Filesize
300B

MD5
b50eef8fff13d5f8cab39cdeec235216

SHA1
7edf6ca368f37a813172b41cf45b01b2f805c893

SHA256
6f704606ac262e8d71d17bc8a93b38128eb157b0f27f22f64c977cbb1d6daf4d

SHA512
48426701654fb93263af067d99a2b67c73aae62c26ff7c35a1a7bb7d527ad61a829d1212f1d1e093c35ff6dc421aa2fb766e8e52eded08eebf5d6f2907a14556

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.log

Filesize
494B

MD5
0ab3db0978bcc342a202163164d7970c

SHA1
39d0004588c6c0d53d484faef6997092c8bc1871

SHA256
4970155682faf498de8a4674080cbe8503e5af51bb6a728f215e5d1e2a9a8403

SHA512
d8b6ecb073be9849d83dcb820cc1349f244a2fb19501cc23677b0af3176e72097d5383ed01ec59e4aed700ce7deaaceeffb5de9da97e7c195f860dbbf0679875

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.log

Filesize
545B

MD5
fb5e9a3172bfaf0d83a722d9cc5aa8bc

SHA1
10b81b610171720a5708fd3be25d03dfd39b8cc4

SHA256
84d779e59d13cd5e89b8814c7351197378cfbc8bc70fd7c65f5bfd2095712101

SHA512
0536c090dc55df3341f786d51181ecd4c11f40e65d5def1883831bd1327864f0fee016b47903b26f0db5d14b2a79c6dc7fe4348e97f2ce792c9e969770ad1fae

Download Submit
C:\Windows\SysWOW64\AxSvrLoader.log

Filesize
726B

MD5
7ea7bfd3c869f2abc39851146f1b52be

SHA1
95a501b56329c27fc8fd6c4d5937cab6a9e54fe4

SHA256
7f550f84f06168a26529e8c511b04f40aea36366cc48aeeb0bd620196e38fafc

SHA512
59989294fa6878994bf0745d527d8a76ee28aa6ca2597fd45ec1ed896ced85280cbfd6c21b833aea23433c5cda096fb1efc21941372e7d5810aacd2b80c12b19

Download Submit
C:\Windows\SysWOW64\VOneNAinst.exe

Filesize
89KB

MD5
c4ecb92afc6c267609c50b1eebee5808

SHA1
5d9e2eca5163583c2371cbf7140ad17cbd5d5993

SHA256
71add034729e922cda4d61ed49630254dc8de48c4e05f6e8e861b2611d3a36a7

SHA512
3a2a34532762236f5b6317f64f2fcaf1a546653d0556ed3499e4a5661774fb45f991356ddb9ff6d876df129ca82e9b29ced4fc4450f1c6f6dd4929213f76f3ac

Download Submit
C:\Windows\SysWOW64\topvdev.inf

Filesize
3KB

MD5
1e02e83db73fb040c0368d571a1df5ff

SHA1
2169432f965e9eb5fc9bacc04acc774990a0f32d

SHA256
ef54dc00dd1e1b7d4449bb659d42b80956883081fd63d95e01693f81f720626d

SHA512
694c84f2f59d2cda6fc3663f74f6e0d5178d81b775fc165250dad97112b54baeffde40a0636ff4e7dca78c626c54467d80292064f44cf37708270584a877fc51

Download Submit
\Windows\SysWOW64\AxService.exe

Filesize
370KB

MD5
4b98e4b2741ed0b110bdc18f2e8c4593

SHA1
643ccff6b1657f8e12bac341aadd647ad0392e77

SHA256
f452699a41517d85a34b0e7d549b3675d8722eecc27f75fc79595723bc941c83

SHA512
0ad2f55dd46c2b4d199afcd270c13ebfe84dc9f4761867d21be7fcc45a3c5e0b09b9f6ddc6bd1e5c0a8312f0811438364b8eb5bcf7de86947ddbc2bd245cb6ea

Download Submit
\Windows\SysWOW64\AxSvrLoader.exe

Filesize
86KB

MD5
12aed48068521b7092119f0d4ae83f15

SHA1
f6a2114a099af856c5b15c550471ddb0db8557b2

SHA256
2a51e0c2e09ad8fc90e2bf142cf0d4b49062398d58e4295346c125dc665d15b6

SHA512
cd17542cdccab0ba4a292b08eaeb6d0b80a2c4c615feff6e3b61a337945b46ae83c668c11e64ab0c752841dca569e0a713b6b79fe3c44d3e6f6256479d19c0fd

Download Submit
\Windows\SysWOW64\AxSvrLoader.exe

Filesize
86KB

MD5
12aed48068521b7092119f0d4ae83f15

SHA1
f6a2114a099af856c5b15c550471ddb0db8557b2

SHA256
2a51e0c2e09ad8fc90e2bf142cf0d4b49062398d58e4295346c125dc665d15b6

SHA512
cd17542cdccab0ba4a292b08eaeb6d0b80a2c4c615feff6e3b61a337945b46ae83c668c11e64ab0c752841dca569e0a713b6b79fe3c44d3e6f6256479d19c0fd

Download Submit
\Windows\SysWOW64\VOneNAinst.exe

Filesize
89KB

MD5
c4ecb92afc6c267609c50b1eebee5808

SHA1
5d9e2eca5163583c2371cbf7140ad17cbd5d5993

SHA256
71add034729e922cda4d61ed49630254dc8de48c4e05f6e8e861b2611d3a36a7

SHA512
3a2a34532762236f5b6317f64f2fcaf1a546653d0556ed3499e4a5661774fb45f991356ddb9ff6d876df129ca82e9b29ced4fc4450f1c6f6dd4929213f76f3ac

Download Submit
memory/604-64-0x0000000000000000-mapping.dmp

Download
memory/664-73-0x0000000000000000-mapping.dmp

Download
memory/800-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/1524-61-0x0000000000000000-mapping.dmp

Download
memory/1928-56-0x0000000000000000-mapping.dmp

Download