24a7869b1b222cc2eae561421b7f0c83048ca4c157d44718102a3e674a412e99

Analysis

max time kernel
100s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows 7 IconPack By 2013Windows8.1.exe
Size

15.2MB
MD5

d54c644994f501358b6074a0ce2f331b
SHA1

863d56e70d675eab6e83909fb587ad9e802bcce2
SHA256

24a7869b1b222cc2eae561421b7f0c83048ca4c157d44718102a3e674a412e99
SHA512

404910ea4caad2d05d9a2292b62d46355d98fb9c9577c4fc5838c6507deb84aabde02ec6557fa36d25ce4829322ef8da315f2573268117da07490bee49f51d7a
SSDEEP

393216:sCBY2ekC/ialj+VaCVeNnCrPYFjvnfIlclildwvki/rsJwN1N:p7+iat+4CkNCEF7fIlldwPrsaTN

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

iPack_Installer.exe7z.exe

pid process

2352 iPack_Installer.exe
3608 7z.exe

pid	process
2352	iPack_Installer.exe
3608	7z.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4792-132-0x0000000000400000-0x0000000000447000-memory.dmp	upx
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe	upx
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe	upx
behavioral2/memory/3608-147-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3608-148-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4792-149-0x0000000000400000-0x0000000000447000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows 7 IconPack By 2013Windows8.1.exeiPack_Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Windows 7 IconPack By 2013Windows8.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	iPack_Installer.exe

Drops file in Program Files directory 21 IoCs

Processes:

Windows 7 IconPack By 2013Windows8.1.exeiPack_Installer.exe7z.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files	7z.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\header.png	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\header.png	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config	Windows 7 IconPack By 2013Windows8.1.exe
File created	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt	Windows 7 IconPack By 2013Windows8.1.exe
File opened for modification	C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe	Windows 7 IconPack By 2013Windows8.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Windows 7 IconPack By 2013Windows8.1.exe

pid process

4792 Windows 7 IconPack By 2013Windows8.1.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iPack_Installer.exe

pid process

2352 iPack_Installer.exe
2352 iPack_Installer.exe

pid	process
4792	Windows 7 IconPack By 2013Windows8.1.exe

pid	process
2352	iPack_Installer.exe
2352	iPack_Installer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Windows 7 IconPack By 2013Windows8.1.exeiPack_Installer.exe

description	pid	process	target process
PID 4792 wrote to memory of 2352	4792	Windows 7 IconPack By 2013Windows8.1.exe	iPack_Installer.exe
PID 4792 wrote to memory of 2352	4792	Windows 7 IconPack By 2013Windows8.1.exe	iPack_Installer.exe
PID 2352 wrote to memory of 3608	2352	iPack_Installer.exe	7z.exe
PID 2352 wrote to memory of 3608	2352	iPack_Installer.exe	7z.exe
PID 2352 wrote to memory of 3608	2352	iPack_Installer.exe	7z.exe

C:\Users\Admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe
"C:\Users\Admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4792

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe
"C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe
"C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe" x -y -bd "C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z
Filesize
9.7MB

MD5
4ec5c7ca5206ae238d7a2f7b55aeed2e

SHA1
7c9445c8106682b1ce456243ce3c18b5abfe7c44

SHA256
31ca0230eda657fe8e6f209c9deb1571fc95512b893bfe0116bdc6d0f35802f1

SHA512
386d55a500df61d6dfb2830ce5ef6676411237ccfb3cdaeb24db4e409397c0d2965a72e0fe8c25917baf19fd15e92bb0a64e6bbf7c1e691bfede7e3021fe3a46

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack
Filesize
9.7MB

MD5
dc6c5d162fae32d6229e4da762666798

SHA1
2f669cc75232fbeea5a1c4cc09f6397a150f507b

SHA256
d880ddb3ccb5c69157110261c07cc82fbfe20f27b3f0d90aa4188d896d7b8975

SHA512
b71f7f0588cc82e4f96b9e76bd6e385b7f6a222b597f71c48611639240e2b3e9fd6278a425524d6f7b7281ddce790918cfba41dcc47b037c30264b8b360873d2

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config
Filesize
286B

MD5
c9e1b70c730db807d4e9924bbdea2573

SHA1
cff0d57521342679a25663c116da38e09535560a

SHA256
68027f8091caeab585f116a7bc4a65f189a606307c7d5d4e74ccb57ed168728b

SHA512
005a4a30c2d5953def563002d6ada28bdc098e83fb2a4c3a16ed8d4aa12f966a804344d83ac3f84ed9f26040b9edf3877545f510faad9121ae3363dc5ef09a21

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt
Filesize
389B

MD5
0057dea0b6d12eef90b4186178543111

SHA1
0f645e97722d115730d51b77dae2b419dea88df5

SHA256
863d1d7a3f6f817466123ae55c786e55605939df4e88fdebf07431201557c7df

SHA512
8b141452a0332ff60d64d72aa8af3a99ef8671a6bd38b3b6eb260b6d9a98154ec7aae2f78e6e8c03acaf17ac6a0b1ff4b68c3000c4f032f88178685c25c0c696

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png
Filesize
23.9MB

MD5
417da0345c8842aa733dadb90e385c46

SHA1
0ef8152a4e976f2588ce1e43f73e2fa23b72afa1

SHA256
2a146d4c1c2bfd115f76a094efaaaa871b47e2175b02f55ecbfb2e7c84684851

SHA512
9fb72b5cfa65e29c0b3ad8f51b2313782358fd326def7519d25991135495f94dad13dfc48e0db7a8a64d287caaa6ab7377d6ed682e8b0353683b59ac7eca6142

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe
Filesize
966KB

MD5
06582ed92cb413e0e26229b34d471a51

SHA1
9fbfc90fe44c5a80a0b41e4f7848aa7e7e5dc36e

SHA256
d8c6ce39d337a997133d7c3175e554b5615039ce12fde1014c284acf3bdb8893

SHA512
e122f88dbc9d0d2dbb9168fbc5fd1ab18b349acb8e327ac28a20f72d7ae74c846c6d00b32bed95570db6b00a220d4d17ad858487b15a82bae18fa5aa8d606363

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe
Filesize
966KB

MD5
06582ed92cb413e0e26229b34d471a51

SHA1
9fbfc90fe44c5a80a0b41e4f7848aa7e7e5dc36e

SHA256
d8c6ce39d337a997133d7c3175e554b5615039ce12fde1014c284acf3bdb8893

SHA512
e122f88dbc9d0d2dbb9168fbc5fd1ab18b349acb8e327ac28a20f72d7ae74c846c6d00b32bed95570db6b00a220d4d17ad858487b15a82bae18fa5aa8d606363

Download Submit
C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config
Filesize
171B

MD5
cb143eef30f7ad481e715926b63928f4

SHA1
4bb8ae8914d07d475c4c5bbf97abfa8c60544e00

SHA256
6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17

SHA512
e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Download Submit
memory/2352-140-0x000000000120A000-0x000000000120F000-memory.dmp

Filesize
20KB

Download
memory/2352-137-0x00007FFF52240000-0x00007FFF52C76000-memory.dmp

Filesize
10.2MB

Download
memory/2352-133-0x0000000000000000-mapping.dmp

Download
memory/2352-150-0x000000000120A000-0x000000000120F000-memory.dmp

Filesize
20KB

Download
memory/3608-142-0x0000000000000000-mapping.dmp

Download
memory/3608-147-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3608-148-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4792-132-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4792-149-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download