Analysis
  max time kernel: 100s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 04-01-2023 15:46
Behavioral task: behavioral1
  Sample: Windows 7 IconPack By 2013Windows8.1.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Windows 7 IconPack By 2013Windows8.1.exe
  Resource: win10v2004-20221111-en
General
  Target: Windows 7 IconPack By 2013Windows8.1.exe
  Size: 15.2MB
  MD5: d54c644994f501358b6074a0ce2f331b
  SHA1: 863d56e70d675eab6e83909fb587ad9e802bcce2
  SHA256: 24a7869b1b222cc2eae561421b7f0c83048ca4c157d44718102a3e674a412e99
  SHA512: 404910ea4caad2d05d9a2292b62d46355d98fb9c9577c4fc5838c6507deb84aabde02ec6557fa36d25ce4829322ef8da315f2573268117da07490bee49f51d7a
  SSDEEP: 393216:sCBY2ekC/ialj+VaCVeNnCrPYFjvnfIlclildwvki/rsJwN1N:p7+iat+4CkNCEF7fIlldwPrsaTN
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  2352 | iPack_Installer.exe
  3608 | 7z.exe

Resources matching yara_rule "upx":
  resource | yara_rule
  behavioral2/memory/4792-132-0x0000000000400000-0x0000000000447000-memory.dmp | upx
  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe | upx
  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe | upx
  behavioral2/memory/3608-147-0x0000000000400000-0x000000000045A000-memory.dmp | upx
  behavioral2/memory/3608-148-0x0000000000400000-0x000000000045A000-memory.dmp | upx
  behavioral2/memory/4792-149-0x0000000000400000-0x0000000000447000-memory.dmp | upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Windows 7 IconPack By 2013Windows8.1.exe, iPack_Installer.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | Windows 7 IconPack By 2013Windows8.1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | iPack_Installer.exe
Drops file in Program Files directory (21 IoCs)
Processes: Windows 7 IconPack By 2013Windows8.1.exe, iPack_Installer.exe, 7z.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe | iPack_Installer.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files | 7z.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config | Windows 7 IconPack By 2013Windows8.1.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config | Windows 7 IconPack By 2013Windows8.1.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res | 7z.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\header.png | Windows 7 IconPack By 2013Windows8.1.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png | Windows 7 IconPack By 2013Windows8.1.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z | iPack_Installer.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\header.png | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config | Windows 7 IconPack By 2013Windows8.1.exe
  File created | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Patcher.exe | iPack_Installer.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res | 7z.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt | Windows 7 IconPack By 2013Windows8.1.exe
  File opened for modification | C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe | Windows 7 IconPack By 2013Windows8.1.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid  | process
  4792 | Windows 7 IconPack By 2013Windows8.1.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid  | process
  2352 | iPack_Installer.exe
  2352 | iPack_Installer.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: Windows 7 IconPack By 2013Windows8.1.exe, iPack_Installer.exe
  description | pid | process | target process
  PID 4792 wrote to memory of 2352 | 4792 | Windows 7 IconPack By 2013Windows8.1.exe | iPack_Installer.exe
  PID 4792 wrote to memory of 2352 | 4792 | Windows 7 IconPack By 2013Windows8.1.exe | iPack_Installer.exe
  PID 2352 wrote to memory of 3608 | 2352 | iPack_Installer.exe | 7z.exe
  PID 2352 wrote to memory of 3608 | 2352 | iPack_Installer.exe | 7z.exe
  PID 2352 wrote to memory of 3608 | 2352 | iPack_Installer.exe | 7z.exe
Processes (process tree; depth shown by numbering)
  1. C:\Users\Admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe (PID 4792)
     Command line: "C:\Users\Admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe"
     - Checks computer location settings
     - Drops file in Program Files directory
     - Suspicious use of FindShellTrayWindow
     - Suspicious use of WriteProcessMemory

     2. C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe (PID 2352, child of 1)
        Command line: "C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in Program Files directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        3. C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe (PID 3608, child of 2)
           Command line: "C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe" x -y -bd "C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z"
           - Executes dropped EXE
           - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\7z.exe
    Filesize: 148KB
    MD5: f3d2f74e271da7fa59d9a4c860e6f338
    SHA1: 96e9fa8808fbe176494a624b4a7b5afc9306f93a
    SHA256: d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3
    SHA512: 1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.7z
    Filesize: 9.7MB
    MD5: 4ec5c7ca5206ae238d7a2f7b55aeed2e
    SHA1: 7c9445c8106682b1ce456243ce3c18b5abfe7c44
    SHA256: 31ca0230eda657fe8e6f209c9deb1571fc95512b893bfe0116bdc6d0f35802f1
    SHA512: 386d55a500df61d6dfb2830ce5ef6676411237ccfb3cdaeb24db4e409397c0d2965a72e0fe8c25917baf19fd15e92bb0a64e6bbf7c1e691bfede7e3021fe3a46

  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Resource.iPack
    Filesize: 9.7MB
    MD5: dc6c5d162fae32d6229e4da762666798
    SHA1: 2f669cc75232fbeea5a1c4cc09f6397a150f507b
    SHA256: d880ddb3ccb5c69157110261c07cc82fbfe20f27b3f0d90aa4188d896d7b8975
    SHA512: b71f7f0588cc82e4f96b9e76bd6e385b7f6a222b597f71c48611639240e2b3e9fd6278a425524d6f7b7281ddce790918cfba41dcc47b037c30264b8b360873d2

  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\Configuration.config
    Filesize: 286B
    MD5: c9e1b70c730db807d4e9924bbdea2573
    SHA1: cff0d57521342679a25663c116da38e09535560a
    SHA256: 68027f8091caeab585f116a7bc4a65f189a606307c7d5d4e74ccb57ed168728b
    SHA512: 005a4a30c2d5953def563002d6ada28bdc098e83fb2a4c3a16ed8d4aa12f966a804344d83ac3f84ed9f26040b9edf3877545f510faad9121ae3363dc5ef09a21

  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txt
    Filesize: 389B
    MD5: 0057dea0b6d12eef90b4186178543111
    SHA1: 0f645e97722d115730d51b77dae2b419dea88df5
    SHA256: 863d1d7a3f6f817466123ae55c786e55605939df4e88fdebf07431201557c7df
    SHA512: 8b141452a0332ff60d64d72aa8af3a99ef8671a6bd38b3b6eb260b6d9a98154ec7aae2f78e6e8c03acaf17ac6a0b1ff4b68c3000c4f032f88178685c25c0c696

  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.png
    Filesize: 23.9MB
    MD5: 417da0345c8842aa733dadb90e385c46
    SHA1: 0ef8152a4e976f2588ce1e43f73e2fa23b72afa1
    SHA256: 2a146d4c1c2bfd115f76a094efaaaa871b47e2175b02f55ecbfb2e7c84684851
    SHA512: 9fb72b5cfa65e29c0b3ad8f51b2313782358fd326def7519d25991135495f94dad13dfc48e0db7a8a64d287caaa6ab7377d6ed682e8b0353683b59ac7eca6142

  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe
    Filesize: 966KB
    MD5: 06582ed92cb413e0e26229b34d471a51
    SHA1: 9fbfc90fe44c5a80a0b41e4f7848aa7e7e5dc36e
    SHA256: d8c6ce39d337a997133d7c3175e554b5615039ce12fde1014c284acf3bdb8893
    SHA512: e122f88dbc9d0d2dbb9168fbc5fd1ab18b349acb8e327ac28a20f72d7ae74c846c6d00b32bed95570db6b00a220d4d17ad858487b15a82bae18fa5aa8d606363

  C:\Program Files (x86)\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.config
    Filesize: 171B
    MD5: cb143eef30f7ad481e715926b63928f4
    SHA1: 4bb8ae8914d07d475c4c5bbf97abfa8c60544e00
    SHA256: 6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17
    SHA512: e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Memory dumps
  memory/2352-140-0x000000000120A000-0x000000000120F000-memory.dmp (Filesize: 20KB)
  memory/2352-137-0x00007FFF52240000-0x00007FFF52C76000-memory.dmp (Filesize: 10.2MB)
  memory/2352-133-0x0000000000000000-mapping.dmp
  memory/2352-150-0x000000000120A000-0x000000000120F000-memory.dmp (Filesize: 20KB)
  memory/3608-142-0x0000000000000000-mapping.dmp
  memory/3608-147-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
  memory/3608-148-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
  memory/4792-132-0x0000000000400000-0x0000000000447000-memory.dmp (Filesize: 284KB)
  memory/4792-149-0x0000000000400000-0x0000000000447000-memory.dmp (Filesize: 284KB)