Analysis
-
max time kernel
150s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-es -
resource tags
-
submitted
16-01-2023 20:49
General
-
Target
2. Pack Iconos/Aon - Gray.exe
-
Size
4.4MB
-
MD5
bff7417095395d262bec790273975d60
-
SHA1
eff00b178cb27f3710ebafde7cd53f14aa578ddf
-
SHA256
c41352f656666106081a6fe9fea78dca4d4c55ac3b96800f523d3cd2154ca2f9
-
SHA512
298d5e4f8654124ac443e193a958534377b67d90a02f3b0c1a15e181ee10e909b01b171d286619fca0053c4d2cab8b6bdf0a5084d024b56a8d81b0694d58b2ef
-
SSDEEP
98304:E0Y6JZd/pi/TZfeTP6SeM1lQkQF7h1ftDL1oiueCdc1MF+vUJSXLJasokc6:E0Y6T9wT4D65uuZhFJoiueScWF1JS7J1
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
Possible privilege escalation attempt 10 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 10 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 39 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 48 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2. Pack Iconos\Aon - Gray.exe"C:\Users\Admin\AppData\Local\Temp\2. Pack Iconos\Aon - Gray.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe"C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Aon - Gray\7z.exe"C:\Program Files (x86)\Aon - Gray\7z.exe" x -y -bd "C:\Program Files (x86)\Aon - Gray\Resource.7z"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\System32\imageres.dll" /save "Resource Files\ACL\System32\imageres.dll.AclFile"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\System32\imageres.dll" && icacls "C:\Windows\System32\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F && exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /a /F "C:\Windows\System32\imageres.dll"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\imageres.dll" /grant:r "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Program Files (x86)\Aon - Gray\Patcher.exe"C:\Program Files (x86)\Aon - Gray\Patcher.exe" -addoverwrite "Resource Files\Patch\System32\imageres.dll", "Resource Files\Patch\System32\imageres.dll", "Resource Files\imageres.dll.res" ,,,3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C && icacls "C:\Windows\System32" /restore "Resource Files\ACL\System32\imageres.dll.AclFile" && exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /restore "Resource Files\ACL\System32\imageres.dll.AclFile"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\imageres.dll.iPtemp" && exit3⤵
-
C:\Windows\System32\icacls.exe"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\imageres.dll" /save "Resource Files\ACL\SysWOW64\imageres.dll.AclFile"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\SysWOW64\imageres.dll" && icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "administrators":F && exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /a /F "C:\Windows\SysWOW64\imageres.dll"4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "Admin":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "administrators":F4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Program Files (x86)\Aon - Gray\Patcher.exe"C:\Program Files (x86)\Aon - Gray\Patcher.exe" -addoverwrite "Resource Files\Patch\SysWOW64\imageres.dll", "Resource Files\Patch\SysWOW64\imageres.dll", "Resource Files\imageres.dll.res" ,,,3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000560" "000000000000005C"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Aon - Gray\7z.exeFilesize
148KB
MD5f3d2f74e271da7fa59d9a4c860e6f338
SHA196e9fa8808fbe176494a624b4a7b5afc9306f93a
SHA256d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3
SHA5121553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30
-
C:\Program Files (x86)\Aon - Gray\Patcher.exeFilesize
465KB
MD5e92786023781296f23db1d42be4148dc
SHA1f905ee76e91114db5278943a9b0db5493748dea5
SHA256908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8
SHA5122c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0
-
C:\Program Files (x86)\Aon - Gray\Patcher.exeFilesize
465KB
MD5e92786023781296f23db1d42be4148dc
SHA1f905ee76e91114db5278943a9b0db5493748dea5
SHA256908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8
SHA5122c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0
-
C:\Program Files (x86)\Aon - Gray\Patcher.iniFilesize
311B
MD5796935772ac839e1d1efe29ae87a87f8
SHA124fe87b39d5f0065584d9167bb2a0a534d200dce
SHA256c856b849708f175d087a09cd0b1fdf2b64e8a6de77f9dfdb9ae85640e642c62a
SHA5121f0d62370694c6216e0325d61446cd63247d1a64b0270d91f1e20eda6df6c577555c6611aa63a048f4ba2019e045af34c855340f9d07d164216c2ac56791fc76
-
C:\Program Files (x86)\Aon - Gray\Patcher.logFilesize
218B
MD548964b0c8e3756c2c252682ed14cbe50
SHA1dbdf46ca980092d7c6dee1779686163ae4abc533
SHA2567be7719f0e0bd11ec9c180b74907a484181ff43393b86b38240ee33ee890007f
SHA5127c40e82cc632c4e71075399490eff4d483b812cd7944dc98dc198b9eae9ef1c6305151dd0ba592c8c56301a3754c33dfa01eb37e77334fd17767a14643b32568
-
C:\Program Files (x86)\Aon - Gray\Resource Files\ACL\System32\imageres.dll.AclFileFilesize
302B
MD5e215cac62f4c9190a204172e06952ab0
SHA176837f17825e729cb2ccf4362d7fef00b00ed240
SHA2560a79f07fa1280e5cf07acef948aa6c3874fc5ad8e51d231cbc90a7ac05e779d5
SHA5125e63a1131b38e57b2f2ae4f76f1c149520cc41df2ae70ce1a2851aa0f219f299aba46b74efd5b4c5bf01a004901d46a06c7f97a37ecf829c7db19f5bad6af1c0
-
C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\SysWOW64\imageres.dllFilesize
19.3MB
MD5827cb0d6c3f8057ea037ff271f8e9795
SHA14f8385c0a9f37b5c3c3fd3e339b680fb08758570
SHA25682760dbddd38d2a31caaf51d065df4e7e1d0f0c22733a0af653776ebf7b79470
SHA5126e65491629717a260eca32e3f1b65baf16f70fede0717391af4acaf0e9c83da479d62e5de9734f9bbf7773b0904f5623df717a7ca9a0f6806ca4807fcfaa6a09
-
C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\System32\imageres.dllFilesize
19.3MB
MD55aa945234e9d4cce4f715276b9aa712c
SHA1dba3c8cecb3f8d4b1d96265d8519dbe0e911f446
SHA25665165bd131056816f009d987fc78ac86ffe0c3c38a27e73f873586b7ff4d59cf
SHA512acf0d5706662b3f4abb68b94aad9155c17dc74ccf3a92ed97c9bc2abdf4f8fd32705bb7692836452304301605561121b4ef2b82b81563f9bf2a9d1c71e8c6233
-
C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\System32\imageres.dllFilesize
21.5MB
MD55e1523ff85d086c59f57aaec8ea002fa
SHA1898326985a52913e2b4f5c31428b7f72bd220640
SHA256b575b79d859f8b9d7e25672a758c9fd3dfcaa9c46711a6749af8d00afcbe1deb
SHA512eeca13b0ca7d8c1b3af1effd677ea8e5beb50774323e3822a94616a7a74db6f4edbd9898afc15cae45d68aeedeca7a13ad68d91cb413d010e826f2cc4361b5f3
-
C:\Program Files (x86)\Aon - Gray\Resource Files\imageres.dll.resFilesize
18.1MB
MD58ed3dab9948b129cf90c091f7d275688
SHA117f1d1275a38d986846a61eb36a087cb6526cc3d
SHA2560903a63ad2e6ea65b0131520fcf29473294b57cd740c707637db66b347e43280
SHA512804f12f4423d8a96e3a9facd99ac752d7e9d85821fe22b2440f6b025aa1278a6e62a203cca95cde2f257dd16ee590e1dd808490fcd998af0f7702319eb8cb313
-
C:\Program Files (x86)\Aon - Gray\Resource.7zFilesize
3.5MB
MD587f305bcfa75d8a70bbb11735ea3edb0
SHA16ff92b7834506c5af99f881f0af50b8fc923aec0
SHA2568fc7c639bc114ce0ab497183ce368a9ede786896300f1a61eb9f13632b578dd8
SHA5129373f4d0084b004aecb814a3759f52efa63244a808ce0f8965e0d8dcae9b7f9ea66b4de5a8462e408190ea5f88037a233cbab4a4948d0714305c0d3ace026ddc
-
C:\Program Files (x86)\Aon - Gray\Resource.iPackFilesize
3.5MB
MD5b694032f47961b9559e23ab1d7a0a15c
SHA1841d8e112f7f3a81de78963ba964f2a839baac89
SHA2563a4a0cf23c21f8bbfa73d0c5a7c2baa9b8ab5b64bb6968a4a6f897fca97147fd
SHA51264bf3cec32035bc0af2b4f043cfbff9dec993c7a1a8663d2a4a1c6d3fbb1e5a3a2ecfa9cc8c2d63e94257aeeffb03732b88d62599831f0d8885c171cf7c30e83
-
C:\Program Files (x86)\Aon - Gray\Setup files-iPack\Configuration.configFilesize
224B
MD50cdfb12465131d66540765c554d89352
SHA1ad21e927a53b04064df1b940f10f2418cc299c67
SHA256eea5f6428275ce65329a4f42a2219ad9c618195bf1735d3838d2aeee3eb53932
SHA51263ab0f9ada8ddcb6c462c3e70d13713541500c7d445ae2128141c5e5ce73d386292746818ad9dcdb265aa221df1734862e8a1537f7b4810c95cd37cd7f288fbd
-
C:\Program Files (x86)\Aon - Gray\Setup files-iPack\License.txtFilesize
941B
MD5a12a2d3a14e3a6dc6250bd7ab5e399c0
SHA1a9eb44510c98d2a066875e4e09904f70333cf8b6
SHA2567893df543413869f797b5733498b2027b2d69b4d3ec3bc998ba9c28e1b633e8d
SHA512af79120051d625288b670d2dc97ed8dcac18410a5763e936c8410a7e752294bf1085cce84405093648204be07232fda38fcf89a1dce1f2fec94069304b626454
-
C:\Program Files (x86)\Aon - Gray\Setup files-iPack\header.pngFilesize
18KB
MD505881c368816adce83f69ebe8cdd1e66
SHA1f96830c41d327e818c36662e1e08bee2b3fc30c7
SHA25695debde2e09114ccb0838aaa2a35dba65061c87cd3430bc1a1e0f05d14d930a2
SHA51228480acd811e0ef863b96aa141b5278f8ee16820c400359d70c6b2c8780f35a217c1e5f563aecbc6b4f80eddc399a3884835d1e63a03bc3a69c09d6cd26f573a
-
C:\Program Files (x86)\Aon - Gray\Setup files-iPack\logo.pngFilesize
21KB
MD521da3154a1bc6d1d582ba74191f6756e
SHA12e48ce7cc1c888d2525750200e6dd21c14b7f59c
SHA256dea6f44854346692fc183119abed2de5848cadd47aa32d953a0b78ffa2a1868e
SHA512eb169f932b0741803f8f8d6adfac3253f86f57e103e8512d4da53775cca0d344fab8a83313c9014464d581210131b27c2170d1b198a17318c1090239a860d7b6
-
C:\Program Files (x86)\Aon - Gray\iPack_Installer.exeFilesize
1.0MB
MD526c04ae4db6ba6a5db686ca2ed4ea4be
SHA1e39ea2198cb8a1a6b3a545ebdbbd576cf4dd3090
SHA256390157b7661eb35b8e6081e667a745c370d418f3dc23421eebce957a080ee580
SHA5126ecc03c7cacf680d650646e8823ab5cc3145918ac5b86aecf962bb1680863e2ecb6081ba32229b740752afd29c7d76069d75c572b51adb25105705095f29cb57
-
C:\Program Files (x86)\Aon - Gray\iPack_Installer.exeFilesize
1.0MB
MD526c04ae4db6ba6a5db686ca2ed4ea4be
SHA1e39ea2198cb8a1a6b3a545ebdbbd576cf4dd3090
SHA256390157b7661eb35b8e6081e667a745c370d418f3dc23421eebce957a080ee580
SHA5126ecc03c7cacf680d650646e8823ab5cc3145918ac5b86aecf962bb1680863e2ecb6081ba32229b740752afd29c7d76069d75c572b51adb25105705095f29cb57
-
C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe.configFilesize
171B
MD5cb143eef30f7ad481e715926b63928f4
SHA14bb8ae8914d07d475c4c5bbf97abfa8c60544e00
SHA2566105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17
SHA512e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d
-
\Program Files (x86)\Aon - Gray\iPack_Installer.exeFilesize
1.0MB
MD526c04ae4db6ba6a5db686ca2ed4ea4be
SHA1e39ea2198cb8a1a6b3a545ebdbbd576cf4dd3090
SHA256390157b7661eb35b8e6081e667a745c370d418f3dc23421eebce957a080ee580
SHA5126ecc03c7cacf680d650646e8823ab5cc3145918ac5b86aecf962bb1680863e2ecb6081ba32229b740752afd29c7d76069d75c572b51adb25105705095f29cb57
-
memory/360-81-0x0000000000000000-mapping.dmp
-
memory/624-96-0x0000000000000000-mapping.dmp
-
memory/716-101-0x0000000000000000-mapping.dmp
-
memory/812-71-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/812-70-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/812-66-0x0000000000000000-mapping.dmp
-
memory/860-99-0x0000000000000000-mapping.dmp
-
memory/900-80-0x0000000000000000-mapping.dmp
-
memory/1068-108-0x0000000000400000-0x0000000000521000-memory.dmpFilesize
1.1MB
-
memory/1068-102-0x0000000000000000-mapping.dmp
-
memory/1248-78-0x0000000000000000-mapping.dmp
-
memory/1440-82-0x0000000000000000-mapping.dmp
-
memory/1496-92-0x0000000000000000-mapping.dmp
-
memory/1600-87-0x0000000000400000-0x0000000000521000-memory.dmpFilesize
1.1MB
-
memory/1600-89-0x0000000000400000-0x0000000000521000-memory.dmpFilesize
1.1MB
-
memory/1600-90-0x0000000000400000-0x0000000000521000-memory.dmpFilesize
1.1MB
-
memory/1600-83-0x0000000000000000-mapping.dmp
-
memory/1660-100-0x0000000000000000-mapping.dmp
-
memory/1692-97-0x0000000000000000-mapping.dmp
-
memory/1696-77-0x0000000000000000-mapping.dmp
-
memory/1856-93-0x0000000000000000-mapping.dmp
-
memory/1860-94-0x0000000000000000-mapping.dmp
-
memory/1896-75-0x0000000001FA6000-0x0000000001FC5000-memory.dmpFilesize
124KB
-
memory/1896-69-0x0000000001FA6000-0x0000000001FC5000-memory.dmpFilesize
124KB
-
memory/1896-63-0x000007FEF3290000-0x000007FEF4326000-memory.dmpFilesize
16.6MB
-
memory/1896-62-0x000007FEF4570000-0x000007FEF4F93000-memory.dmpFilesize
10.1MB
-
memory/1896-58-0x0000000000000000-mapping.dmp
-
memory/1968-74-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1968-56-0x0000000000400000-0x0000000000468000-memory.dmpFilesize
416KB
-
memory/1968-55-0x00000000745B1000-0x00000000745B3000-memory.dmpFilesize
8KB
-
memory/1968-54-0x0000000075A11000-0x0000000075A13000-memory.dmpFilesize
8KB
-
memory/1980-98-0x0000000000000000-mapping.dmp
-
memory/2024-79-0x0000000000000000-mapping.dmp
