Analysis
- max time kernel: 150s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-es
- resource tags: arch:x64, arch:x86, image:win7-20221111-es, locale:es-es, os:windows7-x64, system, windows
- submitted: 16-01-2023 20:49

Behavioral tasks
- behavioral1: Sample "2. Pack Iconos/Aon - Gray.exe", resource win7-20221111-es
- behavioral2: Sample "2. Pack Iconos/Aon - Gray.exe", resource win10v2004-20220812-es

The signatures, process tree, dropped files and memory dumps below are from behavioral1 (Windows 7 x64, es-ES image); the memory dump paths carry the behavioral1/ prefix accordingly.
General
- Target: 2. Pack Iconos/Aon - Gray.exe
- Size: 4.4MB
- MD5: bff7417095395d262bec790273975d60
- SHA1: eff00b178cb27f3710ebafde7cd53f14aa578ddf
- SHA256: c41352f656666106081a6fe9fea78dca4d4c55ac3b96800f523d3cd2154ca2f9
- SHA512: 298d5e4f8654124ac443e193a958534377b67d90a02f3b0c1a15e181ee10e909b01b171d286619fca0053c4d2cab8b6bdf0a5084d024b56a8d81b0694d58b2ef
- SSDEEP: 98304:E0Y6JZd/pi/TZfeTP6SeM1lQkQF7h1ftDL1oiueCdc1MF+vUJSXLJasokc6:E0Y6T9wT4D65uuZhFJoiueScWF1JS7J1
Signatures
Executes dropped EXE 4 IoCs
Processes (pid / image):
- 1896 iPack_Installer.exe
- 812 7z.exe
- 1600 Patcher.exe
- 1068 Patcher.exe
Possible privilege escalation attempt 10 IoCs
Processes (pid / image):
- 1860 icacls.exe
- 1692 icacls.exe
- 1248 icacls.exe
- 1440 icacls.exe
- 1856 icacls.exe
- 1660 icacls.exe
- 716 icacls.exe
- 900 takeown.exe
- 360 icacls.exe
- 860 takeown.exe
Note: as the process tree shows, every one of these takeown/icacls invocations targets C:\Windows\System32\imageres.dll or C:\Windows\SysWOW64\imageres.dll. They do not raise the installer's privileges; it is already running elevated (takeown.exe enables SeTakeOwnershipPrivilege under "Suspicious use of AdjustPrivilegeToken" below, which a non-elevated token does not carry). Their effect is to strip TrustedInstaller ownership from a protected OS binary and grant the interactive user and Administrators full control so the file can be overwritten, and then to hand ownership back. Read this as tampering with a protected system file rather than as privilege escalation.
UPX packed file 11 IoCs
Resources and memory regions that match the upx yara rule:
- behavioral1/memory/1968-56-0x0000000000400000-0x0000000000468000-memory.dmp
- C:\Program Files (x86)\Aon - Gray\7z.exe
- behavioral1/memory/812-70-0x0000000000400000-0x000000000045A000-memory.dmp
- behavioral1/memory/812-71-0x0000000000400000-0x000000000045A000-memory.dmp
- behavioral1/memory/1968-74-0x0000000000400000-0x0000000000468000-memory.dmp
- C:\Program Files (x86)\Aon - Gray\Patcher.exe
- behavioral1/memory/1600-87-0x0000000000400000-0x0000000000521000-memory.dmp
- behavioral1/memory/1600-89-0x0000000000400000-0x0000000000521000-memory.dmp
- behavioral1/memory/1600-90-0x0000000000400000-0x0000000000521000-memory.dmp
- C:\Program Files (x86)\Aon - Gray\Patcher.exe
- behavioral1/memory/1068-108-0x0000000000400000-0x0000000000521000-memory.dmp
PID 1968 is the submitted sample itself (Aon - Gray.exe), so the dropper as well as the dropped 7z.exe (pid 812) and Patcher.exe (pids 1600 and 1068) are UPX-packed; the 0x400000-based dumps listed under "Memory" are their unpacked images.
Loads dropped DLL 1 IoCs
Processes (pid / image):
- 1968 Aon - Gray.exe
Modifies file permissions 1 TTPs 10 IoCs
Processes (pid / image):
- 716 icacls.exe
- 1248 icacls.exe
- 900 takeown.exe
- 1440 icacls.exe
- 1856 icacls.exe
- 1860 icacls.exe
- 1660 icacls.exe
- 360 icacls.exe
- 1692 icacls.exe
- 860 takeown.exe
Drops file in System32 directory 1 IoCs
- File opened for modification: C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF (DrvInst.exe)
Drops file in Program Files directory 39 IoCs
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\zipfldr.dll.res (7z.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\header.png (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\logo.png (Aon - Gray.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\imageres.dll.res (7z.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Resource Files\imagesp1.dll.res (7z.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Patcher.ini (Patcher.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\ACL\SysWOW64\imageres.dll.AclFile (icacls.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Patcher.log (Patcher.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\header.png (Aon - Gray.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\License.txt (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe.config (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource.7z (iPack_Installer.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\License.txt (Aon - Gray.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe.config (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\ACL\System32\imageres.dll.AclFile (icacls.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\Configuration.config (Aon - Gray.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Setup files-iPack (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\imagesp1.dll.res (7z.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Resource Files\Backup\System32\imageres.dll (iPack_Installer.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\Backup\SysWOW64\imageres.dll (iPack_Installer.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\System32\imageres.dll (Patcher.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\SysWOW64\imageres.dll (iPack_Installer.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Patcher.ini (Patcher.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\logo.png (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Setup files-iPack\Configuration.config (Aon - Gray.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Resource.iPack (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\System32\imageres.dll (iPack_Installer.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Patcher.log (Patcher.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Resource Files\zipfldr.dll.res (7z.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Aon - Gray.log (iPack_Installer.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource Files\Backup\System32\imageres.dll (iPack_Installer.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Resource Files\imageres.dll.res (7z.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Resource.iPack (Aon - Gray.exe)
- File created: C:\Program Files (x86)\Aon - Gray\7z.exe (iPack_Installer.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Resource Files (7z.exe)
- File created: C:\Program Files (x86)\Aon - Gray\Patcher.exe (iPack_Installer.exe)
- File opened for modification: C:\Program Files (x86)\Aon - Gray\Patcher.ini (Patcher.exe)
Drops file in Windows directory 4 IoCs
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\INF\volsnap.PNF (DrvInst.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: that sentence is the sandbox's generic heuristic text. No encryption or deletion of user files and no shadow-copy removal appears anywhere in this trace. The storage-related activity that is recorded belongs to vssvc.exe and DrvInst.exe handling a volume snapshot device (STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 in the process tree), which is consistent with a shadow copy being created, not destroyed.
Kills process with taskkill 1 IoCs
Processes (pid / image):
- 1696 taskkill.exe
The command line (see the process tree) is taskkill /f /im explorer.exe: the shell keeps imageres.dll mapped, so it is terminated before the file is replaced.
Modifies Internet Explorer settings 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main (iPack_Installer.exe)
Only the key creation is recorded; no value is set under it.
Modifies data under HKEY_USERS 48 IoCs
All 48 entries belong to DrvInst.exe (pid 908), the Windows driver-installation host that processed the volume snapshot device in the process tree. They are the certificate-store keys Windows initialises under the .DEFAULT profile the first time the crypto APIs are used there, plus Spanish-locale MUI cache strings; none of them is written by the sample's own processes.
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000 (UTF-16LE REG_MULTI_SZ: es-ES, es, en-US, en)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Confianza de mismo nivel" [Peer Trust]
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\dnsapi.dll,-103 = "Confianza en el servidor DNS (Sistema de nombres de dominio)" [DNS Server Trust (Domain Name System)]
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-844 = "Agente de recuperación de datos BitLocker" [BitLocker Data Recovery Agent]
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\qagentrt.dll,-10 = "Autenticación de mantenimiento del sistema" [System Health Authentication]
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-843 = "Cifrado de unidad BitLocker" [BitLocker Drive Encryption]
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / image):
- 1896 iPack_Installer.exe
Suspicious use of AdjustPrivilegeToken 18 IoCs
Token privilege enabled (privilege / pid / image):
- SeBackupPrivilege 1772 vssvc.exe
- SeRestorePrivilege 1772 vssvc.exe
- SeAuditPrivilege 1772 vssvc.exe
- SeRestorePrivilege 908 DrvInst.exe (7 times)
- SeLoadDriverPrivilege 908 DrvInst.exe (3 times)
- SeDebugPrivilege 1696 taskkill.exe
- SeTakeOwnershipPrivilege 900 takeown.exe
- SeRestorePrivilege 1856 icacls.exe
- SeSecurityPrivilege 1860 icacls.exe
- SeTakeOwnershipPrivilege 860 takeown.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid / image):
- 1968 Aon - Gray.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid / image):
- 1896 iPack_Installer.exe (2 times)
Suspicious use of WriteProcessMemory 64 IoCs
Writer pid (image) -> target pid (image), with the number of recorded writes:
- 1968 (Aon - Gray.exe) -> 1896 (iPack_Installer.exe): 4
- 1896 (iPack_Installer.exe) -> 812 (7z.exe): 4
- 1896 (iPack_Installer.exe) -> 1696 (taskkill.exe): 3
- 1896 (iPack_Installer.exe) -> 1248 (icacls.exe): 3
- 1896 (iPack_Installer.exe) -> 2024 (cmd.exe): 3
- 2024 (cmd.exe) -> 900 (takeown.exe): 3
- 2024 (cmd.exe) -> 360 (icacls.exe): 3
- 2024 (cmd.exe) -> 1440 (icacls.exe): 3
- 1896 (iPack_Installer.exe) -> 1600 (Patcher.exe): 7
- 1896 (iPack_Installer.exe) -> 1496 (cmd.exe): 3
- 1496 (cmd.exe) -> 1856 (icacls.exe): 3
- 1496 (cmd.exe) -> 1860 (icacls.exe): 3
- 1896 (iPack_Installer.exe) -> 624 (cmd.exe): 3
- 1896 (iPack_Installer.exe) -> 1692 (icacls.exe): 3
- 1896 (iPack_Installer.exe) -> 1980 (cmd.exe): 3
- 1980 (cmd.exe) -> 860 (takeown.exe): 3
- 1980 (cmd.exe) -> 1660 (icacls.exe): 3
- 1980 (cmd.exe) -> 716 (icacls.exe): 3
- 1896 (iPack_Installer.exe) -> 1068 (Patcher.exe): 4
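The sandbox exports these WriteProcessMemory records as a flat list, one line per write, in the form "PID A wrote to memory of B A <image A> <image B>". The parent/child relationships are recoverable from that list alone. What follows is an added example (not code from the sandbox or from the page) that rebuilds the tree: RECORDS is a transcribed subset of the 64 entries above, the record grammar is read off those lines, and the dedup and tree logic (parse, render, the "first writer is the creator" rule) are this example's own assumptions.

```python
"""Rebuild a process tree from flat 'PID A wrote to memory of B A imgA imgB' records.

Added example; not part of the sandbox report. RECORDS is a transcribed subset
of the report's WriteProcessMemory entries, used as constructed sample input.
"""
import re
from collections import defaultdict

RECORDS = """\
PID 1968 wrote to memory of 1896 1968 Aon - Gray.exe iPack_Installer.exe
PID 1968 wrote to memory of 1896 1968 Aon - Gray.exe iPack_Installer.exe
PID 1968 wrote to memory of 1896 1968 Aon - Gray.exe iPack_Installer.exe
PID 1968 wrote to memory of 1896 1968 Aon - Gray.exe iPack_Installer.exe
PID 1896 wrote to memory of 812 1896 iPack_Installer.exe 7z.exe
PID 1896 wrote to memory of 812 1896 iPack_Installer.exe 7z.exe
PID 1896 wrote to memory of 1696 1896 iPack_Installer.exe taskkill.exe
PID 1896 wrote to memory of 2024 1896 iPack_Installer.exe cmd.exe
PID 2024 wrote to memory of 900 2024 cmd.exe takeown.exe
PID 2024 wrote to memory of 360 2024 cmd.exe icacls.exe
PID 2024 wrote to memory of 1440 2024 cmd.exe icacls.exe
PID 1896 wrote to memory of 1600 1896 iPack_Installer.exe Patcher.exe
PID 1896 wrote to memory of 1600 1896 iPack_Installer.exe Patcher.exe
"""

# Image names may contain spaces ("Aon - Gray.exe"), so the two names are split
# on the first ".exe " boundary, not on whitespace. The writer PID is echoed a
# second time in each record and is matched with a backreference.
RECORD = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (.+\.exe)$")


def parse(records):
    """Return (names, parent, writes): pid->image, child->creator pid, (src,dst)->count."""
    names, parent, writes = {}, {}, defaultdict(int)
    for line in records.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # wrapped fragments and headings are skipped, not guessed at
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        names.setdefault(src, src_img)
        names.setdefault(dst, dst_img)
        # Assumption: the first process that writes into a new PID is its creator
        # (the writes CreateProcess performs while setting up the child).
        parent.setdefault(dst, src)
        writes[(src, dst)] += 1
    return names, parent, writes


def render(names, parent, writes, indent="    "):
    """Depth-first text tree, children in first-seen order, with write counts."""
    children = defaultdict(list)
    for child, par in parent.items():
        children[par].append(child)
    lines = []

    def walk(pid, depth):
        note = ""
        if pid in parent:
            note = f"  [{writes[(parent[pid], pid)]} write(s) from {parent[pid]}]"
        lines.append(f"{indent * depth}{pid} {names[pid]}{note}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in [pid for pid in names if pid not in parent]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*parse(RECORDS))))
```

Feeding the full 64-record list to parse() yields the same tree the "Processes" section draws by hand; the per-edge counts (4 for a directly spawned child, 3 via cmd.exe, 7 for the first Patcher.exe) are the number of writes the sandbox logged for that edge and carry no further meaning here.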
Processes
Reading the tree top-down, the installer handles each copy of imageres.dll the same way: (1) icacls /save dumps the file's current DACL to Resource Files\ACL\...\imageres.dll.AclFile; (2) takeown /a /F gives ownership to Administrators and icacls /grant:r hands full control (F) to the interactive user (%username%, expanded to Admin in the sandbox) and to Administrators; (3) Patcher.exe -addoverwrite, the same command syntax Resource Hacker uses, rewrites the resources of the staged copy under Resource Files\Patch\...\imageres.dll (source and destination are the same file) from Resource Files\imageres.dll.res; (4) icacls /setowner puts NT Service\TrustedInstaller back as owner and icacls /restore re-applies the saved DACL, after which a leftover C:\Windows\System32\imageres.dll.iPtemp is deleted. explorer.exe is killed first because it keeps imageres.dll mapped. The swap of the patched copy into System32 is not recorded as a file event in this report; the .iPtemp deletion is the only trace of it. For the SysWOW64 copy, step (4) does not appear in the trace at all, so that file is left owned by Administrators with Admin:F and Administrators:F granted.

[1] C:\Users\Admin\AppData\Local\Temp\2. Pack Iconos\Aon - Gray.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\2. Pack Iconos\Aon - Gray.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe
        cmd: "C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Aon - Gray\7z.exe
            cmd: "C:\Program Files (x86)\Aon - Gray\7z.exe" x -y -bd "C:\Program Files (x86)\Aon - Gray\Resource.7z"
            - Executes dropped EXE
            - Drops file in Program Files directory
        [3] C:\Windows\System32\taskkill.exe
            cmd: "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\icacls.exe
            cmd: "C:\Windows\System32\icacls.exe" "C:\Windows\System32\imageres.dll" /save "Resource Files\ACL\System32\imageres.dll.AclFile"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Drops file in Program Files directory
        [3] C:\Windows\System32\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\System32\imageres.dll" && icacls "C:\Windows\System32\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F && exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\takeown.exe
                cmd: takeown /a /F "C:\Windows\System32\imageres.dll"
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\icacls.exe
                cmd: icacls "C:\Windows\System32\imageres.dll" /grant:r "Admin":F
                - Possible privilege escalation attempt
                - Modifies file permissions
            [4] C:\Windows\system32\icacls.exe
                cmd: icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F
                - Possible privilege escalation attempt
                - Modifies file permissions
        [3] C:\Program Files (x86)\Aon - Gray\Patcher.exe
            cmd: "C:\Program Files (x86)\Aon - Gray\Patcher.exe" -addoverwrite "Resource Files\Patch\System32\imageres.dll", "Resource Files\Patch\System32\imageres.dll", "Resource Files\imageres.dll.res" ,,,
            - Executes dropped EXE
            - Drops file in Program Files directory
        [3] C:\Windows\System32\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c icacls "C:\Windows\System32\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C && icacls "C:\Windows\System32" /restore "Resource Files\ACL\System32\imageres.dll.AclFile" && exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\icacls.exe
                cmd: icacls "C:\Windows\System32\imageres.dll" /setowner "NT Service\TrustedInstaller" /T /C
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\icacls.exe
                cmd: icacls "C:\Windows\System32" /restore "Resource Files\ACL\System32\imageres.dll.AclFile"
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\System32\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c del /f /q "C:\Windows\System32\imageres.dll.iPtemp" && exit
        [3] C:\Windows\System32\icacls.exe
            cmd: "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\imageres.dll" /save "Resource Files\ACL\SysWOW64\imageres.dll.AclFile"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Drops file in Program Files directory
        [3] C:\Windows\System32\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\SysWOW64\imageres.dll" && icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "administrators":F && exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\takeown.exe
                cmd: takeown /a /F "C:\Windows\SysWOW64\imageres.dll"
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\icacls.exe
                cmd: icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "Admin":F
                - Possible privilege escalation attempt
                - Modifies file permissions
            [4] C:\Windows\system32\icacls.exe
                cmd: icacls "C:\Windows\SysWOW64\imageres.dll" /grant:r "administrators":F
                - Possible privilege escalation attempt
                - Modifies file permissions
        [3] C:\Program Files (x86)\Aon - Gray\Patcher.exe
            cmd: "C:\Program Files (x86)\Aon - Gray\Patcher.exe" -addoverwrite "Resource Files\Patch\SysWOW64\imageres.dll", "Resource Files\Patch\SysWOW64\imageres.dll", "Resource Files\imageres.dll.res" ,,,
            - Executes dropped EXE
            - Drops file in Program Files directory
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\DrvInst.exe
    cmd: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000560" "000000000000005C"
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
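The ownership and ACL sequence in the tree above is the part worth alerting on, and it is visible purely from command lines. The following is an added example (not code from the sandbox, from the page, or from the installer) that runs simple rules over those command lines and reports, per protected file, which stages were seen and whether the loosened ACL was ever put back. EVENTS is transcribed from the tree; PROTECTED_DIRS, the stage names, the <file>.AclFile naming heuristic used to tie icacls /restore back to a file, and the verdict strings are this example's own choices.

```python
"""Flag the 'unlock a TrustedInstaller-owned file' sequence in process command lines.

Added example; not part of the sandbox report or of the installer. EVENTS is
transcribed from the process tree (pid, image, command line, in recorded order).
"""
import re
from collections import OrderedDict

PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
TRUSTED_INSTALLER = "nt service\\trustedinstaller"

EVENTS = [
    (1696, "taskkill.exe", '"C:\\Windows\\System32\\taskkill.exe" /f /im explorer.exe'),
    (1248, "icacls.exe", '"C:\\Windows\\System32\\icacls.exe" "C:\\Windows\\System32\\imageres.dll" '
                         '/save "Resource Files\\ACL\\System32\\imageres.dll.AclFile"'),
    (900, "takeown.exe", 'takeown /a /F "C:\\Windows\\System32\\imageres.dll"'),
    (360, "icacls.exe", 'icacls "C:\\Windows\\System32\\imageres.dll" /grant:r "Admin":F'),
    (1440, "icacls.exe", 'icacls "C:\\Windows\\System32\\imageres.dll" /grant:r "administrators":F'),
    (1856, "icacls.exe", 'icacls "C:\\Windows\\System32\\imageres.dll" /setowner "NT Service\\TrustedInstaller" /T /C'),
    (1860, "icacls.exe", 'icacls "C:\\Windows\\System32" /restore "Resource Files\\ACL\\System32\\imageres.dll.AclFile"'),
    (1692, "icacls.exe", '"C:\\Windows\\System32\\icacls.exe" "C:\\Windows\\SysWOW64\\imageres.dll" '
                         '/save "Resource Files\\ACL\\SysWOW64\\imageres.dll.AclFile"'),
    (860, "takeown.exe", 'takeown /a /F "C:\\Windows\\SysWOW64\\imageres.dll"'),
    (1660, "icacls.exe", 'icacls "C:\\Windows\\SysWOW64\\imageres.dll" /grant:r "Admin":F'),
    (716, "icacls.exe", 'icacls "C:\\Windows\\SysWOW64\\imageres.dll" /grant:r "administrators":F'),
]

# A token is a run of quoted segments and/or unquoted non-space characters, so
# "Admin":F stays one token and backslashes are kept literal (shlex in POSIX
# mode would treat them as escapes).
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')


def tokenize(cmdline):
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def is_protected(path):
    p = path.lower().rstrip("\\") + "\\"  # accept the directory itself as well as files in it
    return p.startswith(PROTECTED_DIRS)


def _arg_after(args, flag):
    for i, a in enumerate(args):
        if a.lower() == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def classify(image, cmdline):
    """Map one command line to (stage, target, detail), or None if uninteresting."""
    args = tokenize(cmdline)[1:]  # drop argv[0]; it may be a full path or a bare name
    lower = [a.lower() for a in args]
    name = image.lower()
    if name == "taskkill.exe" and "/f" in lower and "explorer.exe" in lower:
        return ("kill-explorer", "explorer.exe", "")
    if name == "takeown.exe":
        target = _arg_after(args, "/f")
        if target and is_protected(target):  # /A hands ownership to Administrators, not the caller
            return ("takeown", target, "Administrators" if "/a" in lower else "caller")
    if name == "icacls.exe" and args and is_protected(args[0]):
        target, rest = args[0], args[1:]
        for i, a in enumerate(rest):
            low, nxt = a.lower(), (rest[i + 1] if i + 1 < len(rest) else "")
            if low == "/save":
                return ("save-acl", target, nxt)
            if low.startswith("/grant"):  # /grant or /grant:r, argument is principal:rights
                principal, _, rights = nxt.rpartition(":")
                return ("grant", target, f"{principal}:{rights}")
            if low == "/setowner":
                return ("setowner", target, nxt)
            if low == "/restore":
                return ("restore-acl", target, nxt)
    return None


def verdict(stages):
    names = [s for s, _ in stages]
    loosened = "takeown" in names or any(s == "grant" and d.endswith(":F") for s, d in stages)
    handed_back = any(s == "setowner" and d.lower() == TRUSTED_INSTALLER for s, d in stages)
    if loosened and handed_back and "restore-acl" in names:
        return "protected file unlocked, then owner and ACL put back (tamper window closed)"
    if loosened:
        return "protected file left with weakened ACL (no restore seen)"
    return "ACL read only"


def analyze(events):
    """Group stages per protected file in recorded order and judge each file."""
    files, explorer_killed = OrderedDict(), False
    for pid, image, cmdline in events:
        hit = classify(image, cmdline)
        if hit is None:
            continue
        stage, target, detail = hit
        if stage == "kill-explorer":
            explorer_killed = True
            continue
        if stage == "restore-acl":
            # icacls /restore is given the directory; the dump's file name says which
            # file it covers. Heuristic: dumps are named <file>.AclFile, as in this trace.
            base = detail.rsplit("\\", 1)[-1]
            if base.lower().endswith(".aclfile"):
                target = target.rstrip("\\") + "\\" + base[: -len(".AclFile")]
        entry = files.setdefault(target.lower(), {"path": target, "stages": [], "pids": []})
        entry["stages"].append((stage, detail))
        entry["pids"].append(pid)
    for entry in files.values():
        entry["verdict"] = verdict(entry["stages"])
    return {"explorer_killed": explorer_killed, "files": files}


if __name__ == "__main__":
    report = analyze(EVENTS)
    print("explorer.exe killed:", report["explorer_killed"])
    for entry in report["files"].values():
        print(entry["path"], "->", entry["verdict"])
        for (stage, detail), pid in zip(entry["stages"], entry["pids"]):
            print(f"   pid {pid:>5}  {stage:<12} {detail}")
```

Run against the trace, the System32 copy comes out as "unlocked, then owner and ACL put back" and the SysWOW64 copy as "left with weakened ACL", which is exactly the asymmetry visible in the tree. The same rules work on EDR process-creation telemetry; the only field the example needs that the sandbox does not give is a timestamp, and recorded order stands in for it here.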
Downloads (dropped files, behavioral1)
- C:\Program Files (x86)\Aon - Gray\7z.exe (148KB)
  MD5 f3d2f74e271da7fa59d9a4c860e6f338
  SHA1 96e9fa8808fbe176494a624b4a7b5afc9306f93a
  SHA256 d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3
  SHA512 1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30
- C:\Program Files (x86)\Aon - Gray\Patcher.exe (465KB)
  MD5 e92786023781296f23db1d42be4148dc
  SHA1 f905ee76e91114db5278943a9b0db5493748dea5
  SHA256 908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8
  SHA512 2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0
- C:\Program Files (x86)\Aon - Gray\Patcher.ini (311B)
  MD5 796935772ac839e1d1efe29ae87a87f8
  SHA1 24fe87b39d5f0065584d9167bb2a0a534d200dce
  SHA256 c856b849708f175d087a09cd0b1fdf2b64e8a6de77f9dfdb9ae85640e642c62a
  SHA512 1f0d62370694c6216e0325d61446cd63247d1a64b0270d91f1e20eda6df6c577555c6611aa63a048f4ba2019e045af34c855340f9d07d164216c2ac56791fc76
- C:\Program Files (x86)\Aon - Gray\Patcher.log (218B)
  MD5 48964b0c8e3756c2c252682ed14cbe50
  SHA1 dbdf46ca980092d7c6dee1779686163ae4abc533
  SHA256 7be7719f0e0bd11ec9c180b74907a484181ff43393b86b38240ee33ee890007f
  SHA512 7c40e82cc632c4e71075399490eff4d483b812cd7944dc98dc198b9eae9ef1c6305151dd0ba592c8c56301a3754c33dfa01eb37e77334fd17767a14643b32568
- C:\Program Files (x86)\Aon - Gray\Resource Files\ACL\System32\imageres.dll.AclFile (302B)
  MD5 e215cac62f4c9190a204172e06952ab0
  SHA1 76837f17825e729cb2ccf4362d7fef00b00ed240
  SHA256 0a79f07fa1280e5cf07acef948aa6c3874fc5ad8e51d231cbc90a7ac05e779d5
  SHA512 5e63a1131b38e57b2f2ae4f76f1c149520cc41df2ae70ce1a2851aa0f219f299aba46b74efd5b4c5bf01a004901d46a06c7f97a37ecf829c7db19f5bad6af1c0
- C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\SysWOW64\imageres.dll (19.3MB)
  MD5 827cb0d6c3f8057ea037ff271f8e9795
  SHA1 4f8385c0a9f37b5c3c3fd3e339b680fb08758570
  SHA256 82760dbddd38d2a31caaf51d065df4e7e1d0f0c22733a0af653776ebf7b79470
  SHA512 6e65491629717a260eca32e3f1b65baf16f70fede0717391af4acaf0e9c83da479d62e5de9734f9bbf7773b0904f5623df717a7ca9a0f6806ca4807fcfaa6a09
- C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\System32\imageres.dll (19.3MB)
  MD5 5aa945234e9d4cce4f715276b9aa712c
  SHA1 dba3c8cecb3f8d4b1d96265d8519dbe0e911f446
  SHA256 65165bd131056816f009d987fc78ac86ffe0c3c38a27e73f873586b7ff4d59cf
  SHA512 acf0d5706662b3f4abb68b94aad9155c17dc74ccf3a92ed97c9bc2abdf4f8fd32705bb7692836452304301605561121b4ef2b82b81563f9bf2a9d1c71e8c6233
- C:\Program Files (x86)\Aon - Gray\Resource Files\Patch\System32\imageres.dll (21.5MB)
  MD5 5e1523ff85d086c59f57aaec8ea002fa
  SHA1 898326985a52913e2b4f5c31428b7f72bd220640
  SHA256 b575b79d859f8b9d7e25672a758c9fd3dfcaa9c46711a6749af8d00afcbe1deb
  SHA512 eeca13b0ca7d8c1b3af1effd677ea8e5beb50774323e3822a94616a7a74db6f4edbd9898afc15cae45d68aeedeca7a13ad68d91cb413d010e826f2cc4361b5f3
  The Patch\System32 copy is listed twice with different hashes: the 19.3MB file written by iPack_Installer.exe and the same path after Patcher.exe opened it for modification (see "Drops file in Program Files directory"), which is consistent with the resource rewrite growing the file to 21.5MB. Hashes of the staged System32 copy are therefore not a stable indicator; the 18.1MB imageres.dll.res below is the input that drives the change.
- C:\Program Files (x86)\Aon - Gray\Resource Files\imageres.dll.res (18.1MB)
  MD5 8ed3dab9948b129cf90c091f7d275688
  SHA1 17f1d1275a38d986846a61eb36a087cb6526cc3d
  SHA256 0903a63ad2e6ea65b0131520fcf29473294b57cd740c707637db66b347e43280
  SHA512 804f12f4423d8a96e3a9facd99ac752d7e9d85821fe22b2440f6b025aa1278a6e62a203cca95cde2f257dd16ee590e1dd808490fcd998af0f7702319eb8cb313
- C:\Program Files (x86)\Aon - Gray\Resource.7z (3.5MB)
  MD5 87f305bcfa75d8a70bbb11735ea3edb0
  SHA1 6ff92b7834506c5af99f881f0af50b8fc923aec0
  SHA256 8fc7c639bc114ce0ab497183ce368a9ede786896300f1a61eb9f13632b578dd8
  SHA512 9373f4d0084b004aecb814a3759f52efa63244a808ce0f8965e0d8dcae9b7f9ea66b4de5a8462e408190ea5f88037a233cbab4a4948d0714305c0d3ace026ddc
- C:\Program Files (x86)\Aon - Gray\Resource.iPack (3.5MB)
  MD5 b694032f47961b9559e23ab1d7a0a15c
  SHA1 841d8e112f7f3a81de78963ba964f2a839baac89
  SHA256 3a4a0cf23c21f8bbfa73d0c5a7c2baa9b8ab5b64bb6968a4a6f897fca97147fd
  SHA512 64bf3cec32035bc0af2b4f043cfbff9dec993c7a1a8663d2a4a1c6d3fbb1e5a3a2ecfa9cc8c2d63e94257aeeffb03732b88d62599831f0d8885c171cf7c30e83
- C:\Program Files (x86)\Aon - Gray\Setup files-iPack\Configuration.config (224B)
  MD5 0cdfb12465131d66540765c554d89352
  SHA1 ad21e927a53b04064df1b940f10f2418cc299c67
  SHA256 eea5f6428275ce65329a4f42a2219ad9c618195bf1735d3838d2aeee3eb53932
  SHA512 63ab0f9ada8ddcb6c462c3e70d13713541500c7d445ae2128141c5e5ce73d386292746818ad9dcdb265aa221df1734862e8a1537f7b4810c95cd37cd7f288fbd
- C:\Program Files (x86)\Aon - Gray\Setup files-iPack\License.txt (941B)
  MD5 a12a2d3a14e3a6dc6250bd7ab5e399c0
  SHA1 a9eb44510c98d2a066875e4e09904f70333cf8b6
  SHA256 7893df543413869f797b5733498b2027b2d69b4d3ec3bc998ba9c28e1b633e8d
  SHA512 af79120051d625288b670d2dc97ed8dcac18410a5763e936c8410a7e752294bf1085cce84405093648204be07232fda38fcf89a1dce1f2fec94069304b626454
- C:\Program Files (x86)\Aon - Gray\Setup files-iPack\header.png (18KB)
  MD5 05881c368816adce83f69ebe8cdd1e66
  SHA1 f96830c41d327e818c36662e1e08bee2b3fc30c7
  SHA256 95debde2e09114ccb0838aaa2a35dba65061c87cd3430bc1a1e0f05d14d930a2
  SHA512 28480acd811e0ef863b96aa141b5278f8ee16820c400359d70c6b2c8780f35a217c1e5f563aecbc6b4f80eddc399a3884835d1e63a03bc3a69c09d6cd26f573a
- C:\Program Files (x86)\Aon - Gray\Setup files-iPack\logo.png (21KB)
  MD5 21da3154a1bc6d1d582ba74191f6756e
  SHA1 2e48ce7cc1c888d2525750200e6dd21c14b7f59c
  SHA256 dea6f44854346692fc183119abed2de5848cadd47aa32d953a0b78ffa2a1868e
  SHA512 eb169f932b0741803f8f8d6adfac3253f86f57e103e8512d4da53775cca0d344fab8a83313c9014464d581210131b27c2170d1b198a17318c1090239a860d7b6
- C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe (1.0MB)
  MD5 26c04ae4db6ba6a5db686ca2ed4ea4be
  SHA1 e39ea2198cb8a1a6b3a545ebdbbd576cf4dd3090
  SHA256 390157b7661eb35b8e6081e667a745c370d418f3dc23421eebce957a080ee580
  SHA512 6ecc03c7cacf680d650646e8823ab5cc3145918ac5b86aecf962bb1680863e2ecb6081ba32229b740752afd29c7d76069d75c572b51adb25105705095f29cb57
- C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe.config (171B)
  MD5 cb143eef30f7ad481e715926b63928f4
  SHA1 4bb8ae8914d07d475c4c5bbf97abfa8c60544e00
  SHA256 6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17
  SHA512 e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d
- \Program Files (x86)\Aon - Gray\iPack_Installer.exe (1.0MB; recorded again under a drive-less path, same hashes as the C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe entry above)
  MD5 26c04ae4db6ba6a5db686ca2ed4ea4be
  SHA1 e39ea2198cb8a1a6b3a545ebdbbd576cf4dd3090
  SHA256 390157b7661eb35b8e6081e667a745c370d418f3dc23421eebce957a080ee580
  SHA512 6ecc03c7cacf680d650646e8823ab5cc3145918ac5b86aecf962bb1680863e2ecb6081ba32229b740752afd29c7d76069d75c572b51adb25105705095f29cb57
Memory (behavioral1; the 0x400000-based regions are the unpacked images of the UPX-packed processes)
- memory/360-81-0x0000000000000000-mapping.dmp
- memory/624-96-0x0000000000000000-mapping.dmp
- memory/716-101-0x0000000000000000-mapping.dmp
- memory/812-71-0x0000000000400000-0x000000000045A000-memory.dmp (360KB)
- memory/812-70-0x0000000000400000-0x000000000045A000-memory.dmp (360KB)
- memory/812-66-0x0000000000000000-mapping.dmp
- memory/860-99-0x0000000000000000-mapping.dmp
- memory/900-80-0x0000000000000000-mapping.dmp
- memory/1068-108-0x0000000000400000-0x0000000000521000-memory.dmp (1.1MB)
- memory/1068-102-0x0000000000000000-mapping.dmp
- memory/1248-78-0x0000000000000000-mapping.dmp
- memory/1440-82-0x0000000000000000-mapping.dmp
- memory/1496-92-0x0000000000000000-mapping.dmp
- memory/1600-87-0x0000000000400000-0x0000000000521000-memory.dmp (1.1MB)
- memory/1600-89-0x0000000000400000-0x0000000000521000-memory.dmp (1.1MB)
- memory/1600-90-0x0000000000400000-0x0000000000521000-memory.dmp (1.1MB)
- memory/1600-83-0x0000000000000000-mapping.dmp
- memory/1660-100-0x0000000000000000-mapping.dmp
- memory/1692-97-0x0000000000000000-mapping.dmp
- memory/1696-77-0x0000000000000000-mapping.dmp
- memory/1856-93-0x0000000000000000-mapping.dmp
- memory/1860-94-0x0000000000000000-mapping.dmp
- memory/1896-75-0x0000000001FA6000-0x0000000001FC5000-memory.dmp (124KB)
- memory/1896-69-0x0000000001FA6000-0x0000000001FC5000-memory.dmp (124KB)
- memory/1896-63-0x000007FEF3290000-0x000007FEF4326000-memory.dmp (16.6MB)
- memory/1896-62-0x000007FEF4570000-0x000007FEF4F93000-memory.dmp (10.1MB)
- memory/1896-58-0x0000000000000000-mapping.dmp
- memory/1968-74-0x0000000000400000-0x0000000000468000-memory.dmp (416KB)
- memory/1968-56-0x0000000000400000-0x0000000000468000-memory.dmp (416KB)
- memory/1968-55-0x00000000745B1000-0x00000000745B3000-memory.dmp (8KB)
- memory/1968-54-0x0000000075A11000-0x0000000075A13000-memory.dmp (8KB)
- memory/1980-98-0x0000000000000000-mapping.dmp
- memory/2024-79-0x0000000000000000-mapping.dmp