26b42ee65f7497b02efa5045ed9e0c4046586aec8c358ecf2547889891d8b26c

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
16-01-2023 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2. Pack Iconos/Aon - Gray.exe
Size

4.4MB
MD5

bff7417095395d262bec790273975d60
SHA1

eff00b178cb27f3710ebafde7cd53f14aa578ddf
SHA256

c41352f656666106081a6fe9fea78dca4d4c55ac3b96800f523d3cd2154ca2f9
SHA512

298d5e4f8654124ac443e193a958534377b67d90a02f3b0c1a15e181ee10e909b01b171d286619fca0053c4d2cab8b6bdf0a5084d024b56a8d81b0694d58b2ef
SSDEEP

98304:E0Y6JZd/pi/TZfeTP6SeM1lQkQF7h1ftDL1oiueCdc1MF+vUJSXLJasokc6:E0Y6T9wT4D65uuZhFJoiueScWF1JS7J1

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

iPack_Installer.exe7z.exe

pid process

5004 iPack_Installer.exe
4408 7z.exe

pid	process
5004	iPack_Installer.exe
4408	7z.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3112-132-0x0000000000400000-0x0000000000468000-memory.dmp	upx
C:\Program Files (x86)\Aon - Gray\7z.exe	upx
C:\Program Files (x86)\Aon - Gray\7z.exe	upx
behavioral2/memory/4408-146-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4408-148-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3112-149-0x0000000000400000-0x0000000000468000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Aon - Gray.exeiPack_Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Aon - Gray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	iPack_Installer.exe

Drops file in Program Files directory 25 IoCs

Processes:

Aon - Gray.exeiPack_Installer.exe7z.exe

description	ioc	process
File created	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\logo.png	Aon - Gray.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Resource.iPack	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\Patcher.exe	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Setup files-iPack	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\header.png	Aon - Gray.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\header.png	Aon - Gray.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\logo.png	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\License.txt	Aon - Gray.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe.config	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe	Aon - Gray.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe	Aon - Gray.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Resource Files\imagesp1.dll.res	7z.exe
File created	C:\Program Files (x86)\Aon - Gray\Resource Files\zipfldr.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Resource Files\zipfldr.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Resource Files	7z.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\License.txt	Aon - Gray.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\Configuration.config	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe.config	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\Resource.7z	iPack_Installer.exe
File created	C:\Program Files (x86)\Aon - Gray\Resource Files\imagesp1.dll.res	7z.exe
File created	C:\Program Files (x86)\Aon - Gray\Setup files-iPack\Configuration.config	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\Resource.iPack	Aon - Gray.exe
File created	C:\Program Files (x86)\Aon - Gray\7z.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Aon - Gray\Resource Files\imageres.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Aon - Gray\Resource Files\imageres.dll.res	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Aon - Gray.exe

pid process

3112 Aon - Gray.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iPack_Installer.exe

pid process

5004 iPack_Installer.exe
5004 iPack_Installer.exe

pid	process
3112	Aon - Gray.exe

pid	process
5004	iPack_Installer.exe
5004	iPack_Installer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Aon - Gray.exeiPack_Installer.exe

description	pid	process	target process
PID 3112 wrote to memory of 5004	3112	Aon - Gray.exe	iPack_Installer.exe
PID 3112 wrote to memory of 5004	3112	Aon - Gray.exe	iPack_Installer.exe
PID 5004 wrote to memory of 4408	5004	iPack_Installer.exe	7z.exe
PID 5004 wrote to memory of 4408	5004	iPack_Installer.exe	7z.exe
PID 5004 wrote to memory of 4408	5004	iPack_Installer.exe	7z.exe

C:\Users\Admin\AppData\Local\Temp\2. Pack Iconos\Aon - Gray.exe
"C:\Users\Admin\AppData\Local\Temp\2. Pack Iconos\Aon - Gray.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3112

C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe
"C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\Program Files (x86)\Aon - Gray\7z.exe
"C:\Program Files (x86)\Aon - Gray\7z.exe" x -y -bd "C:\Program Files (x86)\Aon - Gray\Resource.7z"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Aon - Gray\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Aon - Gray\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Aon - Gray\Resource.7z
Filesize
3.5MB

MD5
87f305bcfa75d8a70bbb11735ea3edb0

SHA1
6ff92b7834506c5af99f881f0af50b8fc923aec0

SHA256
8fc7c639bc114ce0ab497183ce368a9ede786896300f1a61eb9f13632b578dd8

SHA512
9373f4d0084b004aecb814a3759f52efa63244a808ce0f8965e0d8dcae9b7f9ea66b4de5a8462e408190ea5f88037a233cbab4a4948d0714305c0d3ace026ddc

Download Submit
C:\Program Files (x86)\Aon - Gray\Resource.iPack
Filesize
3.5MB

MD5
b694032f47961b9559e23ab1d7a0a15c

SHA1
841d8e112f7f3a81de78963ba964f2a839baac89

SHA256
3a4a0cf23c21f8bbfa73d0c5a7c2baa9b8ab5b64bb6968a4a6f897fca97147fd

SHA512
64bf3cec32035bc0af2b4f043cfbff9dec993c7a1a8663d2a4a1c6d3fbb1e5a3a2ecfa9cc8c2d63e94257aeeffb03732b88d62599831f0d8885c171cf7c30e83

Download Submit
C:\Program Files (x86)\Aon - Gray\Setup files-iPack\Configuration.config
Filesize
224B

MD5
0cdfb12465131d66540765c554d89352

SHA1
ad21e927a53b04064df1b940f10f2418cc299c67

SHA256
eea5f6428275ce65329a4f42a2219ad9c618195bf1735d3838d2aeee3eb53932

SHA512
63ab0f9ada8ddcb6c462c3e70d13713541500c7d445ae2128141c5e5ce73d386292746818ad9dcdb265aa221df1734862e8a1537f7b4810c95cd37cd7f288fbd

Download Submit
C:\Program Files (x86)\Aon - Gray\Setup files-iPack\License.txt
Filesize
941B

MD5
a12a2d3a14e3a6dc6250bd7ab5e399c0

SHA1
a9eb44510c98d2a066875e4e09904f70333cf8b6

SHA256
7893df543413869f797b5733498b2027b2d69b4d3ec3bc998ba9c28e1b633e8d

SHA512
af79120051d625288b670d2dc97ed8dcac18410a5763e936c8410a7e752294bf1085cce84405093648204be07232fda38fcf89a1dce1f2fec94069304b626454

Download Submit
C:\Program Files (x86)\Aon - Gray\Setup files-iPack\logo.png
Filesize
21KB

MD5
21da3154a1bc6d1d582ba74191f6756e

SHA1
2e48ce7cc1c888d2525750200e6dd21c14b7f59c

SHA256
dea6f44854346692fc183119abed2de5848cadd47aa32d953a0b78ffa2a1868e

SHA512
eb169f932b0741803f8f8d6adfac3253f86f57e103e8512d4da53775cca0d344fab8a83313c9014464d581210131b27c2170d1b198a17318c1090239a860d7b6

Download Submit
C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe
Filesize
1.0MB

MD5
26c04ae4db6ba6a5db686ca2ed4ea4be

SHA1
e39ea2198cb8a1a6b3a545ebdbbd576cf4dd3090

SHA256
390157b7661eb35b8e6081e667a745c370d418f3dc23421eebce957a080ee580

SHA512
6ecc03c7cacf680d650646e8823ab5cc3145918ac5b86aecf962bb1680863e2ecb6081ba32229b740752afd29c7d76069d75c572b51adb25105705095f29cb57

Download Submit
C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe
Filesize
1.0MB

MD5
26c04ae4db6ba6a5db686ca2ed4ea4be

SHA1
e39ea2198cb8a1a6b3a545ebdbbd576cf4dd3090

SHA256
390157b7661eb35b8e6081e667a745c370d418f3dc23421eebce957a080ee580

SHA512
6ecc03c7cacf680d650646e8823ab5cc3145918ac5b86aecf962bb1680863e2ecb6081ba32229b740752afd29c7d76069d75c572b51adb25105705095f29cb57

Download Submit
C:\Program Files (x86)\Aon - Gray\iPack_Installer.exe.config
Filesize
171B

MD5
cb143eef30f7ad481e715926b63928f4

SHA1
4bb8ae8914d07d475c4c5bbf97abfa8c60544e00

SHA256
6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17

SHA512
e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Download Submit
memory/3112-132-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3112-149-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4408-141-0x0000000000000000-mapping.dmp

Download
memory/4408-146-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4408-148-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5004-133-0x0000000000000000-mapping.dmp

Download
memory/5004-139-0x0000000000C7A000-0x0000000000C7F000-memory.dmp

Filesize
20KB

Download
memory/5004-137-0x00007FF868EE0000-0x00007FF869916000-memory.dmp

Filesize
10.2MB

Download
memory/5004-150-0x0000000000C7A000-0x0000000000C7F000-memory.dmp

Filesize
20KB

Download