hxxps://download2391[.]mediafire[.]com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack[.]exe

Resubmissions

02/04/2023, 07:26

230402-h9svnsfb86 8

02/04/2023, 07:25

230402-h8859sfb84 8

02/04/2023, 07:20

230402-h6jgtsfb69 8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2023, 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2391.mediafire.com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack.exe

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Downloads MZ/PE file

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
4772	icacls.exe
4640	takeown.exe
3752	icacls.exe
3148	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Win_Icon_Pack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	iPack_Installer.exe

Executes dropped EXE 4 IoCs

pid	Process
1816	Win_Icon_Pack.exe
1960	iPack_Installer.exe
1820	7z.exe
4332	Patcher.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3752	icacls.exe
3148	icacls.exe
4772	icacls.exe
4640	takeown.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001db2d-147.dat	upx
behavioral1/files/0x000600000001db2d-148.dat	upx
behavioral1/memory/1816-149-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1816-183-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/files/0x000200000001e701-197.dat	upx
behavioral1/files/0x000200000001e701-202.dat	upx
behavioral1/files/0x000200000001e701-204.dat	upx
behavioral1/memory/1820-206-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1820-216-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000200000001e703-264.dat	upx
behavioral1/files/0x000200000001e703-269.dat	upx
behavioral1/files/0x000200000001e703-270.dat	upx
behavioral1/memory/4332-274-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4332-279-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4332-280-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4332-284-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4332-287-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4332-291-0x0000000000400000-0x0000000000521000-memory.dmp	upx

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource.iPack	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource.iPack	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource.7z	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\zipfldr.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Windows 10 Insider.log	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imagesp1.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\ACL\System32\imageres.dll.AclFile	icacls.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Patch\System32\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.ini	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\zipfldr.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\7z.exe	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imagesp1.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.log	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config	Win_Icon_Pack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009865abc95f2d4b980000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009865abc90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809009865abc9000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009865abc900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2672	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d42e80ebae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2330232855"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387192247"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{72383A60-A601-4D75-834F-1B0CC82BE83C}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024452"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024452"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2330232855"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B4C01E01-D137-11ED-9EF6-FA48AF8140A7} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	4492	vssvc.exe
Token: SeRestorePrivilege	4492	vssvc.exe
Token: SeAuditPrivilege	4492	vssvc.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeTakeOwnershipPrivilege	4640	takeown.exe
Token: SeBackupPrivilege	4884	srtasks.exe
Token: SeRestorePrivilege	4884	srtasks.exe
Token: SeSecurityPrivilege	4884	srtasks.exe
Token: SeTakeOwnershipPrivilege	4884	srtasks.exe
Token: SeBackupPrivilege	4884	srtasks.exe
Token: SeRestorePrivilege	4884	srtasks.exe
Token: SeSecurityPrivilege	4884	srtasks.exe
Token: SeTakeOwnershipPrivilege	4884	srtasks.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
5056	iexplore.exe
5056	iexplore.exe
1816	Win_Icon_Pack.exe
5056	iexplore.exe
1960	iPack_Installer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5056	iexplore.exe
5056	iexplore.exe
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
1816	Win_Icon_Pack.exe
1960	iPack_Installer.exe
1960	iPack_Installer.exe
1820	7z.exe
4332	Patcher.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1280	5056	iexplore.exe	85
PID 5056 wrote to memory of 1280	5056	iexplore.exe	85
PID 5056 wrote to memory of 1280	5056	iexplore.exe	85
PID 5056 wrote to memory of 1816	5056	iexplore.exe	93
PID 5056 wrote to memory of 1816	5056	iexplore.exe	93
PID 5056 wrote to memory of 1816	5056	iexplore.exe	93
PID 1816 wrote to memory of 1960	1816	Win_Icon_Pack.exe	95
PID 1816 wrote to memory of 1960	1816	Win_Icon_Pack.exe	95
PID 1960 wrote to memory of 1820	1960	iPack_Installer.exe	96
PID 1960 wrote to memory of 1820	1960	iPack_Installer.exe	96
PID 1960 wrote to memory of 1820	1960	iPack_Installer.exe	96
PID 1960 wrote to memory of 2672	1960	iPack_Installer.exe	107
PID 1960 wrote to memory of 2672	1960	iPack_Installer.exe	107
PID 1960 wrote to memory of 4772	1960	iPack_Installer.exe	109
PID 1960 wrote to memory of 4772	1960	iPack_Installer.exe	109
PID 1960 wrote to memory of 4852	1960	iPack_Installer.exe	111
PID 1960 wrote to memory of 4852	1960	iPack_Installer.exe	111
PID 4852 wrote to memory of 4640	4852	cmd.exe	113
PID 4852 wrote to memory of 4640	4852	cmd.exe	113
PID 4852 wrote to memory of 3752	4852	cmd.exe	114
PID 4852 wrote to memory of 3752	4852	cmd.exe	114
PID 4852 wrote to memory of 3148	4852	cmd.exe	115
PID 4852 wrote to memory of 3148	4852	cmd.exe	115
PID 1960 wrote to memory of 4332	1960	iPack_Installer.exe	116
PID 1960 wrote to memory of 4332	1960	iPack_Installer.exe	116
PID 1960 wrote to memory of 4332	1960	iPack_Installer.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://download2391.mediafire.com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5056 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1280
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\Win_Icon_Pack.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\Win_Icon_Pack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe
    "C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Program Files (x86)\Windows 10 Insider\7z.exe
      "C:\Program Files (x86)\Windows 10 Insider\7z.exe" x -y -bd "C:\Program Files (x86)\Windows 10 Insider\Resource.7z"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:1820
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2672
  - - C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\System32\imageres.dll" /save "Resource Files\ACL\System32\imageres.dll.AclFile"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Drops file in Program Files directory
      PID:4772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\System32\imageres.dll" && icacls "C:\Windows\System32\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F && exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Windows\system32\takeown.exe
        
        takeown /a /F "C:\Windows\System32\imageres.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\imageres.dll" /grant:r "Admin":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3752
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3148
  - - C:\Program Files (x86)\Windows 10 Insider\Patcher.exe
      "C:\Program Files (x86)\Windows 10 Insider\Patcher.exe" -addoverwrite "Resource Files\Patch\System32\imageres.dll", "Resource Files\Patch\System32\imageres.dll", "Resource Files\imageres.dll.res" ,,,
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows 10 Insider\7z.exe

Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 10 Insider\7z.exe

Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 10 Insider\7z.exe

Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe

Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe

Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe

Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource Files\Patch\System32\imageres.dll

Filesize
2KB

MD5
620c454d6138083f146cd718cf3003e2

SHA1
155c86d26602058d21ce2cb0ba097292f4374d4a

SHA256
67c93e5c99187db024be2ddbf26020911d1f6e8836ddb2da2e51a87228c3182b

SHA512
c5cc55a32d29ed228982b16c1599e3293cd4540c67307837aab3dd5b7f46d5f858c60a7dc205fd2ef62e2464ffc1da22a0949dd6cd861cccd477e1cc2596b258

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res

Filesize
36.1MB

MD5
cdcf3c73452336ef09c2d6b149e00dc3

SHA1
50fef89141c4912e58ba8acf625b1274fd8129f8

SHA256
8015634f7a794831793baceea236a771d3edeaf1251be0beee67e03327692661

SHA512
1069e30ceaa4e098d3cc9b022a77a8ed2c4316c1d1394b729a01b9fbaed90d040d3138439c4cae1548f05be9270f2f9bea29f10f223f65ad4c1fdb861f95ef3f

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource.7z

Filesize
11.0MB

MD5
dab17c10540ea981f10b4748105a3d77

SHA1
a519f703f27e9b854e2abaa6547613851b107d68

SHA256
20ae9faeac4e7940a444728a349706822b22bde7194e228167cc0424cb861165

SHA512
4b45cc7f4ed50db62d829c0070da009611dc3838958e9365c51549f4d6111c83ec1aa399366c6fdb5f51fff644f1b8c686f5c49ca1e01daad0fe3ebc1f0ed91d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource.iPack

Filesize
11.0MB

MD5
c78e3a380550933edf0c910d164b2722

SHA1
c6c4245da1b27ecb559f547c76e3a9d97d4ad50c

SHA256
2418dfbdb9c97e90cf7eb63d249cef3c6efec5c183557ea131166baf5db1dc09

SHA512
2aa4fa14b0e4c4db3aa506398cb7d7470136df9d95869aa998f1b9ce42023d7763055821b65ec8eb97567e5c36baae42613a521f2dc5e4901eec2e71c484942d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config

Filesize
249B

MD5
d02ca78c6eefd91f71c7a7622e796370

SHA1
fb6d069345127acba59038030083742d2236a3d1

SHA256
cece5ea9e14a2821ee8fbd6616f6f93f73e7641f4715bc24e8a4dbeaeff1ef81

SHA512
e82b4cd02ffd0199068292d9fdb57d70bef29bc33eaef5e327293268d14ce7cebb03997a8048e93c8bb4fe4b2d5096608c17ffdeab98d09b60771c84665f023d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt

Filesize
941B

MD5
a12a2d3a14e3a6dc6250bd7ab5e399c0

SHA1
a9eb44510c98d2a066875e4e09904f70333cf8b6

SHA256
7893df543413869f797b5733498b2027b2d69b4d3ec3bc998ba9c28e1b633e8d

SHA512
af79120051d625288b670d2dc97ed8dcac18410a5763e936c8410a7e752294bf1085cce84405093648204be07232fda38fcf89a1dce1f2fec94069304b626454

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png

Filesize
18KB

MD5
05881c368816adce83f69ebe8cdd1e66

SHA1
f96830c41d327e818c36662e1e08bee2b3fc30c7

SHA256
95debde2e09114ccb0838aaa2a35dba65061c87cd3430bc1a1e0f05d14d930a2

SHA512
28480acd811e0ef863b96aa141b5278f8ee16820c400359d70c6b2c8780f35a217c1e5f563aecbc6b4f80eddc399a3884835d1e63a03bc3a69c09d6cd26f573a

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png

Filesize
21KB

MD5
21da3154a1bc6d1d582ba74191f6756e

SHA1
2e48ce7cc1c888d2525750200e6dd21c14b7f59c

SHA256
dea6f44854346692fc183119abed2de5848cadd47aa32d953a0b78ffa2a1868e

SHA512
eb169f932b0741803f8f8d6adfac3253f86f57e103e8512d4da53775cca0d344fab8a83313c9014464d581210131b27c2170d1b198a17318c1090239a860d7b6

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe

Filesize
988KB

MD5
028a0537a0f1ac78babb11d034d660cc

SHA1
6f0965382aab3b823c36b02a8be409be27cb09dc

SHA256
2cd7fabd158d1cd32de6063d03ca6aac3b3b1b877c64dffeed9c7255828d46b4

SHA512
1262ce416e62aa88c64ed01acb593786800487108d94ff48d2c2f69fba4f5cd8b66277a93954bb31911614cfff56eb9474ce992f4e176f4a215f010fdcdfd243

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe

Filesize
988KB

MD5
028a0537a0f1ac78babb11d034d660cc

SHA1
6f0965382aab3b823c36b02a8be409be27cb09dc

SHA256
2cd7fabd158d1cd32de6063d03ca6aac3b3b1b877c64dffeed9c7255828d46b4

SHA512
1262ce416e62aa88c64ed01acb593786800487108d94ff48d2c2f69fba4f5cd8b66277a93954bb31911614cfff56eb9474ce992f4e176f4a215f010fdcdfd243

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe

Filesize
988KB

MD5
028a0537a0f1ac78babb11d034d660cc

SHA1
6f0965382aab3b823c36b02a8be409be27cb09dc

SHA256
2cd7fabd158d1cd32de6063d03ca6aac3b3b1b877c64dffeed9c7255828d46b4

SHA512
1262ce416e62aa88c64ed01acb593786800487108d94ff48d2c2f69fba4f5cd8b66277a93954bb31911614cfff56eb9474ce992f4e176f4a215f010fdcdfd243

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config

Filesize
171B

MD5
cb143eef30f7ad481e715926b63928f4

SHA1
4bb8ae8914d07d475c4c5bbf97abfa8c60544e00

SHA256
6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17

SHA512
e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6K3GJRJ1\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\Win_Icon_Pack.exe

Filesize
11.9MB

MD5
31214ab9b12c4185a07da2331b2e09db

SHA1
8a6d6275c564c3098d4346f915b365f23ce16b8b

SHA256
f70bd9ffc1c5f7e0b55dcdfea45c15a2febd1709f1ef1d8b6d3d88f37755d2b3

SHA512
a649c7d9090682016fc2247b9072bf9f84bb2d56db8b83baa75c80a9ccf0debd9d324d4b4577c0b0f0c720e1375fdda20ad69edb4fe2cf212e36377d74d62868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUIKWEAJ\Win_Icon_Pack.exe.shuppe6.partial

Filesize
11.9MB

MD5
31214ab9b12c4185a07da2331b2e09db

SHA1
8a6d6275c564c3098d4346f915b365f23ce16b8b

SHA256
f70bd9ffc1c5f7e0b55dcdfea45c15a2febd1709f1ef1d8b6d3d88f37755d2b3

SHA512
a649c7d9090682016fc2247b9072bf9f84bb2d56db8b83baa75c80a9ccf0debd9d324d4b4577c0b0f0c720e1375fdda20ad69edb4fe2cf212e36377d74d62868

Download Submit
memory/1816-183-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1816-149-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1820-216-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1820-206-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1960-181-0x000000001D530000-0x000000001D57C000-memory.dmp

Filesize
304KB

Download
memory/1960-180-0x0000000001270000-0x0000000001278000-memory.dmp

Filesize
32KB

Download
memory/1960-187-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-186-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-185-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-209-0x0000000020B50000-0x00000000221C7000-memory.dmp

Filesize
22.5MB

Download
memory/1960-184-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-217-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-225-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-226-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-228-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-229-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-230-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-231-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-182-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-192-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-252-0x0000000000FE0000-0x00000000010E0000-memory.dmp

Filesize
1024KB

Download
memory/1960-255-0x0000000000FE0000-0x00000000010E0000-memory.dmp

Filesize
1024KB

Download
memory/1960-179-0x000000001D2D0000-0x000000001D36C000-memory.dmp

Filesize
624KB

Download
memory/1960-178-0x000000001CCC0000-0x000000001D18E000-memory.dmp

Filesize
4.8MB

Download
memory/1960-177-0x000000001C740000-0x000000001C7E6000-memory.dmp

Filesize
664KB

Download
memory/1960-176-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/1960-175-0x00000000008F0000-0x00000000009EE000-memory.dmp

Filesize
1016KB

Download
memory/1960-281-0x0000000000FE0000-0x00000000010E0000-memory.dmp

Filesize
1024KB

Download
memory/1960-276-0x0000000000FE0000-0x00000000010E0000-memory.dmp

Filesize
1024KB

Download
memory/4332-275-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4332-279-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4332-280-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4332-274-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4332-284-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4332-287-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4332-291-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads