hxxps://download2391[.]mediafire[.]com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack[.]exe

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
02-04-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2391.mediafire.com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack.exe

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Downloads MZ/PE file
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exe

pid process

4324 icacls.exe
4252 takeown.exe
5044 icacls.exe
3324 icacls.exe
Executes dropped EXE 4 IoCs

Processes:

Win_Icon_Pack.exeiPack_Installer.exe7z.exePatcher.exe

pid process

4664 Win_Icon_Pack.exe
1164 iPack_Installer.exe
3336 7z.exe
4012 Patcher.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exe

pid process

4324 icacls.exe
4252 takeown.exe
5044 icacls.exe
3324 icacls.exe

pid	process
4324	icacls.exe
4252	takeown.exe
5044	icacls.exe
3324	icacls.exe

pid	process
4664	Win_Icon_Pack.exe
1164	iPack_Installer.exe
3336	7z.exe
4012	Patcher.exe

pid	process
4324	icacls.exe
4252	takeown.exe
5044	icacls.exe
3324	icacls.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\Win_Icon_Pack.exe.xokjxb1.partial	upx
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\Win_Icon_Pack.exe	upx
behavioral1/memory/4664-141-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/4664-168-0x0000000000400000-0x0000000000453000-memory.dmp	upx
C:\Program Files (x86)\Windows 10 Insider\7z.exe	upx
C:\Program Files (x86)\Windows 10 Insider\7z.exe	upx
behavioral1/memory/3336-189-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/3336-196-0x0000000000400000-0x000000000045A000-memory.dmp	upx
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe	upx
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe	upx
behavioral1/memory/4012-223-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-229-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-231-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-233-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-266-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-268-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-270-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-272-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-274-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-276-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-278-0x0000000000400000-0x0000000000521000-memory.dmp	upx
behavioral1/memory/4012-280-0x0000000000400000-0x0000000000521000-memory.dmp	upx

Drops file in Program Files directory 32 IoCs

Processes:

Win_Icon_Pack.exeiPack_Installer.exe7z.exeicacls.exePatcher.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\zipfldr.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\ACL\System32\imageres.dll.AclFile	icacls.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Windows 10 Insider.log	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\zipfldr.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\7z.exe	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imagesp1.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Backup\System32\imageres.dll	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.log	Patcher.exe
File created	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource.7z	iPack_Installer.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource.iPack	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imagesp1.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\Patch\System32\imageres.dll	iPack_Installer.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource.iPack	Win_Icon_Pack.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res	7z.exe
File created	C:\Program Files (x86)\Windows 10 Insider\Patcher.ini	Patcher.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt	Win_Icon_Pack.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Resource Files	7z.exe
File opened for modification	C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack	Win_Icon_Pack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4820 taskkill.exe

pid	process
4820	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 448d7bd89445d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3DA81BF8-D12D-11ED-9346-FEBD14D28120} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "387187751"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31024442"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "311551160"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "387204345"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024442"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "323113907"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31024442"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{31E9F18E-B160-48AF-A3C2-A417A305C0C7}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "311551160"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "387236337"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iPack_Installer.exe

pid process

1164 iPack_Installer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetakeown.exe

description pid process

Token: SeDebugPrivilege 4820 taskkill.exe
Token: SeTakeOwnershipPrivilege 4252 takeown.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeWin_Icon_Pack.exe

pid process

2456 iexplore.exe
2456 iexplore.exe
4664 Win_Icon_Pack.exe

pid	process
1164	iPack_Installer.exe

description	pid	process
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeTakeOwnershipPrivilege	4252	takeown.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXEWin_Icon_Pack.exeiPack_Installer.exe7z.exePatcher.exe

pid	process
2456	iexplore.exe
2456	iexplore.exe
2948	IEXPLORE.EXE
2948	IEXPLORE.EXE
4664	Win_Icon_Pack.exe
1164	iPack_Installer.exe
1164	iPack_Installer.exe
3336	7z.exe
4012	Patcher.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

iexplore.exeWin_Icon_Pack.exeiPack_Installer.execmd.exe

description	pid	process	target process
PID 2456 wrote to memory of 2948	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2948	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 2948	2456	iexplore.exe	IEXPLORE.EXE
PID 2456 wrote to memory of 4664	2456	iexplore.exe	Win_Icon_Pack.exe
PID 2456 wrote to memory of 4664	2456	iexplore.exe	Win_Icon_Pack.exe
PID 2456 wrote to memory of 4664	2456	iexplore.exe	Win_Icon_Pack.exe
PID 4664 wrote to memory of 1164	4664	Win_Icon_Pack.exe	iPack_Installer.exe
PID 4664 wrote to memory of 1164	4664	Win_Icon_Pack.exe	iPack_Installer.exe
PID 1164 wrote to memory of 3336	1164	iPack_Installer.exe	7z.exe
PID 1164 wrote to memory of 3336	1164	iPack_Installer.exe	7z.exe
PID 1164 wrote to memory of 3336	1164	iPack_Installer.exe	7z.exe
PID 1164 wrote to memory of 4820	1164	iPack_Installer.exe	taskkill.exe
PID 1164 wrote to memory of 4820	1164	iPack_Installer.exe	taskkill.exe
PID 1164 wrote to memory of 4324	1164	iPack_Installer.exe	icacls.exe
PID 1164 wrote to memory of 4324	1164	iPack_Installer.exe	icacls.exe
PID 1164 wrote to memory of 4884	1164	iPack_Installer.exe	cmd.exe
PID 1164 wrote to memory of 4884	1164	iPack_Installer.exe	cmd.exe
PID 4884 wrote to memory of 4252	4884	cmd.exe	takeown.exe
PID 4884 wrote to memory of 4252	4884	cmd.exe	takeown.exe
PID 4884 wrote to memory of 5044	4884	cmd.exe	icacls.exe
PID 4884 wrote to memory of 5044	4884	cmd.exe	icacls.exe
PID 4884 wrote to memory of 3324	4884	cmd.exe	icacls.exe
PID 4884 wrote to memory of 3324	4884	cmd.exe	icacls.exe
PID 1164 wrote to memory of 4012	1164	iPack_Installer.exe	Patcher.exe
PID 1164 wrote to memory of 4012	1164	iPack_Installer.exe	Patcher.exe
PID 1164 wrote to memory of 4012	1164	iPack_Installer.exe	Patcher.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://download2391.mediafire.com/dwrifu0d8gngU1esXtH9eVSh1KCRcInDOWqTuzPxia5JviSSG4y4G0r5nZRgM5q6ZIvWFgwR9uIt89n4tNwmhEHZr6M8/edxrydvanz0j7ac/Win_Icon_Pack.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\Win_Icon_Pack.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\Win_Icon_Pack.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe
"C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1164

C:\Program Files (x86)\Windows 10 Insider\7z.exe
"C:\Program Files (x86)\Windows 10 Insider\7z.exe" x -y -bd "C:\Program Files (x86)\Windows 10 Insider\Resource.7z"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3336

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\Windows\System32\imageres.dll" /save "Resource Files\ACL\System32\imageres.dll.AclFile"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in Program Files directory
PID:4324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\System32\imageres.dll" && icacls "C:\Windows\System32\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F && exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\takeown.exe
takeown /a /F "C:\Windows\System32\imageres.dll"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\imageres.dll" /grant:r "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5044

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3324

C:\Program Files (x86)\Windows 10 Insider\Patcher.exe
"C:\Program Files (x86)\Windows 10 Insider\Patcher.exe" -addoverwrite "Resource Files\Patch\System32\imageres.dll", "Resource Files\Patch\System32\imageres.dll", "Resource Files\imageres.dll.res" ,,,
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows 10 Insider\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 10 Insider\7z.exe
Filesize
148KB

MD5
f3d2f74e271da7fa59d9a4c860e6f338

SHA1
96e9fa8808fbe176494a624b4a7b5afc9306f93a

SHA256
d2c632a87f70039f8812f0bd5602379e288bfac237b0fce41cb5d8c757c70be3

SHA512
1553ba5d27ef59015ee4ff05e37d79a3da5d2257de193e61800f587917dbc5ba97e1d499448b41e370962b977570a4ea1c936e791d886e71384edaba39d5fe30

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe
Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Patcher.exe
Filesize
465KB

MD5
e92786023781296f23db1d42be4148dc

SHA1
f905ee76e91114db5278943a9b0db5493748dea5

SHA256
908a411ec3b024b1af6538a6ed00dd0ffc98c9337a657cc4c9531a24e852ede8

SHA512
2c5e78e5fe3b63db4919976e2273f398a04928f0ed7f1538aadba82de98b862bc0cef2ee4607be139169d4f1d6ae5a0388f2f88f9d5ec30331eb95a4da0082e0

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource Files\Patch\System32\imageres.dll
Filesize
22.5MB

MD5
ef790f21def0d06d9bc23978de3d8cd4

SHA1
a34367b94b0095cd12528a00e5cc07a57c20269a

SHA256
078d93433a113e458677df1cb6c323c27f33fc641bb1307ba7eb75ba5724037e

SHA512
bfe5a0018d5f4490fdec0190005e70762dd0d6745dae68d16494b4b574f11098dab1687a45f248415ed219a96a0d1a11e9e8c34d25c49da7ccacb2dabfeccbfc

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource Files\imageres.dll.res
Filesize
36.1MB

MD5
cdcf3c73452336ef09c2d6b149e00dc3

SHA1
50fef89141c4912e58ba8acf625b1274fd8129f8

SHA256
8015634f7a794831793baceea236a771d3edeaf1251be0beee67e03327692661

SHA512
1069e30ceaa4e098d3cc9b022a77a8ed2c4316c1d1394b729a01b9fbaed90d040d3138439c4cae1548f05be9270f2f9bea29f10f223f65ad4c1fdb861f95ef3f

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource.7z
Filesize
11.0MB

MD5
dab17c10540ea981f10b4748105a3d77

SHA1
a519f703f27e9b854e2abaa6547613851b107d68

SHA256
20ae9faeac4e7940a444728a349706822b22bde7194e228167cc0424cb861165

SHA512
4b45cc7f4ed50db62d829c0070da009611dc3838958e9365c51549f4d6111c83ec1aa399366c6fdb5f51fff644f1b8c686f5c49ca1e01daad0fe3ebc1f0ed91d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Resource.iPack
Filesize
11.0MB

MD5
c78e3a380550933edf0c910d164b2722

SHA1
c6c4245da1b27ecb559f547c76e3a9d97d4ad50c

SHA256
2418dfbdb9c97e90cf7eb63d249cef3c6efec5c183557ea131166baf5db1dc09

SHA512
2aa4fa14b0e4c4db3aa506398cb7d7470136df9d95869aa998f1b9ce42023d7763055821b65ec8eb97567e5c36baae42613a521f2dc5e4901eec2e71c484942d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\Configuration.config
Filesize
249B

MD5
d02ca78c6eefd91f71c7a7622e796370

SHA1
fb6d069345127acba59038030083742d2236a3d1

SHA256
cece5ea9e14a2821ee8fbd6616f6f93f73e7641f4715bc24e8a4dbeaeff1ef81

SHA512
e82b4cd02ffd0199068292d9fdb57d70bef29bc33eaef5e327293268d14ce7cebb03997a8048e93c8bb4fe4b2d5096608c17ffdeab98d09b60771c84665f023d

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\License.txt
Filesize
941B

MD5
a12a2d3a14e3a6dc6250bd7ab5e399c0

SHA1
a9eb44510c98d2a066875e4e09904f70333cf8b6

SHA256
7893df543413869f797b5733498b2027b2d69b4d3ec3bc998ba9c28e1b633e8d

SHA512
af79120051d625288b670d2dc97ed8dcac18410a5763e936c8410a7e752294bf1085cce84405093648204be07232fda38fcf89a1dce1f2fec94069304b626454

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\header.png
Filesize
18KB

MD5
05881c368816adce83f69ebe8cdd1e66

SHA1
f96830c41d327e818c36662e1e08bee2b3fc30c7

SHA256
95debde2e09114ccb0838aaa2a35dba65061c87cd3430bc1a1e0f05d14d930a2

SHA512
28480acd811e0ef863b96aa141b5278f8ee16820c400359d70c6b2c8780f35a217c1e5f563aecbc6b4f80eddc399a3884835d1e63a03bc3a69c09d6cd26f573a

Download Submit
C:\Program Files (x86)\Windows 10 Insider\Setup files-iPack\logo.png
Filesize
21KB

MD5
21da3154a1bc6d1d582ba74191f6756e

SHA1
2e48ce7cc1c888d2525750200e6dd21c14b7f59c

SHA256
dea6f44854346692fc183119abed2de5848cadd47aa32d953a0b78ffa2a1868e

SHA512
eb169f932b0741803f8f8d6adfac3253f86f57e103e8512d4da53775cca0d344fab8a83313c9014464d581210131b27c2170d1b198a17318c1090239a860d7b6

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe
Filesize
988KB

MD5
028a0537a0f1ac78babb11d034d660cc

SHA1
6f0965382aab3b823c36b02a8be409be27cb09dc

SHA256
2cd7fabd158d1cd32de6063d03ca6aac3b3b1b877c64dffeed9c7255828d46b4

SHA512
1262ce416e62aa88c64ed01acb593786800487108d94ff48d2c2f69fba4f5cd8b66277a93954bb31911614cfff56eb9474ce992f4e176f4a215f010fdcdfd243

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe
Filesize
988KB

MD5
028a0537a0f1ac78babb11d034d660cc

SHA1
6f0965382aab3b823c36b02a8be409be27cb09dc

SHA256
2cd7fabd158d1cd32de6063d03ca6aac3b3b1b877c64dffeed9c7255828d46b4

SHA512
1262ce416e62aa88c64ed01acb593786800487108d94ff48d2c2f69fba4f5cd8b66277a93954bb31911614cfff56eb9474ce992f4e176f4a215f010fdcdfd243

Download Submit
C:\Program Files (x86)\Windows 10 Insider\iPack_Installer.exe.config
Filesize
171B

MD5
cb143eef30f7ad481e715926b63928f4

SHA1
4bb8ae8914d07d475c4c5bbf97abfa8c60544e00

SHA256
6105a59eaa1401813a363239fb193a79179d3abc93abc4f65f180e60770b6e17

SHA512
e3067b72b255772a73d8ea4564e4874008fb52de9e18cfcdfda547408288826629f1f2ce7c0efb07b9528d34e0efd0635b91560df50f12edd4b5c19cef5af19d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
c5f20d91cc08608a86cdf45c1e06e8b5

SHA1
c0fce1c4a306dc0bf372ed0907cf8b7f4a2d4d37

SHA256
48506ee2253275198c9205a541e4fc2a20a31c359ad3206550a678d1cc267a95

SHA512
3f2a0dff529fab989e0afaf3c4c43f9d1f847f8569006f5afa3ea50245e364b363fd2d8b6c9dfa8837d8cf59c1a56ec41f03f0ff6acb82e5df9980c0be3e3da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
0a7768c6c6bee365d333c622139f08fe

SHA1
ba71b1ee068ffdd3e74721b39dabdcdadcfd0b55

SHA256
d47e0b875a372922e7c5647459dacedc5b06f4d008bb777bc2c1029da5e35ab6

SHA512
bf0aa9b1bed6d4c5b125464d6dbafdefb473c89fab3ab0e4028319181b2fde5d1b050ccc0b5f0132c469184920c20efd830d4ae245ead62dbc6e2324a631ab85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F0WVC1MM\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\Win_Icon_Pack.exe
Filesize
11.9MB

MD5
31214ab9b12c4185a07da2331b2e09db

SHA1
8a6d6275c564c3098d4346f915b365f23ce16b8b

SHA256
f70bd9ffc1c5f7e0b55dcdfea45c15a2febd1709f1ef1d8b6d3d88f37755d2b3

SHA512
a649c7d9090682016fc2247b9072bf9f84bb2d56db8b83baa75c80a9ccf0debd9d324d4b4577c0b0f0c720e1375fdda20ad69edb4fe2cf212e36377d74d62868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\Win_Icon_Pack.exe.xokjxb1.partial
Filesize
11.9MB

MD5
31214ab9b12c4185a07da2331b2e09db

SHA1
8a6d6275c564c3098d4346f915b365f23ce16b8b

SHA256
f70bd9ffc1c5f7e0b55dcdfea45c15a2febd1709f1ef1d8b6d3d88f37755d2b3

SHA512
a649c7d9090682016fc2247b9072bf9f84bb2d56db8b83baa75c80a9ccf0debd9d324d4b4577c0b0f0c720e1375fdda20ad69edb4fe2cf212e36377d74d62868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\UOHHMW4N.cookie
Filesize
608B

MD5
9a6c565164c1f6da60051e46073e57e6

SHA1
4b41be2a66774b576c35914d2081e2417596fbd4

SHA256
ee5f21b02bd30fc6f05d84e182ac0651a6aab65dfcf691c936fe7f5f0e64646a

SHA512
64f874ecd287ec2749da6c075c69aa060452fc118657e2fa0c13e6cc3f17b261b3c5cd2afea34731ee502cea3b980d6c62aa6a661c0f26c66614036b1c689875

Download Submit
memory/1164-169-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-218-0x0000000020C90000-0x0000000020D90000-memory.dmp

Filesize
1024KB

Download
memory/1164-178-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-176-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-175-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-171-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-170-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-163-0x000000001B540000-0x000000001B5E6000-memory.dmp

Filesize
664KB

Download
memory/1164-230-0x0000000020C90000-0x0000000020D90000-memory.dmp

Filesize
1024KB

Download
memory/1164-197-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-161-0x0000000000560000-0x000000000065E000-memory.dmp

Filesize
1016KB

Download
memory/1164-167-0x000000001C290000-0x000000001C2DC000-memory.dmp

Filesize
304KB

Download
memory/1164-166-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/1164-209-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-210-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-211-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-212-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-213-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-214-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-162-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/1164-165-0x000000001C030000-0x000000001C0CC000-memory.dmp

Filesize
624KB

Download
memory/1164-164-0x000000001BAC0000-0x000000001BF8E000-memory.dmp

Filesize
4.8MB

Download
memory/1164-179-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/3336-196-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3336-189-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4012-231-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-266-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-224-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4012-223-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-233-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-280-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-278-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-229-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-268-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-270-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-272-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-274-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4012-276-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/4664-141-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4664-168-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download