43c540de797db56cf1356b605a5c6ccf70f28b771a072ab3da913b9441d4635b

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aqvpn.exe
Size

484KB
MD5

95938c6c0c44959418a928bcbca7111d
SHA1

ab2b2fe5ff5ebcc7be946bd557cd0b792418db76
SHA256

43c540de797db56cf1356b605a5c6ccf70f28b771a072ab3da913b9441d4635b
SHA512

0fadfe4c652cad70acbc6d5579921d9efb5d0abfc1ca419be19c0396dd8ff9069d9ffd4d03519e52d1b08d6c9258d0ff15625bf1df9960fe6d11bb718c3043c6
SSDEEP

12288:lrH3bZ+EF68HVIGcg4Bot+ypGX4HBdYMP:l7LZ+EF6iVPcgQofpGXsBdn

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1856	cmstp.exe

Loads dropped DLL 7 IoCs

pid	Process
1520	aqvpn.exe
1520	aqvpn.exe
1520	aqvpn.exe
1520	aqvpn.exe
1520	aqvpn.exe
1856	cmstp.exe
1856	cmstp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	aqvpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aqvpn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1856	1520	aqvpn.exe	28
PID 1520 wrote to memory of 1856	1520	aqvpn.exe	28
PID 1520 wrote to memory of 1856	1520	aqvpn.exe	28
PID 1520 wrote to memory of 1856	1520	aqvpn.exe	28
PID 1520 wrote to memory of 1856	1520	aqvpn.exe	28
PID 1520 wrote to memory of 1856	1520	aqvpn.exe	28
PID 1520 wrote to memory of 1856	1520	aqvpn.exe	28
PID 1856 wrote to memory of 924	1856	cmstp.exe	29
PID 1856 wrote to memory of 924	1856	cmstp.exe	29
PID 1856 wrote to memory of 924	1856	cmstp.exe	29
PID 1856 wrote to memory of 924	1856	cmstp.exe	29
PID 1856 wrote to memory of 924	1856	cmstp.exe	29
PID 1856 wrote to memory of 924	1856	cmstp.exe	29
PID 1856 wrote to memory of 924	1856	cmstp.exe	29

C:\Users\Admin\AppData\Local\Temp\aqvpn.exe
"C:\Users\Admin\AppData\Local\Temp\aqvpn.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\.\cmstp.exe aqvpn.inf
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\SysWOW64\cmstp.exe
    "C:\Windows\system32\cmstp.exe" "C:\Users\Admin\AppData\Local\Temp\{044441A4-623B-43E0-8483-E6EF465938A7}\aqvpn.inf"
    3⤵
    PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.dll

Filesize
125KB

MD5
8fed1e0a491d4990853d23f21c59c730

SHA1
42aed9decc353e31b4de871fd1ea7137c3c2fff0

SHA256
4ba6c93bfd43baeb852b5cb9129522c97ddb542d7ef8ee34aecd8cdf1bf0fc38

SHA512
f5954d2849a6e6527241c97b584fac6ec984aede557b3c4b3f2b6c520b37a345a0fa92e9e50d5c5bd15be21284c01eaf37246f55d637fee23190c31c761edd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aqvpn.cmp

Filesize
78B

MD5
0103025fcf2da8a40253a56ea95a0a2a

SHA1
17e3616bb004aba58dc45c235b7b24442dcd0434

SHA256
12dc8fd3eb7a49c8c8846e135d97104f41f2005e1ac78b089f08cf82c43b9a97

SHA512
e6dc5cac3dc750912185e2275d20b693f7475873923fa0f9795ab2748ba3518669e5570e283289980a41f66841f6022cc631330b7115b29d5b105abd80cab525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aqvpn.cms

Filesize
2KB

MD5
6d91c9015e3f8a6098fa52fa10e0e6e6

SHA1
1fbc29f49e327562c498b3b00ce621a21f9c74cf

SHA256
4f87f525676d3a4150f6c13aeb0278fd741439e47d24c2d797c56a75515b2165

SHA512
2d5fbed468ffc40f618fdfd15e3a20225d00044eed9b2dacf758b29b0d65f8c927042b4075c12771db4dd8adbcfaa2820acdf3471172a67bd2d9cec255919127

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aqvpn.inf

Filesize
9KB

MD5
22a5f4886eebd571497c8a0a08ad7a59

SHA1
5610b724f6bda7f5366a0aa6fa876b3be7c4660d

SHA256
9530732bb7d241774873e9379f4df28878150d162abb3ea92581521cdc15741d

SHA512
a3cc86a8881d7fa5281071bb94bf032ef4f1af43fc7be8b8d6ef611f7df0b1602ddfa258e0a094dc22af50f2b83bbb58428e2312411bd4d56edb7fd5edb5a400

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ccfg95.dll

Filesize
28KB

MD5
1fcb816813d29ce64904e9ca6515fc0c

SHA1
99aaec91ea2cac43c2d92bc9a2ddcb784d8c886c

SHA256
8e7b08504c9de7a3ef7c7702d5fd31483f2c5acca39dfde2b811dce4b062416b

SHA512
ff52c5fc39f2f798b3a77a59e502a3944097b6f805da011cf76d7df0f054e9e7592be1b363cb8777ee8ffd7e347d0fd693e20654ea6a00ceec168e54574dc6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmbins.exe

Filesize
313KB

MD5
63c14f2b2c12dcbeaa95e84293d84e50

SHA1
655d52ae76eddcf28b0a68f780d1c68adbd56067

SHA256
1de8e160901fa76f299e79311824da6b6b45b34d38ca9e19b4d6961cbe381a33

SHA512
a3d8f0c00e347c86c7c094e62be799d588cd2884cefde577960feb1d12e0ad675b11e635af177c13b411146e582747a1e6183d66dd6f8640178b5987ee69f392

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmexcept.cat

Filesize
12KB

MD5
9eaa743015f06960d0bcad1e28df47ba

SHA1
700ef5e730eeebb99a534627bc72580afe2368cc

SHA256
d1203c03952558d835adf11e993f2f546e47f39eb93881122cfe61c2d6963dd7

SHA512
747147ae37bd4c9814b43a02269c5cda9dead5cbc76ee2145cfa6451479961bd5b0516581aa94616bb4cfc0ea26b23db3db00202e0f1ae1a712a2844e715a109

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe

Filesize
60KB

MD5
9f7806c29164c370c71a89dc2382cc8a

SHA1
b8c3bdc95e1a4ffe7bdc01802e7a52fbe3bff98c

SHA256
46599b3bb282ceedab57d90174398b06460fff6f8de702107302524814821423

SHA512
79e89e1df100a3772620ba5dd7289c563df6b561952e0bca0dff6f2bb1ec367ffae2aff66cf3659cd45acc47962bc41e48755fd8a584b476bd537504a443fbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe

Filesize
60KB

MD5
9f7806c29164c370c71a89dc2382cc8a

SHA1
b8c3bdc95e1a4ffe7bdc01802e7a52fbe3bff98c

SHA256
46599b3bb282ceedab57d90174398b06460fff6f8de702107302524814821423

SHA512
79e89e1df100a3772620ba5dd7289c563df6b561952e0bca0dff6f2bb1ec367ffae2aff66cf3659cd45acc47962bc41e48755fd8a584b476bd537504a443fbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmutoa.dll

Filesize
58KB

MD5
0e32d2d1100719d8c8ee05d08d528ecf

SHA1
edc74168a63bf1282a1cbbd764bbacc83fb07cd2

SHA256
37eeb1df2c220ec65e86e60878f8c9aad6e72490a7e806d291ebfc2da41e04aa

SHA512
a4dbb12d29b5adce47ad5ddeca58d1b18e8b732addc8bd3cb6dae90ac1e6b62665d85c9bae296882286ccb740606be7881f11279174ca7f63178b4e1d4d655f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cnet16.dll

Filesize
43KB

MD5
45d33d4a695b7f584e4765a293807c86

SHA1
0aaeb1d43379b33b4b4e318659f5e6d188bc6286

SHA256
f24d399046595b007e0581c8af5670624becc366eb68d8a4a6e6cde12d758206

SHA512
95e6966e71627c32cb48f6a0462cb64503bf1c484ec95126dd944f0a138f5bb79f8e06eda329da7481020f5bb4f7950cbcb50b635044c07c6d405fcd04b52759

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\instcm.inf

Filesize
5KB

MD5
d50d9154c5c2baadcf9138bd9a47ab2f

SHA1
1ccf281b3f844738596b8a1fa021be9958f96f2f

SHA256
b40284078df9e51f2d794c583cf61b72812166bcfd68949e6ce1729389890d79

SHA512
827e551d6dc4958b913343d2845ebd36855cd9dc3f56bb40aa9c1b8d54047edd18d1dfd476e653c2ef2a9d0ef0618202f65ce260de64c0211a92d6e912f1586a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf16.dll

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf16.dll

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf32.dll

Filesize
4KB

MD5
e049c0349be088c62a0ac07de367fc21

SHA1
02763be0c91805e30ca4444e9bf79ec46bb618ab

SHA256
00e3a37df4428e2d3e62bac11ecea40a8494b9a0c4cb4e6723acad17835b21f5

SHA512
f90fa83d2732503ba02a1e25a257fa21dc6c525f8d011d2b7a12039c7d50f06ce3a5f58f1b30b5de6367b0ed09a6bc54d0a707f8229fdba0177f5185607bb585

Download Submit
C:\Users\Admin\AppData\Local\Temp\{044441A4-623B-43E0-8483-E6EF465938A7}\advpack.dll

Filesize
125KB

MD5
8fed1e0a491d4990853d23f21c59c730

SHA1
42aed9decc353e31b4de871fd1ea7137c3c2fff0

SHA256
4ba6c93bfd43baeb852b5cb9129522c97ddb542d7ef8ee34aecd8cdf1bf0fc38

SHA512
f5954d2849a6e6527241c97b584fac6ec984aede557b3c4b3f2b6c520b37a345a0fa92e9e50d5c5bd15be21284c01eaf37246f55d637fee23190c31c761edd88

Download Submit
C:\Users\Admin\AppData\Local\Temp\{044441A4-623B-43E0-8483-E6EF465938A7}\aqvpn.inf

Filesize
9KB

MD5
22a5f4886eebd571497c8a0a08ad7a59

SHA1
5610b724f6bda7f5366a0aa6fa876b3be7c4660d

SHA256
9530732bb7d241774873e9379f4df28878150d162abb3ea92581521cdc15741d

SHA512
a3cc86a8881d7fa5281071bb94bf032ef4f1af43fc7be8b8d6ef611f7df0b1602ddfa258e0a094dc22af50f2b83bbb58428e2312411bd4d56edb7fd5edb5a400

Download Submit
C:\Users\Admin\AppData\Local\Temp\{044441A4-623B-43E0-8483-E6EF465938A7}\cmstp.exe

Filesize
60KB

MD5
9f7806c29164c370c71a89dc2382cc8a

SHA1
b8c3bdc95e1a4ffe7bdc01802e7a52fbe3bff98c

SHA256
46599b3bb282ceedab57d90174398b06460fff6f8de702107302524814821423

SHA512
79e89e1df100a3772620ba5dd7289c563df6b561952e0bca0dff6f2bb1ec367ffae2aff66cf3659cd45acc47962bc41e48755fd8a584b476bd537504a443fbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{044441A4-623B-43E0-8483-E6EF465938A7}\w95inf32.dll

Filesize
4KB

MD5
e049c0349be088c62a0ac07de367fc21

SHA1
02763be0c91805e30ca4444e9bf79ec46bb618ab

SHA256
00e3a37df4428e2d3e62bac11ecea40a8494b9a0c4cb4e6723acad17835b21f5

SHA512
f90fa83d2732503ba02a1e25a257fa21dc6c525f8d011d2b7a12039c7d50f06ce3a5f58f1b30b5de6367b0ed09a6bc54d0a707f8229fdba0177f5185607bb585

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
125KB

MD5
8fed1e0a491d4990853d23f21c59c730

SHA1
42aed9decc353e31b4de871fd1ea7137c3c2fff0

SHA256
4ba6c93bfd43baeb852b5cb9129522c97ddb542d7ef8ee34aecd8cdf1bf0fc38

SHA512
f5954d2849a6e6527241c97b584fac6ec984aede557b3c4b3f2b6c520b37a345a0fa92e9e50d5c5bd15be21284c01eaf37246f55d637fee23190c31c761edd88

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
125KB

MD5
8fed1e0a491d4990853d23f21c59c730

SHA1
42aed9decc353e31b4de871fd1ea7137c3c2fff0

SHA256
4ba6c93bfd43baeb852b5cb9129522c97ddb542d7ef8ee34aecd8cdf1bf0fc38

SHA512
f5954d2849a6e6527241c97b584fac6ec984aede557b3c4b3f2b6c520b37a345a0fa92e9e50d5c5bd15be21284c01eaf37246f55d637fee23190c31c761edd88

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\advpack.dll

Filesize
125KB

MD5
8fed1e0a491d4990853d23f21c59c730

SHA1
42aed9decc353e31b4de871fd1ea7137c3c2fff0

SHA256
4ba6c93bfd43baeb852b5cb9129522c97ddb542d7ef8ee34aecd8cdf1bf0fc38

SHA512
f5954d2849a6e6527241c97b584fac6ec984aede557b3c4b3f2b6c520b37a345a0fa92e9e50d5c5bd15be21284c01eaf37246f55d637fee23190c31c761edd88

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe

Filesize
60KB

MD5
9f7806c29164c370c71a89dc2382cc8a

SHA1
b8c3bdc95e1a4ffe7bdc01802e7a52fbe3bff98c

SHA256
46599b3bb282ceedab57d90174398b06460fff6f8de702107302524814821423

SHA512
79e89e1df100a3772620ba5dd7289c563df6b561952e0bca0dff6f2bb1ec367ffae2aff66cf3659cd45acc47962bc41e48755fd8a584b476bd537504a443fbe4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\cmstp.exe

Filesize
60KB

MD5
9f7806c29164c370c71a89dc2382cc8a

SHA1
b8c3bdc95e1a4ffe7bdc01802e7a52fbe3bff98c

SHA256
46599b3bb282ceedab57d90174398b06460fff6f8de702107302524814821423

SHA512
79e89e1df100a3772620ba5dd7289c563df6b561952e0bca0dff6f2bb1ec367ffae2aff66cf3659cd45acc47962bc41e48755fd8a584b476bd537504a443fbe4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf32.dll

Filesize
4KB

MD5
e049c0349be088c62a0ac07de367fc21

SHA1
02763be0c91805e30ca4444e9bf79ec46bb618ab

SHA256
00e3a37df4428e2d3e62bac11ecea40a8494b9a0c4cb4e6723acad17835b21f5

SHA512
f90fa83d2732503ba02a1e25a257fa21dc6c525f8d011d2b7a12039c7d50f06ce3a5f58f1b30b5de6367b0ed09a6bc54d0a707f8229fdba0177f5185607bb585

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\w95inf32.dll

Filesize
4KB

MD5
e049c0349be088c62a0ac07de367fc21

SHA1
02763be0c91805e30ca4444e9bf79ec46bb618ab

SHA256
00e3a37df4428e2d3e62bac11ecea40a8494b9a0c4cb4e6723acad17835b21f5

SHA512
f90fa83d2732503ba02a1e25a257fa21dc6c525f8d011d2b7a12039c7d50f06ce3a5f58f1b30b5de6367b0ed09a6bc54d0a707f8229fdba0177f5185607bb585

Download Submit