44e30d499a2977f70f0cd11411cfde8a26ff4f63c476740f4d8e4a461f9e753e

Analysis

max time kernel
141s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-06-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Winbox.exe
Size

3.5MB
MD5

81f583de2d16e2f451a0be9b8a7dd96c
SHA1

90e7b57b50302f60b4294b54f7f9e2bddd279747
SHA256

44e30d499a2977f70f0cd11411cfde8a26ff4f63c476740f4d8e4a461f9e753e
SHA512

171f353a2ca289af5e925392b6ac53c136bb9860e0bcb1697362fe0a75deff1d84f2128a3b0d711ae2a603f0d4af8dd44ab4cc5d39aa38e482e69ed11d5bff3f
SSDEEP

98304:lfLcWEe08s9qCzeDBsdGExhSrIClK7GE5PBl:N0h8cD5DxKWV5b

Score

7^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe	aspack_v212_v242
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe	aspack_v212_v242
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe	aspack_v212_v242
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe	aspack_v212_v242
C:\Users\Admin\AppData\Roaming\Mikrotik\winbox.exe	aspack_v212_v242
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe	aspack_v212_v242
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe	aspack_v212_v242
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe	aspack_v212_v242
behavioral1/memory/1460-311-0x0000000000330000-0x0000000000351000-memory.dmp	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

winbox.exe

pid process

1460 winbox.exe
Loads dropped DLL 5 IoCs

Processes:

Winbox.exewinbox.exe

pid process

1324 Winbox.exe
1324 Winbox.exe
1460 winbox.exe
1460 winbox.exe
1460 winbox.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Winbox.exe

description pid process

Token: SeRestorePrivilege 1324 Winbox.exe
Token: SeBackupPrivilege 1324 Winbox.exe

pid	process
1460	winbox.exe

pid	process
1324	Winbox.exe
1324	Winbox.exe
1460	winbox.exe
1460	winbox.exe
1460	winbox.exe

description	pid	process
Token: SeRestorePrivilege	1324	Winbox.exe
Token: SeBackupPrivilege	1324	Winbox.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Winbox.exe

description	pid	process	target process
PID 1324 wrote to memory of 1460	1324	Winbox.exe	winbox.exe
PID 1324 wrote to memory of 1460	1324	Winbox.exe	winbox.exe
PID 1324 wrote to memory of 1460	1324	Winbox.exe	winbox.exe
PID 1324 wrote to memory of 1460	1324	Winbox.exe	winbox.exe
PID 1324 wrote to memory of 1460	1324	Winbox.exe	winbox.exe
PID 1324 wrote to memory of 1460	1324	Winbox.exe	winbox.exe
PID 1324 wrote to memory of 1460	1324	Winbox.exe	winbox.exe

C:\Users\Admin\AppData\Local\Temp\Winbox.exe
"C:\Users\Admin\AppData\Local\Temp\Winbox.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Users\Admin\AppData\Roaming\Mikrotik\winbox.exe
"C:\Users\Admin\AppData\Roaming\Mikrotik\winbox.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\advtool.dll
Filesize
72KB

MD5
af27b422f99c88971ac8303e98454382

SHA1
f34867dfdbc10b68fbaf4554114d83a5a658d79f

SHA256
4b34e70d92f1b1e4cc13976e3cd1b74703c0b518af17a2edb5b3ec1a5659fcb6

SHA512
c2a81a54ce96110b2a85c449c580815e5a3e1d75f4d10ef491752d4f128e4428d9cf871090ebf74eadd5acf6a45fc239732f07e28e3854cc9f70f3b02cd98e22

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\arlan.dll
Filesize
55KB

MD5
24b90688277d19619af843382eedf097

SHA1
e44553b1ee609ce588a3190b6d6e47df5ad9781c

SHA256
d9f225d7c3a506a7b5ce172ad20763a91d50d5d264f992543cc5ed3e5f362e2a

SHA512
7ba0b59ff123bdfcd25fc5eb33155f83a1f402bd0049075ce1fd1b696e5096615d10531041f109c61848145b5d637f1398cad1a17f0017eeb00a939ad8216611

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\dhcp.dll
Filesize
90KB

MD5
1a82b6af1821b7605986654f1383bf15

SHA1
80c1026e17adbc53a3da85605f3048ad68da183f

SHA256
8bf3c021709508687eb43bf1d2157e53173227ac25ec4a62f536b70e518e9d2a

SHA512
5152c03456869d6ab1672d2fb91e6a7163fa68c3ab3673577a6664fcd96b0b40e35e89e9b6a611e71675735934b82f3139d192e2ef249aa59930338c77249fc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\hotspot.dll
Filesize
121KB

MD5
33af77c5d77a44a04191769d3b918493

SHA1
e0991a37c86dc72ce8653c6ed33b1953ac308148

SHA256
2bb4bfd054d632783ddc9a5583373334ca8be7b29e174af72bb1abc6f0b841b2

SHA512
ff8167d2ac2e416fd8cbd83acb9c027ad7c6018eba61a21e9350606c3fd807676786d6665ee5055defcf2e0302627ebde3d3173680b5be95eff021958766f720

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\isdn.dll
Filesize
52KB

MD5
2268343e66cb885b8378932d30f59d16

SHA1
ae54a196035ed0250ce334b5c79bf92758d0cf05

SHA256
11120851788248cc9d1513584d0994e3e80717fa8d2983c7035a8d2587669912

SHA512
b5f10c9138693f9b14cd26797248b4471fcf851334673f897a5c3e8a5c209ee07243dc2423b638bf6106053133f1def0bb50fa6d1172e652413d96344e1a7bb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\lcd.dll
Filesize
54KB

MD5
b697e89bf476d5ac996279adb1ec1b16

SHA1
6177ecc6699fe2c12cb9a9591b51979296957fa0

SHA256
c67ac4878d980033a713806780074a19b9e8f7beb6050a9b792c482a9d2fa956

SHA512
9dc6bbb80946fb1af328c5b828cd0ddefc932496957cba382d802b8c15b700b994abaa3c901659ca1af535ffe5b701909420ba36e499a105232903075ee07e45

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\ntp.dll
Filesize
54KB

MD5
d4765f3c0d1997668a2def84b41a84fb

SHA1
b77e59b443f0f490c6ec04f746cff712c1f4748a

SHA256
c8301643390123f3155c47766ed9dfdada55c7e815b57a02de3251b5e371a7cf

SHA512
f80afbd0495e8b0a07a158f460f9006e30aaa89f30c03d4c0ea1a0b6e867c0800d922e38c278fbe817db8c105219fca699845bbe799e5b6e90f5ee571568d3e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\phone.dll
Filesize
93KB

MD5
81bc614ddd4cf2d639e2c6aaad007d85

SHA1
ed7d582a09e66a4a7475d82a4ce6698828b254e7

SHA256
a2d7f0e1fc5709bd770cdfd24b9cb0d750ec49090a335754b73d22c0317b7c41

SHA512
47cf7d848f31b2a849c8318f12e7347c613bee2150a3bcaf7c4ce5267f770359df0b8f0a25c898a8e2690ec47968766ebf0a2a98d1ed8d2250dd1f7ffb2fb18d

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\ppp.dll
Filesize
122KB

MD5
ff1bc8ea8566dbc1dc0c28ae2ec11b5b

SHA1
6de341785246055040e5487d87afc05c3eaf02b8

SHA256
c48405d7cc96897defd625053059d2b88832a0d02d3848575171fe7cb81bfb96

SHA512
c85f3c479df391fcd47d7a4d8bcdbf4343063fc95e448732dae375bb6725ad25ad1f6a38d8347ae76ceb35b7ec0ab141427268de62174097bedbdd89c9ebe7a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\radlan.dll
Filesize
63KB

MD5
227df0f4a728464d86fc96b7e87bef44

SHA1
7321bedef53ddd283b68fdd984d9da5b7eb141dd

SHA256
b760273719d23c23de5bb8825273fcb778441c084527a1324125c7c42c7e7516

SHA512
1c21099beae78b00be0ad96a3c064b4942914bdfe35eb467e19f207e5877c30c6673c5c497bcaaa62cb36aa440d56fa6221b76ff09bce3f339c7987e97e19f29

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\roteros.dll
Filesize
1.2MB

MD5
c56450840fe72563b90bee3c789a3390

SHA1
dc9e9d67c2f577d12cc9e4422da2fb597add58ea

SHA256
70468a2a142111638e105a2c06e0e2b4186b45d4276730cc89f95aa65410f33d

SHA512
5c34b1b37fe3a75956676775488f21018538eacb79a9e16b5a02c40b51f7cf4afd27c0662585032022bd65285ea5af64b194dcb4ba68dafe9e783f1d8e57e502

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\routing.dll
Filesize
95KB

MD5
2f700ade547169ea74cab86ce654de35

SHA1
43d3717b7dc766bed8335b2180dac55e2b012454

SHA256
684e4c8e143d3c3053a3823e7311d968fdc69061275860a54ce1ffdf3421ceed

SHA512
79a4cf550907c8f2a1363ad2bf655e442ad3e3f605a8d6905644efc131d6595cdf96b44dcf4ddcadcf509f34888a2912fe79f6d44a2b879b9ffe1ed2b1970ded

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\rstp.dll
Filesize
100KB

MD5
985df652c8099b85365e5f65af6424db

SHA1
74eddc5a8cee4a5ac084cb9d24fbe0b847a9993e

SHA256
34294cc0f1668bbf5a9d5075edc75430206dec64ce2e1db44c7e9a658753a079

SHA512
bcc804e4d705c8e246e00df3e2df63d3f9c55e84393fbd7206e786c42264535247e4c856e327837c9803e881d24f01064b94dc1a24eaa1efada49ea1622da7a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\rtboard.dll
Filesize
52KB

MD5
33504321c2a7d883e0359f90639b7340

SHA1
c64787c8364ef0bce9b6714f66c4eaba306a6ce2

SHA256
5d711573ec0e6a3f38b7c580916f445bb200876a54d0e4a9e6187e1a3e0b1804

SHA512
d81ce0daaed1fd5bba36c368fc80f9973ce88edba39df9cd5e3407d204d9e323537c123d9c714d90679029b6992f94fee8cedd839729bcbc469e55aad5962b8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\secure.dll
Filesize
702KB

MD5
d975e097dbc3fbf35533751a6900eac3

SHA1
41f08b171c186383743976cf91207a57f7475360

SHA256
8194eca102cc70d3faf785e72514ad3cf3d4d4d97cc9d3ec70dca6e7863b7469

SHA512
1db9de915f567ac7cedb5bbd96f5b1719befba090b56f7c9752dbf77334d7a286f9068a679c4204b01a84ca4b8aee457e341fa16d7e12aef5df1b32b7f0960ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\sync.dll
Filesize
93KB

MD5
0e7a37b5d547a3d13b34bf9dae8fe437

SHA1
f6d296e46eb586bc2b2368e65284aa00f2bf8780

SHA256
e9cd50d95827e7214e15cabf6e1cb9f667c8ac06b7395311a753b4490aecceb8

SHA512
d7a220a3c30ac5f6b99d71c1d2363393b6a9059d4b53c4f029b7f7c3b6b5f6a70d5fa9366cd6ae4b4fe270ae5a2f9487dd3285792fe96bc08cee61c357f5a149

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\system.dll
Filesize
10KB

MD5
a99ab3413ff50fba9eed7bcd14db6d9e

SHA1
9242a5faf63b6581236abc933df7e72b2075c051

SHA256
3a2071516fbd531ab592f09b0450c2da68bdc977b19a98158e25a5ae7c45b846

SHA512
eb0d1a5bc323561c7effec951c92b79a7a3919a5dab7abb9a28174e9c7ec43ea9e7f16d23506c641d97b0c18813efd87b62cd1b6f6835e69007badd0e8a6b6fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\ups.dll
Filesize
60KB

MD5
b2c2e0d46162101980f0da61b5371b29

SHA1
4e7a0db227def36139a512911487880a264f78f5

SHA256
350bdcfd955df0c72e9e6307a3d02d4175951b9643ddd56944df25b67d052478

SHA512
d2652892bf1ba12c0dc5a79daf843b679af9c2dc736d555530dfaa9fb276be06114d82ddf6cce2df6ac80aea11030094524b1ba42937150265f871e3139cec2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\wlan2.dll
Filesize
222KB

MD5
21536039fde03c572896eb6d6571959d

SHA1
5d75dd561fe57adef0ec42de6dacea17acdf4bb6

SHA256
f16031ec60035428d23e929432cc330f94f74c8c61080e025a65e41c51b25e0f

SHA512
f413e288ba33f5af262f24ad8fee38733bd61d612a11be83df4f72c7acd599a9c129ad8a138d87dee0a34dcb1021b33c17c17cfa2b0fbc71d711d964295cea00

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox\2.9.7\wproxy.dll
Filesize
68KB

MD5
44a3cf923562243b8ec433e0f62b8b48

SHA1
20f8b3a03f7984e44a6907c58629592060b7e48b

SHA256
58696a5d0936a4e202a90027410b5291960834e970239b7633178e6708e152ca

SHA512
e448f8b36f342cb4d27f9068b1134f3a037bd906293bd2d231e498e8205c5b9ffe5eb1ecd788bd964c0ab4f8161d4a13d1d69a84b800dd90321da42069851fd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mikrotik\winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe
Filesize
40KB

MD5
c6d6860bf26d5b1c8e736589b8ae075f

SHA1
fb92cee6a51fe1b50266e13d2ca4ab21b9d26715

SHA256
d90cdf69ab21220d21e4d4b3e4c7d70db4c14f882eb4fce2aad3d41487b5ca67

SHA512
d639cb1c0752209a160fb4e367d873933075b4e7f291a0093b406eb4dbe1130ec3c522513b048bff7e8ca398b4e554f2fe410624830294a8ae7f18d294ef9dfd

Download Submit
memory/1324-306-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1460-311-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download
memory/1460-312-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download
memory/1460-313-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1460-326-0x0000000000330000-0x0000000000351000-memory.dmp

Filesize
132KB

Download