Analysis
- max time kernel: 144s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2023 14:21

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Winbox.exe
  Resource: win7-20230220-en
- Behavioral task: behavioral2
  Sample: Winbox.exe
  Resource: win10v2004-20230220-en
General
- Target: Winbox.exe
- Size: 3.5MB
- MD5: 81f583de2d16e2f451a0be9b8a7dd96c
- SHA1: 90e7b57b50302f60b4294b54f7f9e2bddd279747
- SHA256: 44e30d499a2977f70f0cd11411cfde8a26ff4f63c476740f4d8e4a461f9e753e
- SHA512: 171f353a2ca289af5e925392b6ac53c136bb9860e0bcb1697362fe0a75deff1d84f2128a3b0d711ae2a603f0d4af8dd44ab4cc5d39aa38e482e69ed11d5bff3f
- SSDEEP: 98304:lfLcWEe08s9qCzeDBsdGExhSrIClK7GE5PBl:N0h8cD5DxKWV5b
Signatures
- Yara rule match: aspack_v212_v242 (ASPack v2.12-v2.42 packer signature)
  Processes:
  resource                                             yara_rule
  C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe   aspack_v212_v242
  C:\Users\Admin\AppData\Roaming\Mikrotik\Winbox.exe   aspack_v212_v242
  C:\Users\Admin\AppData\Roaming\Mikrotik\winbox.exe   aspack_v212_v242
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  description         ioc                                                                                                 process
  Key value queried   \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation   Winbox.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid    process
  2896   winbox.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                     pid    process      target process
  PID 2028 wrote to memory of 2896   2028   Winbox.exe   winbox.exe
  PID 2028 wrote to memory of 2896   2028   Winbox.exe   winbox.exe
  PID 2028 wrote to memory of 2896   2028   Winbox.exe   winbox.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Winbox.exe
  "C:\Users\Admin\AppData\Local\Temp\Winbox.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Mikrotik\winbox.exe (child process)
    "C:\Users\Admin\AppData\Roaming\Mikrotik\winbox.exe"
    - Executes dropped EXE
Downloads