89df1eb47e24963acda027076d670844dd2923fdd76546046afba32ab783cb6c

Resubmissions

07-03-2024 15:06

240307-sg3jhseb28 10

Analysis

max time kernel
151s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AOMEIBackupperSetup.exe
Size

122.9MB
MD5

dda8bd6c99fe29fddfbdd31d2e66d4f0
SHA1

5c7f878b6273e89ec1bb4afc6df44ea1cc16ecf4
SHA256

f4ce867a89a65467bd16ed1b744dec7dbe8e0439653e3cbacbc0f472f16dc541
SHA512

6cabe39b9e1e20d4ad2b429f813a10a3e3e0d83846557d192bf953ed46170e6bb232a821b8e0efe5016fd0bb67b17c7e41aed909b934331529118255442047df
SSDEEP

3145728:Lafv2ZUw0hkI6aCO4K9rdU9vhn1Jph080DWS9L:LaWIB4K9xURhn1Jph07SiL

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winsevr.dat	Aman.exe
File opened for modification	C:\Windows\SysWOW64\winsevr.dat	OneKey30784.tmp

Executes dropped EXE 4 IoCs

pid	Process
2696	OneKey30784.exe
2536	OneKey30784.tmp
2388	Aman.exe
1576	IUHelper.exe

Loads dropped DLL 14 IoCs

pid	Process
2692	AOMEIBackupperSetup.exe
2696	OneKey30784.exe
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2388	Aman.exe
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2536	OneKey30784.tmp
2536	OneKey30784.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2696	2692	AOMEIBackupperSetup.exe	28
PID 2692 wrote to memory of 2696	2692	AOMEIBackupperSetup.exe	28
PID 2692 wrote to memory of 2696	2692	AOMEIBackupperSetup.exe	28
PID 2692 wrote to memory of 2696	2692	AOMEIBackupperSetup.exe	28
PID 2696 wrote to memory of 2536	2696	OneKey30784.exe	29
PID 2696 wrote to memory of 2536	2696	OneKey30784.exe	29
PID 2696 wrote to memory of 2536	2696	OneKey30784.exe	29
PID 2696 wrote to memory of 2536	2696	OneKey30784.exe	29
PID 2696 wrote to memory of 2536	2696	OneKey30784.exe	29
PID 2696 wrote to memory of 2536	2696	OneKey30784.exe	29
PID 2696 wrote to memory of 2536	2696	OneKey30784.exe	29
PID 2536 wrote to memory of 2388	2536	OneKey30784.tmp	32
PID 2536 wrote to memory of 2388	2536	OneKey30784.tmp	32
PID 2536 wrote to memory of 2388	2536	OneKey30784.tmp	32
PID 2536 wrote to memory of 2388	2536	OneKey30784.tmp	32
PID 2536 wrote to memory of 1576	2536	OneKey30784.tmp	33
PID 2536 wrote to memory of 1576	2536	OneKey30784.tmp	33
PID 2536 wrote to memory of 1576	2536	OneKey30784.tmp	33
PID 2536 wrote to memory of 1576	2536	OneKey30784.tmp	33

C:\Users\Admin\AppData\Local\Temp\AOMEIBackupperSetup.exe
"C:\Users\Admin\AppData\Local\Temp\AOMEIBackupperSetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\OneKey30784.exe
  C:\Users\Admin\AppData\Local\Temp\\OneKey30784.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\is-U6N6R.tmp\OneKey30784.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-U6N6R.tmp\OneKey30784.tmp" /SL5="$50158,128105039,433664,C:\Users\Admin\AppData\Local\Temp\OneKey30784.exe"
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\Aman.exe
      "C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\Aman.exe" -Cookies
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\IUHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\IUHelper.exe" UA-136152959-1 "pro trial/en" "Install/7.3.3/Microsoft Windows 7 Ultimate Eidtion 64-bit/AOMEI/nil " "Run Installation"
      4⤵
      Executes dropped EXE
      PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneKey30784.exe

Filesize
13.0MB

MD5
ebf768757f21ff35edc36576969e208b

SHA1
63e0521383693cd05ed1f58e367f60bbf198d316

SHA256
0efe7039b7e01830f2cc95f43b5f80a83b0acde6a203e035085da01e2d5e6759

SHA512
7f0ed2bd5e62da86540622f479c4c3d9d4903db713a7cf543ea67daf0d19d8218e37d8a122aa73654feb134e04189364367253c716eeee497f949d4f15ac71ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneKey30784.exe

Filesize
10.2MB

MD5
a2eb0e0a654cea31f24b0ce3d1ba2fc8

SHA1
edb91af8a71703f0d591b3b3492d1d8f15f56dcc

SHA256
7d64b65f259822dacce84baacc2b9b533ef6d2dec27c337fc192435b1695bc4e

SHA512
ad5d9a5801c34f19bccd551cbe7a87eb95b21645cef8c8003b29185066aced72f5e61e383dcc17fd3e32d81b629eb961a50d8969e7ea5ec80d5dbc6651360744

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\Aman.exe

Filesize
1.3MB

MD5
9ec4c59f00a6af9e8d73b652d1c92bc8

SHA1
d2acba73683f255b3bcfccd0145be515c86a8f4b

SHA256
a62b53d7df3696d7370ad7b2083b36ba828f07ab8e343f6765b3310ee3187545

SHA512
b0cac56860b1acb238360303e0e8aba7ccf2a232e38fa0914a50345e1fd02358abd57ffb2e35c03fc51aefa1b791e9ab54522716d2f4a8c29fe173526eda3706

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\Checkblue.png

Filesize
694B

MD5
a8b6c2a1eb48b2be0f941f3ab8f7e238

SHA1
b78df675d44df51d64b55c8f2c511cd180d5cf73

SHA256
4ef202de5bf06745f20ef82ab0680cb4b1d882025a4503639ccdb6435e029dd0

SHA512
b181985244dbd6dc0bc456f822cc8011cb76ce334a680928a8c2aa12a9f0c4a066c3e6745f738ffc480e39b907a0499e59b3865fed040a5a43310803de61c0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\IUHelper.exe

Filesize
165KB

MD5
02d494ad634d84b47253228cc85042b5

SHA1
09eef1dba5f00841e6c339a5bdbe652081e58060

SHA256
db2b7098c1dd35ef822b25be1e88b3ed012260c86e8498ebd96094e06f7d2f1f

SHA512
a32ffcb8453a5df9f941c23b129484e2fc0628c086f948114c86ccc0fa9e45984d579b1e9f7e948d633bfb7dca587238b0f692f7c6b11793eaac1c64ff6a1ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\LH

Filesize
267B

MD5
c09f0c687d36e9a0b49aadf76a8988f0

SHA1
1cbce7fdc0867657ed6d331430a2564b6f81ff6f

SHA256
ccc1d344954edd8589328bda021a24f90a61feccf3be08ebf7652a754dbf7fde

SHA512
24ff4d36a19ca3508267890cb1917ddb16bbdf607ca0230f740464924dbce9387e9c77f571aa7464cd82c2598aebe773583d5ed93e036b3dd6f96c05dc8ca913

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\btopen.png

Filesize
2KB

MD5
90eb121bf0ae802f3ad12bc6582ca691

SHA1
8647260945740e2cd97a97b7cee6e5016688166f

SHA256
85a908620121820c1c40303d6e268bac586c469cbfbfe864143a2c96d171f56c

SHA512
881bdec3c122b7baaf81c01f91b24409377602c0d9398b09aa3ad7cb965d347bcee5e631ca87636edfad693d5666b8339ee45e8877500f78f823817d449ec8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\iconclose.png

Filesize
274B

MD5
3a58934b887aab94f6b08f937379cd27

SHA1
1b56a9405cc8b818c4c2584372d30ff2e3f07173

SHA256
2412f5c1a826c923b6afbf41aa700066f8845227bc6c0732f1917f4671e16015

SHA512
f5232174b1c4c3871fbc0fbcab403d2281f8d2c207127466d215de44b23d4472e5dee32210e3adf2294a9be31b334e0dae14f0421ee05318ed419239bcb983d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\iconminimize.png

Filesize
375B

MD5
5577c4f4a5b74020337c273b94744d25

SHA1
46c46b1d15a07319d7396e9ab1bd686764abf785

SHA256
8e9e7818db8b22e2d7e836ae72712eb402b4e94fc43aa1b2a6b1217dfb90e9ac

SHA512
3cd31fc686103a83ce8779fc94771b51afbf1343f5ab4e36f3f2d1ede013feb6eb4b0d66c48c5f00217eefb9c407071fd30188dc0a16244d86899116c6fc4f45

Download Submit
\Users\Admin\AppData\Local\Temp\OneKey30784.exe

Filesize
960KB

MD5
205da03ca34103f97611acdabea57a43

SHA1
6e4d391b1d69bb914226b615959217a9b80fcf0d

SHA256
08b3d97c87d793e624d3cc58d52e3271408053e44d52bd894608abcfe569814a

SHA512
91d666326577b385c2c82b73ac55c9a9fbdec1095a6d49e56872913b377b84fb56a3416ff3c163b1e28f36cf6959e200b5304b609587de6f9dc23e5631ea52ca

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\BrVersion.dll

Filesize
296KB

MD5
b58874d6ffc1beb674be20b87e1eac3d

SHA1
627c446e083f035d08db972da1d819aa9c0429ad

SHA256
23e8cec91cd6e600e4eb0d8bf835d76a75d625c04b4edd41bc563320cfb2e3db

SHA512
9f174723a014553416abc6a22193164d265a4b5445d9d6dfb4e26df0279186da5ae2956401875890411e8987f51b04b4c139bbabf9bc79d6dd82b58be9567e3f

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\Encrypt.dll

Filesize
41KB

MD5
3653d8f4b294df688bd9e8c120cceaad

SHA1
330f43ae83bb282d6144635e07469b5210556f6d

SHA256
719a2c743ebfda605c40117547ea81c1c329b770f526e825975d902cb41c412d

SHA512
3b45c5023cc7726bdf4ac37145eb8c5b989d138ee0834adba06418f2ec6bde5c2104f4d57c50b1fe1f9aa4406e221e5ef837fb7a5cf51cef719209fbb4c73042

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\MFCButton.dll

Filesize
233KB

MD5
508b334f7a1c539adde48a55f71f2041

SHA1
3c746bc215bce5cc42822f30252082956850612b

SHA256
ea43da95dc1d4f814b6399cc2cd92e2c606fcb1e8ec0b60bbd89269c22d7313c

SHA512
e9d29127cbeb4d660290bb330e0410a86e6e29ab87b9a41c886d1d5414201868f0b9d12521cf00cb05302789e04518a8880763a3782b99fe892a7d4f87bd6ae3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
\Users\Admin\AppData\Local\Temp\is-EDK7B.tmp\systeminfo.dll

Filesize
124KB

MD5
faa9340d6b1db491914d01c184dae4ad

SHA1
fbcc530d28e3ccb9a96e869e4d616f4db0c2d060

SHA256
aa36c2f44bad2e31670aa0850e423225ac7151341b944737bdf7376efafae080

SHA512
88ce634911d84889a0787f3d300247e0bcebc14bf22903d00b56d1592e2586c5e3cc1381e61d3e11c4b149ce98bb22cc8d7249d8de2f76d52b638cf8393cf942

Download Submit
\Users\Admin\AppData\Local\Temp\is-U6N6R.tmp\OneKey30784.tmp

Filesize
1.7MB

MD5
079e12a0aaf2d84c349155469db4d425

SHA1
2759e612710cbf618680100c5ef03a6cdfa81f64

SHA256
4c635334e4d8539f4aa90fb3e5f3786f8e5ee5864dde5db094f3810d4f6df7eb

SHA512
b837f47696b5e4a059b7c9c2d289bf66b150bf73938062c2fe9fe25ea5e145ed61a9382b8aa74d3b579f0a1b99973d975a7efced61709ce6178bdcbd76632dfd

Download Submit
memory/2536-87-0x00000000057D0000-0x00000000057DE000-memory.dmp

Filesize
56KB

Download
memory/2536-100-0x0000000005C90000-0x0000000005CCA000-memory.dmp

Filesize
232KB

Download
memory/2536-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2536-21-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2536-67-0x0000000005750000-0x00000000057B0000-memory.dmp

Filesize
384KB

Download
memory/2536-132-0x00000000057D0000-0x00000000057DE000-memory.dmp

Filesize
56KB

Download
memory/2536-131-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2536-136-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2696-20-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2696-5-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download