38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576

Resubmissions

12-01-2025 13:59

250112-ran7waxpaj 10

12-01-2025 13:48

250112-q38asavke1 10

12-01-2025 13:44

250112-q114paxlan 10

12-01-2025 13:37

250112-qw2jnaxjcl 10

Analysis

max time kernel
63s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AxoPac.zip
Size

151.2MB
MD5

0dba64071e747e29fa9cf49c0b1c49db
SHA1

aeb1db90861e0b24713be3c0db292b58ca1858d9
SHA256

38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576
SHA512

b672a815d51172803281a2660f1e768021e7ca8c3504a1ab69c8e0da434e1a36ecca68193a5fc149052421271fe21e3b7345fc037dfbbef2dffbff3253dd935a
SSDEEP

3145728:Bq9V3ZOHG1pl1t3e50qZ04swW48GnGXB2/+rNPfOxeVf0dL:Bq9V9J3e506f7WxGnGXB/vC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 13 IoCs

pid	Process
3148	Installer.exe
3616	Installer.exe
4464	Installer.exe
4352	Installer.exe
3936	Installer.exe
3468	Installer.exe
2320	Installer.exe
2352	Installer.exe
4292	Installer.exe
3952	Installer.exe
440	Installer.exe
1724	Installer.exe
4604	Installer.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3148 set thread context of 3616	3148	Installer.exe	88
PID 4464 set thread context of 4352	4464	Installer.exe	105
PID 3936 set thread context of 3468	3936	Installer.exe	111
PID 2320 set thread context of 4292	2320	Installer.exe	118
PID 3952 set thread context of 440	3952	Installer.exe	123
PID 1724 set thread context of 4604	1724	Installer.exe	128

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3628	3148	WerFault.exe	84
2708	4464	WerFault.exe	103
1528	3936	WerFault.exe	109
2244	2320	WerFault.exe	114
4364	3952	WerFault.exe	120
3092	1724	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5004	NOTEPAD.EXE
3980	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
224	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	224	7zFM.exe
Token: 35	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe
Token: SeSecurityPrivilege	224	7zFM.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe
224	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 3148	224	7zFM.exe	84
PID 224 wrote to memory of 3148	224	7zFM.exe	84
PID 224 wrote to memory of 3148	224	7zFM.exe	84
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 3148 wrote to memory of 3616	3148	Installer.exe	88
PID 224 wrote to memory of 4464	224	7zFM.exe	103
PID 224 wrote to memory of 4464	224	7zFM.exe	103
PID 224 wrote to memory of 4464	224	7zFM.exe	103
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 4464 wrote to memory of 4352	4464	Installer.exe	105
PID 224 wrote to memory of 3936	224	7zFM.exe	109
PID 224 wrote to memory of 3936	224	7zFM.exe	109
PID 224 wrote to memory of 3936	224	7zFM.exe	109
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 3936 wrote to memory of 3468	3936	Installer.exe	111
PID 224 wrote to memory of 2320	224	7zFM.exe	114
PID 224 wrote to memory of 2320	224	7zFM.exe	114
PID 224 wrote to memory of 2320	224	7zFM.exe	114
PID 2320 wrote to memory of 2352	2320	Installer.exe	117
PID 2320 wrote to memory of 2352	2320	Installer.exe	117
PID 2320 wrote to memory of 2352	2320	Installer.exe	117
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 2320 wrote to memory of 4292	2320	Installer.exe	118
PID 224 wrote to memory of 3952	224	7zFM.exe	120
PID 224 wrote to memory of 3952	224	7zFM.exe	120
PID 224 wrote to memory of 3952	224	7zFM.exe	120
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 3952 wrote to memory of 440	3952	Installer.exe	123
PID 224 wrote to memory of 1724	224	7zFM.exe	126

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AxoPac.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\7zO0E0851C7\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E0851C7\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3148
- - C:\Users\Admin\AppData\Local\Temp\7zO0E0851C7\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0E0851C7\Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 140
    3⤵
    - Program crash
    PID:3628
- C:\Users\Admin\AppData\Local\Temp\7zO0E096C28\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E096C28\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Users\Admin\AppData\Local\Temp\7zO0E096C28\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0E096C28\Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 796
    3⤵
    - Program crash
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\7zO0E0E0E28\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E0E0E28\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\7zO0E0E0E28\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0E0E0E28\Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 808
    3⤵
    - Program crash
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\7zO0E077F28\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E077F28\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\7zO0E077F28\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0E077F28\Installer.exe"
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Users\Admin\AppData\Local\Temp\7zO0E077F28\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0E077F28\Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 816
    3⤵
    - Program crash
    PID:2244
- C:\Users\Admin\AppData\Local\Temp\7zO0E015028\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E015028\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\7zO0E015028\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0E015028\Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 796
    3⤵
    - Program crash
    PID:4364
- C:\Users\Admin\AppData\Local\Temp\7zO0E03B228\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0E03B228\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\7zO0E03B228\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0E03B228\Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4604
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 828
    3⤵
    - Program crash
    PID:3092
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0E002058\THIRDPARTYLICENSEREADME.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5004
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0E0E9998\README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3148 -ip 3148
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4464 -ip 4464
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3936 -ip 3936
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2320 -ip 2320
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3952 -ip 3952
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1724 -ip 1724
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0E002058\THIRDPARTYLICENSEREADME.txt

Filesize
176KB

MD5
0e87879f452892b85c81071a1ddd5a2a

SHA1
2cf97c1a84374a6fbbd5d97fe1b432fa799c3b19

SHA256
9c18836fd0b5e4b0c57cffdb74574fa5549085c3b327703dc8efe4208f4e3321

SHA512
10ba68ffd9deab10a0b200707c3af9e95e27aed004f66f049d41310cb041b7618ee017219c848912d5951599208d385bcb928dd33175652101c7e5bc2e3eba5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0E0851C7\Installer.exe

Filesize
322KB

MD5
fea4388761569e59cc513d1403ee16c6

SHA1
8a94f6eaf29afbdd1b52b198378e643af49db90b

SHA256
9a72d961c46dc5015fc4e95e528672561faf983ae7db77166588488020e06e87

SHA512
8b6018ff3c8f82b9195b839494811d84c6e03fdc03b38f7b2f99f0c14f789db55c31a0fe6f7e4f2c01a985d33c059baaf455af59a77be3306283f66f11e021a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0E0E9998\README.txt

Filesize
47B

MD5
4bda1f1b04053dcfe66e87a77b307bb1

SHA1
b8b35584be24be3a8e1160f97b97b2226b38fa7d

SHA256
fd475b1619675b9fb3f5cd11d448b97eddee8d1f6ddcca13ded8bc6e0caa9cf3

SHA512
997cee676018076e9e4e94d61ec94d5b69b148b3152a0148e70d0be959533a13ad0bc1e8b43268f91db08b881bf5050a6d5c157d456597260a2b332a48068980

Download Submit
memory/3148-12-0x000000007456E000-0x000000007456F000-memory.dmp

Filesize
4KB

Download
memory/3148-13-0x0000000000050000-0x00000000000A8000-memory.dmp

Filesize
352KB

Download
memory/3148-14-0x0000000004F60000-0x0000000005504000-memory.dmp

Filesize
5.6MB

Download
memory/3148-20-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3616-16-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3616-19-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3616-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download