38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576

Resubmissions

12-01-2025 13:59

250112-ran7waxpaj 10

12-01-2025 13:48

250112-q38asavke1 10

12-01-2025 13:44

250112-q114paxlan 10

12-01-2025 13:37

250112-qw2jnaxjcl 10

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AxoPac.zip
Size

151.2MB
MD5

0dba64071e747e29fa9cf49c0b1c49db
SHA1

aeb1db90861e0b24713be3c0db292b58ca1858d9
SHA256

38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576
SHA512

b672a815d51172803281a2660f1e768021e7ca8c3504a1ab69c8e0da434e1a36ecca68193a5fc149052421271fe21e3b7345fc037dfbbef2dffbff3253dd935a
SSDEEP

3145728:Bq9V3ZOHG1pl1t3e50qZ04swW48GnGXB2/+rNPfOxeVf0dL:Bq9V9J3e506f7WxGnGXB/vC

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2520	Installer.exe
2792	Installer.exe

Loads dropped DLL 12 IoCs

pid	Process
2520	Installer.exe
2520	Installer.exe
2520	Installer.exe
2520	Installer.exe
2792	Installer.exe
2792	Installer.exe
2792	Installer.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2792	2520	Installer.exe	33

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1016	2520	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3060	7zFM.exe
Token: 35	3060	7zFM.exe
Token: SeSecurityPrivilege	3060	7zFM.exe
Token: SeSecurityPrivilege	3060	7zFM.exe
Token: SeRestorePrivilege	2792	Installer.exe
Token: SeBackupPrivilege	2792	Installer.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3060	7zFM.exe
3060	7zFM.exe
3060	7zFM.exe
3060	7zFM.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 2792	2520	Installer.exe	33
PID 2520 wrote to memory of 1016	2520	Installer.exe	34
PID 2520 wrote to memory of 1016	2520	Installer.exe	34
PID 2520 wrote to memory of 1016	2520	Installer.exe	34
PID 2520 wrote to memory of 1016	2520	Installer.exe	34
PID 2520 wrote to memory of 1016	2520	Installer.exe	34
PID 2520 wrote to memory of 1016	2520	Installer.exe	34
PID 2520 wrote to memory of 1016	2520	Installer.exe	34

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AxoPac.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3060

C:\Users\Admin\Desktop\AxoPac\Installer.exe
"C:\Users\Admin\Desktop\AxoPac\Installer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\Desktop\AxoPac\Installer.exe
  "C:\Users\Admin\Desktop\AxoPac\Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 76
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE4FBF8547\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml

Filesize
88KB

MD5
398dc059ac7b960a31bba803c6d4b7a3

SHA1
dfac62f6e4ac50a0029031244fc5a1469ffe90e8

SHA256
943feccacef5fe23b3daf662594e3b45fcb8bc1caf25ea1c474721921caa9488

SHA512
f3bb82690b39dad744be9c403f7efcf2c40c903f85be013fff4b1a2ac77e8d59e77bc1eb9989134f800fba3d9bcb987485a92b719386750c70dd7fa1acb533e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4FBF8547\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml

Filesize
6KB

MD5
9c8531c1d5f692cd921c8a56d85bc85d

SHA1
801b699bec07e93fdd05469f15cf80be4178e409

SHA256
16953fbbff24c3d927e5640060948da47c15a32918ecb2fc4f922a82b3fcfa9c

SHA512
3e7fbce84ca7bc96d46ffc3b4fc7acf21d962d379589125a6515178693c379eb6b5833e428ec11f106e9b807147c698e898840a20a8189a01baf76ace9a1f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4FBF8547\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll

Filesize
44KB

MD5
969d6caf273394f064475292d549516e

SHA1
91f688c235388c8bcee03ff20d0c8a90dbdd4e3e

SHA256
fe18f4259c947c1fd6d74f1827370e72d7ad09aefb4b720af227333583e0169f

SHA512
b4f6a614e5fc52850e3d02ebf7e85abf1ebe3fb4ebd6b4f03ec9dc4989cce88e44714ca2198dd7e632f5ed0f15225a68b31052da33e5ac3ce48a1c91c3c04446

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4FBF8547\AxoPac\ASP.NET Web Pages\v1.0\Visual Studio 2012\thirdpartynotices.rtf

Filesize
87KB

MD5
b0ac92e72b07a4b37d66f0264e3373c0

SHA1
769dec94ed0bfcb47e68026aa01e80a26943ff38

SHA256
5a0792c375031840221f1737ba389b0d6dac373b118a107e50fbe78fe5f4ba69

SHA512
716c37b16c577de53b7f6e3934e09ae329e138a8a1725d60e9d8907c43c4400918a31b12ae173644efc25ccc9bf7cb332a3042c17386a3724320ab977a7ded52

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4FBF8547\AxoPac\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll

Filesize
25KB

MD5
f9efab153915541f6cbdd147f85f9842

SHA1
5d923740f2377298ad917eb9f5bfb45e0b1465fb

SHA256
130fe2b8282263c77d9bee89d636166848291432696c449d708c819b17bf053a

SHA512
74890a53f2b0b73816e5155fb2b48580fa1dbf3e35077e7915d96ae57516c5da2bbf968978ae134e12754039a5ada6f8dfbcdc121cab9b887a6d4d259b68f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4FBF8547\AxoPac\x64\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE227.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE249.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\AxoPac\Installer.exe

Filesize
322KB

MD5
fea4388761569e59cc513d1403ee16c6

SHA1
8a94f6eaf29afbdd1b52b198378e643af49db90b

SHA256
9a72d961c46dc5015fc4e95e528672561faf983ae7db77166588488020e06e87

SHA512
8b6018ff3c8f82b9195b839494811d84c6e03fdc03b38f7b2f99f0c14f789db55c31a0fe6f7e4f2c01a985d33c059baaf455af59a77be3306283f66f11e021a4

Download Submit
memory/2520-1543-0x00000000012F0000-0x0000000001348000-memory.dmp

Filesize
352KB

Download
memory/2792-1546-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2792-1556-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-1554-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2792-1552-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2792-1550-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2792-1548-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2792-1557-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2792-1559-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download