Overview

overview

10

Static

static

10

AxoPac.zip

windows7-x64

7

AxoPac.zip

windows10-2004-x64

7

Resubmissions

12-01-2025 13:59

250112-ran7waxpaj 10

12-01-2025 13:48

250112-q38asavke1 10

12-01-2025 13:44

250112-q114paxlan 10

12-01-2025 13:37

250112-qw2jnaxjcl 10

Analysis

  • max time kernel
    211s
  • max time network
    208s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AxoPac.zip

  • Size

    151.2MB

  • MD5

    0dba64071e747e29fa9cf49c0b1c49db

  • SHA1

    aeb1db90861e0b24713be3c0db292b58ca1858d9

  • SHA256

    38e4a29ab9f16e4fa94d66b4d4e8f43a24872da912a3bdbd341e0ef21616b576

  • SHA512

    b672a815d51172803281a2660f1e768021e7ca8c3504a1ab69c8e0da434e1a36ecca68193a5fc149052421271fe21e3b7345fc037dfbbef2dffbff3253dd935a

  • SSDEEP

    3145728:Bq9V3ZOHG1pl1t3e50qZ04swW48GnGXB2/+rNPfOxeVf0dL:Bq9V9J3e506f7WxGnGXB/vC

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AxoPac.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2780
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4616
    • C:\Users\Admin\Desktop\AxoPac\Installer.exe
      "C:\Users\Admin\Desktop\AxoPac\Installer.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Users\Admin\Desktop\AxoPac\Installer.exe
        "C:\Users\Admin\Desktop\AxoPac\Installer.exe"
        2⤵
        • Executes dropped EXE
        PID:116
      • C:\Users\Admin\Desktop\AxoPac\Installer.exe
        "C:\Users\Admin\Desktop\AxoPac\Installer.exe"
        2⤵
        • Executes dropped EXE
        PID:1584
      • C:\Users\Admin\Desktop\AxoPac\Installer.exe
        "C:\Users\Admin\Desktop\AxoPac\Installer.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1572
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 800
        2⤵
        • Program crash
        PID:4236
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4128 -ip 4128
      1⤵
        PID:2576
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:312

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zECDA4BBC8\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.AspNet.Razor.ru.1.0.20105.408\lib\net40\ru\system.web.razor.xml
        Filesize

        88KB

        MD5

        398dc059ac7b960a31bba803c6d4b7a3

        SHA1

        dfac62f6e4ac50a0029031244fc5a1469ffe90e8

        SHA256

        943feccacef5fe23b3daf662594e3b45fcb8bc1caf25ea1c474721921caa9488

        SHA512

        f3bb82690b39dad744be9c403f7efcf2c40c903f85be013fff4b1a2ac77e8d59e77bc1eb9989134f800fba3d9bcb987485a92b719386750c70dd7fa1acb533e0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zECDA4BBC8\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.AspNet.WebPages.ru.1.0.20105.408\lib\net40\system.web.webpages.razor.xml
        Filesize

        6KB

        MD5

        9c8531c1d5f692cd921c8a56d85bc85d

        SHA1

        801b699bec07e93fdd05469f15cf80be4178e409

        SHA256

        16953fbbff24c3d927e5640060948da47c15a32918ecb2fc4f922a82b3fcfa9c

        SHA512

        3e7fbce84ca7bc96d46ffc3b4fc7acf21d962d379589125a6515178693c379eb6b5833e428ec11f106e9b807147c698e898840a20a8189a01baf76ace9a1f719

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zECDA4BBC8\AxoPac\ASP.NET Web Pages\v1.0\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll
        Filesize

        44KB

        MD5

        969d6caf273394f064475292d549516e

        SHA1

        91f688c235388c8bcee03ff20d0c8a90dbdd4e3e

        SHA256

        fe18f4259c947c1fd6d74f1827370e72d7ad09aefb4b720af227333583e0169f

        SHA512

        b4f6a614e5fc52850e3d02ebf7e85abf1ebe3fb4ebd6b4f03ec9dc4989cce88e44714ca2198dd7e632f5ed0f15225a68b31052da33e5ac3ce48a1c91c3c04446

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zECDA4BBC8\AxoPac\ASP.NET Web Pages\v1.0\Visual Studio 2012\thirdpartynotices.rtf
        Filesize

        87KB

        MD5

        b0ac92e72b07a4b37d66f0264e3373c0

        SHA1

        769dec94ed0bfcb47e68026aa01e80a26943ff38

        SHA256

        5a0792c375031840221f1737ba389b0d6dac373b118a107e50fbe78fe5f4ba69

        SHA512

        716c37b16c577de53b7f6e3934e09ae329e138a8a1725d60e9d8907c43c4400918a31b12ae173644efc25ccc9bf7cb332a3042c17386a3724320ab977a7ded52

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zECDA4BBC8\AxoPac\ASP.NET Web Pages\v1.0\WebConfig\System.Web.WebPages.Deployment.dll
        Filesize

        25KB

        MD5

        f9efab153915541f6cbdd147f85f9842

        SHA1

        5d923740f2377298ad917eb9f5bfb45e0b1465fb

        SHA256

        130fe2b8282263c77d9bee89d636166848291432696c449d708c819b17bf053a

        SHA512

        74890a53f2b0b73816e5155fb2b48580fa1dbf3e35077e7915d96ae57516c5da2bbf968978ae134e12754039a5ada6f8dfbcdc121cab9b887a6d4d259b68f3ba

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7zECDA4BBC8\AxoPac\x64\lib\images\cursors\win32_CopyNoDrop32x32.gif
        Filesize

        153B

        MD5

        1e9d8f133a442da6b0c74d49bc84a341

        SHA1

        259edc45b4569427e8319895a444f4295d54348f

        SHA256

        1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

        SHA512

        63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

        Download Submit

      • C:\Users\Admin\Desktop\AxoPac\Installer.exe
        Filesize

        322KB

        MD5

        fea4388761569e59cc513d1403ee16c6

        SHA1

        8a94f6eaf29afbdd1b52b198378e643af49db90b

        SHA256

        9a72d961c46dc5015fc4e95e528672561faf983ae7db77166588488020e06e87

        SHA512

        8b6018ff3c8f82b9195b839494811d84c6e03fdc03b38f7b2f99f0c14f789db55c31a0fe6f7e4f2c01a985d33c059baaf455af59a77be3306283f66f11e021a4

        Download Submit

      • memory/312-1563-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1561-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1558-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1559-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1560-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1562-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1564-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1554-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1553-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/312-1552-0x0000020135980000-0x0000020135981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1572-1551-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1572-1546-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1572-1549-0x0000000000400000-0x0000000000456000-memory.dmp

        Filesize

        344KB

        Download

      • memory/4128-1540-0x000000007483E000-0x000000007483F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4128-1550-0x0000000074830000-0x0000000074FE0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4128-1541-0x0000000000730000-0x0000000000788000-memory.dmp

        Filesize

        352KB

        Download

      • memory/4128-1542-0x00000000056A0000-0x0000000005C44000-memory.dmp

        Filesize

        5.6MB

        Download