Overview

overview

10

Static

static

8

d60e626a33...f0.exe

windows7-x64

10

d60e626a33...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    234s
  • max time network
    261s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 08:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d60e626a33e39d08d69381b5f11345364b5d31e9e93062b8195f1436a6c526f0.exe

  • Size

    184KB

  • MD5

    062a40c1295fe33377bd550d33335aaa

  • SHA1

    cb7730c99fbf896fb92f128b18b621e14d0981ae

  • SHA256

    d60e626a33e39d08d69381b5f11345364b5d31e9e93062b8195f1436a6c526f0

  • SHA512

    aa1f3688499f93edac1bf8f8cd6ca004013ec1da3d46e02002bc61373f6eb9e0d34832ffd2df509074e2de5c3fd6c14e7eb1483ee119a356cffa43b4a43d578d

  • SSDEEP

    3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJG:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWk

Score
10/10
aspackv2persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Drops startup file 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d60e626a33e39d08d69381b5f11345364b5d31e9e93062b8195f1436a6c526f0.exe
    "C:\Users\Admin\AppData\Local\Temp\d60e626a33e39d08d69381b5f11345364b5d31e9e93062b8195f1436a6c526f0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops startup file
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2200

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\desktop.ini.exe
    Filesize

    185KB

    MD5

    e16d6287de81ab1bf22a290c3f23083a

    SHA1

    6fc05e0f5966e1ea69a09c119c0ab4dacb61847d

    SHA256

    382fa9919e6f93b2cb56dfbc618e483a62bb88941dd701e2cd27ed3d46be7f09

    SHA512

    f0261675e2ac597034c10f8c25dfc8c3a29bbcdf694a05ad6f20d56312694bec393aacbcd1f037e2710d31773b63e6f3d02acc0c99544dfaefff25d4a60bcfe2

    Download Submit

  • C:\AutoRun.exe
    Filesize

    184KB

    MD5

    062a40c1295fe33377bd550d33335aaa

    SHA1

    cb7730c99fbf896fb92f128b18b621e14d0981ae

    SHA256

    d60e626a33e39d08d69381b5f11345364b5d31e9e93062b8195f1436a6c526f0

    SHA512

    aa1f3688499f93edac1bf8f8cd6ca004013ec1da3d46e02002bc61373f6eb9e0d34832ffd2df509074e2de5c3fd6c14e7eb1483ee119a356cffa43b4a43d578d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    e1fb60a6f2d6d01e1b3d910dd79ec008

    SHA1

    c6a450051fad1abaf7f0e5959a016e8024f7c3f1

    SHA256

    a721f03bb05e7ca2281dbcf4554e0c4b8ccd9213edd595dbc03e3a7585b1d2f0

    SHA512

    c78d2a84ae824da21f902204efc48226965aa6184b95af5476c2a30e9e41069fef70025ef5e80ca91ef2e53a1d9867897df3cab518fae801f04e8299782531e9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    56534dbc3fc5461864ae252bcd19d65d

    SHA1

    088141dc7129160ca78f2b9d0509404cbe4e3b6b

    SHA256

    8766b1c59fa07829011bc8d7894496f3a4ba02912df60a7290ddf50bd4d2b18c

    SHA512

    d0e8e2c5c0f2382644705cb7ef0e25d0c7e1186de99c3c8930206c2f0ee9ecee5cdfd2170ab899f02865e52c070b63f242883f7371a10ead44fd8388b9288794

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    034a47c796d0d0c9398fdcb7bdeb5857

    SHA1

    4344758b6009a58268bfbf22fd1cc6cd32668a19

    SHA256

    9a523fe39a4f10a1b852f92f916a0bf34ccc0c45ef78a67bdc2c80ca4ec869d7

    SHA512

    d9e8ffa1a340c0a694efb10a623f3a7d90ab23ce46fc91ef4619577237de977d01febe633ef9937094e5999fcddc7a9adca3564c09d73c5422229ceac83e4e6d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    8cdd5f2e22888f3c2cb0cf7eae5438c8

    SHA1

    481389e372d644a57acd581ce6fa3a6f718c3e61

    SHA256

    7de8f15e089137667fa6d7c9796c73cc4b68dd5f19945482b90f8388caa79dc5

    SHA512

    a110ea4e959c1f5d97a18eea4d6f19bc60594db457452f447cb108591f5093c148a6017acd5cb2f50dc65093f93dbe6fb5c5ee88df4973963ecb0a0b8ff97a0d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    52398113eaabb9611883a19d8cdff030

    SHA1

    5f6ba657e4a58d21c5bbda2183f49ccb062ba6bc

    SHA256

    237e69e649d7a6331645eb895734bc40bba3ef886cbf82416bf5436fb79e05bf

    SHA512

    53838de55360d517300eb18ea0459be10ad5b06eb1171d7c4eb63f951cdd600598e665eb3edfe378b9aa1063fee03302928fdc8c0418ad0007263aaf1db041fc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    71991336a8976fb3ee0b4b8a523d9a11

    SHA1

    7a6813510e14be5bafa3ae1c6e528f0008471eb5

    SHA256

    ebfadb9692a3c68553beb015c1ad55c0ce8342a68dbdd75e0785ad1c1d7a86c5

    SHA512

    2ea07228f583d8217ca827a6d3fc5b0ad17bed25952fdb1f70667d4054109ce72b29d6ab9c9709b4fd89c2c3c55527accbae3a388457643b0081b404bcd0af66

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    5531016760a10a75a42bc81f037ff2b4

    SHA1

    3514fa11b5aa5e85be859ee9aa235d4e1b510152

    SHA256

    3446e28decd2da022b6aaa4e3f8f8beacc3ae3f0e03dbe4654e3a4d9741806dc

    SHA512

    5b1d6d0983126c744f5d68db48454bc0fd94c641d01a0df98581e158c340ef8ac992a31a24e81e9ed1db6d59a880ea0ee62c040f41a74ebda130d188a5f0e2bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    fbba900d7c3632a6de37c0d3377c0dca

    SHA1

    8a2814d3694d5d477b2ebf5286d2bbef2903ed65

    SHA256

    21bc6a10f6afc21b74f80c77782bf4e784d7dbaf664e91fde32e309a98f3eb56

    SHA512

    5b3433626b041e75bc442db486c819982b1d4ee1228df81f7a4193ad84a4e9c7c54373d5bacde622440a0490ee48978a912ed9f70dfe8e0aee4db392f61fe559

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    6069405986aa98c9cc8b9969c4dfd559

    SHA1

    aefccb1782a8cd490b859a461cb73440c6806c8e

    SHA256

    8281f57cd35e5080221f2426880959fe2ab1232d2f86e0432e30e99c6d13214b

    SHA512

    20c04c4aadc3a77085412177b2d68b49f14d50ef78a48da49627db7601905c805827cc2672a4bebf195a5d550ae85d6a9c36ce778e2943c89245e5d4f1ee9334

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    6069405986aa98c9cc8b9969c4dfd559

    SHA1

    aefccb1782a8cd490b859a461cb73440c6806c8e

    SHA256

    8281f57cd35e5080221f2426880959fe2ab1232d2f86e0432e30e99c6d13214b

    SHA512

    20c04c4aadc3a77085412177b2d68b49f14d50ef78a48da49627db7601905c805827cc2672a4bebf195a5d550ae85d6a9c36ce778e2943c89245e5d4f1ee9334

    Download Submit