Overview

overview

10

Static

static

7

b1a9649163...b0.exe

windows7-x64

10

b1a9649163...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2023 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1a96491637227f123a51cc3d5484cb0.exe

  • Size

    2.8MB

  • MD5

    b1a96491637227f123a51cc3d5484cb0

  • SHA1

    0f3c2e73386d369e6e2166857514f7e133d74165

  • SHA256

    412e9f02a4f8be99894ebc8019ab7f767699e2cd7bb8a193a5384a249e7d9f65

  • SHA512

    1f3c21496998ff58c74399af0079048218f0fdb49f2f443e78c68665296429dfdc14b68c6a66179b27db365f0d9eb0400ae2cb9118949eeb48eead3fade3ded9

  • SSDEEP

    24576:5MMpXS0hN0V0HYSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Np:qwi0L0q1VN0EG

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1a96491637227f123a51cc3d5484cb0.exe
    "C:\Users\Admin\AppData\Local\Temp\b1a96491637227f123a51cc3d5484cb0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini.exe
    Filesize

    2.8MB

    MD5

    faea28861660f80edead5581fa10d116

    SHA1

    81c2cd885ad77271068bd9302fe70cb4ea5fc027

    SHA256

    7eeb69d309c1cbf6622ed8dbc31300c3961323825879133e81ddf6423d1f23d6

    SHA512

    239b807464ddb2adad4a1f90b0b29b89092421dd7720e8c1d4ea30c9db01a990b2bf2b8d9d346e79979eb13e2870e3e57ecd35149275ab291c7ac0d6fe967a6e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    e5673505b8710f30329f219f34f157ab

    SHA1

    df48f8429521376cb899105055b158d8275c07f3

    SHA256

    62145cbf480c183b9c770090070a5fcbb3bc90a010b4c25ab1a5edf11c9bb247

    SHA512

    a1e714cdedb6f6e76b4d289b5f279eaf12f6d64ca68138d437f4434c396d4160e9c2e2ca8105af37fdf8e0e608fac82911cce02fec5a33b004640f9b43ab698d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    17cc180535f6c64dfe61e804111e9d4c

    SHA1

    0d47ac3f705b4a5135e98d6d634c3cf654a323ea

    SHA256

    373211b6a17105cb6151e4bc87497c1a17ee932ad5da11865a8613dd5fb109e9

    SHA512

    f284c5dc5f4c1d4484fce718a3e4bcc723b34d7667faab14a57034e67ca57a4222ce9df557432a9bfcb1679c0b296e3f898d77ec0cab041f84309d9c0159dfbb

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    2.8MB

    MD5

    748a50996e84447a9c5c3f6db5f4299a

    SHA1

    6549f53591e1a85ccdbbea943480310bf3619901

    SHA256

    052d679e4cf52d049f6bf3afad4ae4d335021bfb202b11437d43d651f09397b2

    SHA512

    1d9c3a235b2a1277e82a45b1007aff2f89662d977f25876a54f7c2dc7084469090e9a5e8717e73e3593b4291b0a0de12ea701168c19c849954bfcca41cacb030

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    2.8MB

    MD5

    b1a96491637227f123a51cc3d5484cb0

    SHA1

    0f3c2e73386d369e6e2166857514f7e133d74165

    SHA256

    412e9f02a4f8be99894ebc8019ab7f767699e2cd7bb8a193a5384a249e7d9f65

    SHA512

    1f3c21496998ff58c74399af0079048218f0fdb49f2f443e78c68665296429dfdc14b68c6a66179b27db365f0d9eb0400ae2cb9118949eeb48eead3fade3ded9

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    1.5MB

    MD5

    d830193007b1dbe77ace8f1e4fc2d2bb

    SHA1

    5bcccac573f47b82b326de2ef34e2fb689b0cdd9

    SHA256

    3bf095d694f3f4dbfc7e3ad28a0f4b0d310e644aa7f81e0f0719f16a1e57f7df

    SHA512

    8742000e4c34f02f0b50f9db971c46bb8764b12ceb9f530e91690bebe9d8020ce6a75d923383468cf0aeb48d7cb7ab71ce44a8fe6e928e89d586cb6f94d2acea

    Download Submit

  • memory/2132-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-0-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2416-229-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

    Download