Overview

overview

10

Static

static

7

ada4478249...92.exe

windows7-x64

10

ada4478249...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22/12/2023, 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ada4478249b1b2541aa075a7fd36f792.exe

  • Size

    487KB

  • MD5

    ada4478249b1b2541aa075a7fd36f792

  • SHA1

    5e01950f4cd56a10e4f1933207de21d245fd5c7c

  • SHA256

    e2ce47ec3a67d1a9d8a6aef277215852e9d44dd588dd49d7016b52c8dbed40d9

  • SHA512

    15d734a62bf336b724048a80fdc3eda3ed71dd550a03c0530ccd44267380994f28d88f5d522ca65181a05b183b4f59803ef12bfc37d50b0a80476491209864d6

  • SSDEEP

    6144:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyAp0mgl8agveD6oMhNn9LV5EpRsxio:ZMMpXKb0hNGh1kG0HWnAlU8L

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ada4478249b1b2541aa075a7fd36f792.exe
    "C:\Users\Admin\AppData\Local\Temp\ada4478249b1b2541aa075a7fd36f792.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini.exe
    Filesize

    488KB

    MD5

    4130780581d266b4cf12e0aea2318268

    SHA1

    c2b11a1db1282dd9d5b2fda879414693a143e987

    SHA256

    c30aa9a977215b82e4b3097785ebe42ddfef704c37044b61d954601c8501fb72

    SHA512

    7b4cb30a113f79e1fbda72cb2bdfb382e9959c38c04351f35984b8fba8b5e38cc65bd29f47e035687892b7722272eed6bf6f5c56683bbbc567100c8e8d100a43

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    5e0511d2633489333d94743ffb99c7ab

    SHA1

    a82db27bc7d325740be067a4130556b64d7945f0

    SHA256

    31ae4083b1a2b30260e440f593c978f2c09cf83c617914fcc6407d938f1fc981

    SHA512

    fc6a92863711b59a083c272565527bf549234691bb19b39f878744050242b7b4607261fd2d0ec5c006730380f7f90a3f649e7c588580a9fe70c8c1742a01b90f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    734cf57f3ea4399cfe32e8c008536857

    SHA1

    348cfd963710fb0bad9348149c0a407b431ad048

    SHA256

    76a736ef3518fe1e843f693f53617eb9a57663a4e53b8ef2047958be424ba8bb

    SHA512

    319326cfc10b67b8f7bea1ee723204e266e412e6a96816465bcfda7dfb9903132477bf525662a619d4edeca0eb4540d444b6ad7620ac72bf6d36f71aead4b137

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    487KB

    MD5

    ada4478249b1b2541aa075a7fd36f792

    SHA1

    5e01950f4cd56a10e4f1933207de21d245fd5c7c

    SHA256

    e2ce47ec3a67d1a9d8a6aef277215852e9d44dd588dd49d7016b52c8dbed40d9

    SHA512

    15d734a62bf336b724048a80fdc3eda3ed71dd550a03c0530ccd44267380994f28d88f5d522ca65181a05b183b4f59803ef12bfc37d50b0a80476491209864d6

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    459KB

    MD5

    c5a0b05b4b8d68124ce5d534a2e136df

    SHA1

    475b7e558f975f2819bb670b094eddf6f7abca2f

    SHA256

    7c7a6a9f5645968c7874c8df96d827a94100faf272885879247e316516c5b76e

    SHA512

    a8b6819e83126f02d8cc350f416284ef54c9e20aa49e3ae568bc3e733d63923f9a0591a971f5f1128267b9c5eedeb46b4b6a6d5019c98e7d3507f57992ffbec4

    Download Submit

  • memory/2200-242-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-255-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2200-305-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-356-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-352-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-364-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-76-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-346-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-269-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-340-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-281-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-324-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-293-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2200-317-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-77-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-306-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-294-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-318-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-282-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-330-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-270-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-341-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-256-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-347-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-244-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2760-353-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-243-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-359-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2760-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2760-365-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download