Analysis

  • max time kernel: 168s
  • max time network: 141s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 25/12/2023, 12:53

General

  • Target: 20011bd3c31203ba0c8601873099e09c.exe
  • Size: 1.1MB
  • MD5: 20011bd3c31203ba0c8601873099e09c
  • SHA1: d1878d02f3ae76fdd5ed8d53df784dc4223e7251
  • SHA256: 0fc3a33196e96828b2855c78b84ecac050535a2fcbf0a84db3d0925e120fab00
  • SHA512: 985086155ca19b4ce4d46894318fb335543d6651614ba5a92882a3a61814053264ed2c539cad98ea84d84a62b39c6cc37acffd421220f51c0636e0671bb7f72e
  • SSDEEP: 12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnALt0:5MMpXS0hN0V0H7MMpXS0hN0V0H2

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • ASPack v2.12-2.42 (3 IoCs)
    Detects executables packed with ASPack v2.12-2.42.
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops autorun.inf file (1 TTP, 3 IoCs)
    Malware can abuse Windows Autorun to spread further via attached volumes.
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\20011bd3c31203ba0c8601873099e09c.exe (PID 2860)
    Command line: "C:\Users\Admin\AppData\Local\Temp\20011bd3c31203ba0c8601873099e09c.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    • Child: C:\Windows\SysWOW64\HelpMe.exe (PID 2704)
      Command line: C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini.exe
    Filesize: 1.1MB
    MD5: d2cd1fc1d16538b06acfd93c6b41d110
    SHA1: a9ba996506f64d77cb0927d926f3cc0474842785
    SHA256: a21a6c12bd8fe3e7867cc88c4d4c9d9aa22c9de7786054f6a35942840c685466
    SHA512: ea9bf469804eed25277b45df55f535ac5cea3ec0e9b2fb42cde957013badd076be44d29a7771bd76fc9b323736c3f369b96d2eb6078768aac463e2959d0d52d4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 954B
    MD5: 3be5c2263184c623843b54190cc65a2a
    SHA1: 4904be422e5dcec69f2a64058bb3feceb6113b8e
    SHA256: 96c38df266a9f3dce2fcb5fecf6296ee6d22c251dfc089cccd2e8357ec3a8619
    SHA512: e4ee9e31336042501e8e6232712877e02176f598c69a6259764b057963e7d09672899354e95f61e7133310d06d57a7159ad75345e4dc9ab839898e6c15f30329

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 1KB
    MD5: 4f9236fb932790ee5ddb43e7fdf064d8
    SHA1: b02ccd6fef1414956648bc643261ae62576592b9
    SHA256: 569dc7cf5e2c7dac42a9a8c721962443a88157f28ae0dc4ce5e1a539e5cfe2af
    SHA512: 8b2e6443492628cbaa6f962ee3088a8fb6bfe78d4ccdf7d8ae7e2a78fedd65ccb3aa6010daa033e96a7d303ab6ed33c5bf98523aaf61ae38edc65d1893b286b7

  • F:\AUTORUN.INF
    Filesize: 145B
    MD5: ca13857b2fd3895a39f09d9dde3cca97
    SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
    SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
    SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe
    Filesize: 1.1MB
    MD5: 20011bd3c31203ba0c8601873099e09c
    SHA1: d1878d02f3ae76fdd5ed8d53df784dc4223e7251
    SHA256: 0fc3a33196e96828b2855c78b84ecac050535a2fcbf0a84db3d0925e120fab00
    SHA512: 985086155ca19b4ce4d46894318fb335543d6651614ba5a92882a3a61814053264ed2c539cad98ea84d84a62b39c6cc37acffd421220f51c0636e0671bb7f72e

  • \Windows\SysWOW64\HelpMe.exe
    Filesize: 1.1MB
    MD5: 8dcf1d3cf8a65044536cf9dc94062acc
    SHA1: 1aeedf58783fab1904ccac3b7f2216925d2f9612
    SHA256: 3622ddcb572a10fd37cc0ec4c5d679755a41cefb03c41e479372c5752a7039f0
    SHA512: c3df6e664d338b59279919a8769a91b3359bcb2ab0fd5c303b6b5140867e6063e9ebfbbecab1e400f32da17cdb8f95a7f40941ff6b3a159c0ef3ec9c559e4c5f

  • memory/2704-9-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB

  • memory/2704-86-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB

  • memory/2860-0-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB