9ab2d84d6c4a79f9669dc15fd48db3499ac976e53255c6fe213773279c9df757

Analysis

max time kernel
145s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 06:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5a939483c9677047120ef9326bab0bae.exe
Size

843KB
MD5

5a939483c9677047120ef9326bab0bae
SHA1

e32f878e4e1aaa7634408a4d54a7e4a236d84bd2
SHA256

9ab2d84d6c4a79f9669dc15fd48db3499ac976e53255c6fe213773279c9df757
SHA512

9a0b295e691960990d234d34be82d78fabb6c4dafe0073caa5c89efa5e4ac91100109b4e6075c6ac51655ee4ba57946ae53f23ca1fb7a9681677d20f51bf3845
SSDEEP

24576:5MMpXS0hN0V0H+E6Ehg7mM+M6RkMkIM7gE6EhI:qwi0L0qW0g7mM+M6RkMkIM7I0I

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	5a939483c9677047120ef9326bab0bae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a00000001224d-2.dat	aspack_v212_v242
behavioral1/files/0x000a00000001224d-10.dat	aspack_v212_v242
behavioral1/files/0x000a00000001224d-7.dat	aspack_v212_v242
behavioral1/files/0x000a00000001224d-4.dat	aspack_v212_v242
behavioral1/files/0x0007000000014b5b-38.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	5a939483c9677047120ef9326bab0bae.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	5a939483c9677047120ef9326bab0bae.exe

Executes dropped EXE 1 IoCs

pid	Process
2036	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
3036	5a939483c9677047120ef9326bab0bae.exe
3036	5a939483c9677047120ef9326bab0bae.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\Q:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\X:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\W:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\A:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\G:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\J:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\M:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\U:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\I:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\P:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\Z:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\E:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\O:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\S:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\T:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\B:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\L:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\V:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\Y:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\K:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\N:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\R:	5a939483c9677047120ef9326bab0bae.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	5a939483c9677047120ef9326bab0bae.exe
File opened for modification	C:\AUTORUN.INF	5a939483c9677047120ef9326bab0bae.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	5a939483c9677047120ef9326bab0bae.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2036	3036	5a939483c9677047120ef9326bab0bae.exe	28
PID 3036 wrote to memory of 2036	3036	5a939483c9677047120ef9326bab0bae.exe	28
PID 3036 wrote to memory of 2036	3036	5a939483c9677047120ef9326bab0bae.exe	28
PID 3036 wrote to memory of 2036	3036	5a939483c9677047120ef9326bab0bae.exe	28

C:\Users\Admin\AppData\Local\Temp\5a939483c9677047120ef9326bab0bae.exe
"C:\Users\Admin\AppData\Local\Temp\5a939483c9677047120ef9326bab0bae.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini.exe

Filesize
92KB

MD5
a38769c5f89b4c8997b72982b5f7e8d7

SHA1
76c83824d8a9027bc8e7f45572716b353c0ed867

SHA256
a55bc98b20e6e6d0f0f9fccd535210b64b321774f708d6be52b60fb22c968249

SHA512
c6a987666ad9149fe8b34994729b301dcbc8c6f8c04a3eeb7c572f9bfa1cbd223bf335e2232d5e3dc928671ad678494d4934a261f0945e3c33e88350a3b76d37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8e1e81e691fe4be98d136b75696069af

SHA1
adadd3790e295e7a64096fa91f40634fd2107c5d

SHA256
5dc559a612eba015335cbcd468c9abfbb0fe07e553bed3d1daa05dda349c1613

SHA512
92a753775db14b274940ba375ec70d97954179987942631e8f6ca25674ee31560d700cd3cbbd0bf36b084551c80caed33c28b0140c22fba16e9f2c4960a25141

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7062cac2db31b4d17ced16fdbc04fdc5

SHA1
6adc6d2b9fa66d265ccc22aacf2fa8389796d11a

SHA256
61a33d3aca5939c25e43e577205f917956b45ef512fc3706e7e81d3a2215026b

SHA512
b182dc62d7451ee652d8e0a8a049c4b5a46cef30ffb702b63f2e44626b22c9753faa0ef3a44d6b74d0c96b2612df6bc03d2091d62d6656e0200eaa8247602df4

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
382KB

MD5
b099dab788c6eb63b143720cab330d7f

SHA1
a3f349ea9bdf166d70871d2ed3091a65f595d991

SHA256
42111707bc88eb1cca89d3f45fb837b0bee4250eb1d25ed3e41b58a1724c5cdd

SHA512
b841abf705264d65b8d4eb79a21375e17584bf53faf29ac2a92101cd7e86d7cb33af4b4e7c5b87c03de963115eed0d5c1de96eb631c0082da320c72300b23817

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
384KB

MD5
6d96e36517a17ae8e4d9c0f8d2c71171

SHA1
6f8a94836cb66f3073ef24d8052af08f8617258a

SHA256
fa5e31d55e5433cb84c7c31a1f16e08d2a0b73073ef740bbeb1bb57655a85c66

SHA512
e835f3e23415382d755e4c646cca50c681fe5d462ff242a9969b3b5bda5e65eb21dcecb6467c007b140176f2aee9367185a8c096fdf64b7803c4c8d5ec0a7d5f

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
277KB

MD5
788304c70189592bb8cdd9f0dff10d1b

SHA1
3693cefa672c29bee2d9728d528bced35ec508ed

SHA256
a1454f9ec50a0f1238d8fbe7b3fca1062be6c1ed275472201a68df03ea04f717

SHA512
d2b35df71ff7c82880b97daf5dae72b5462a41842ebfc6fb31fc5eb42ffa10f0e710c5ab3fff7436920ab21fe7a1b36b625406c54be2c413ec4d08f37875c8ae

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
386KB

MD5
1dbd53e029e5df62c10e38aabaea1ab4

SHA1
f1e665e4215c1a23c885727468832a5b1adb540a

SHA256
5f6f0075099738e4bcfaf2640100611221b92e3d3bfc805fed0becf67a90a34a

SHA512
1199919835c1ba8f641bbf4bdec1555a6189d54a106b835edc8feb089c7c67ac4e801ac55c44cd5af0974b26da87e47d06b334623a3490cae8f7109f80d89147

Download Submit
memory/2036-9-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3036-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads