Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-12-2023 14:10

General

  • Target

    7495e5ae70fda52eb0f4da21ff6768a3.exe

  • Size

    1.1MB

  • MD5

    7495e5ae70fda52eb0f4da21ff6768a3

  • SHA1

    f288ece13d0d1811e54222e550c716ac9f85a55b

  • SHA256

    d27ad98101b3b0988b85f0dd6a21c319faa5a9a9d8cbd1a2d5f414dbddca05dd

  • SHA512

    444a7520c1bb0c2ef126ea7431eb71ad2f139cd1e424570fbe0a360748a7014c3d7ed139a8a6e5c7d567befeb21f8e607657874ae4d992504d4a1ae9883c1484

  • SSDEEP

    12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnAL4:5MMpXS0hN0V0H7MMpXS0hN0V0H4

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    The sandbox's generic heuristic reads this as ransomware encrypting files on the system. In this run the renamed file listed under Downloads (desktop.ini.exe) carries an added .exe extension and is a 1.1MB executable, the same size as the sample, which is more consistent with a file infector or worm writing copies of itself under existing file names than with encryption; check the content of the renamed files before classifying.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42. Static signatures and strings on the packed PE describe the packer stub, not the payload; unpack it (or dump the image from memory after the stub has run) before static analysis.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes. Here the dropped F:\AutoRun.exe is byte-identical to the submitted sample (same SHA256 under Downloads). Note that since Microsoft's 2011 AutoRun update, Windows 7 and later honour autorun.inf only on optical media, so on a USB volume the copy runs only if a user launches it.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs
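The "Modifies WinLogon for persistence" signature above is raised by the sandbox, but the report does not show which Winlogon value was changed. The following is an added example, not code from the report or from the sample: it parses a .reg export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and flags entries in the Shell and Userinit values (the two a persistence implant most often appends to) that are not stock defaults. The assumption that Shell/Userinit are the target, the .reg text and the dropped path in it are all constructed for the example.

```python
"""Check Winlogon Shell/Userinit values in a .reg export for appended entries.

Added example, not part of the sandbox report or the sample. Assumes the
persistence target is the Shell or Userinit value (the report does not say);
the .reg text below is constructed and the extra path in it is hypothetical.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values on a default install. Both are comma-separated lists, which is
# exactly why malware appends to them instead of replacing them.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"C:\Windows\system32\userinit.exe"},
}

# Constructed .reg export (hypothetical): a second Shell entry has been appended.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\system32\\dropped_example.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001
"""

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_key(reg_text: str, key_path: str) -> dict:
    """Return the REG_SZ values under one key of a .reg export, unescaped."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:  # .reg escapes backslashes and quotes; undo that
            values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values


def winlogon_findings(reg_text: str) -> dict:
    """Map each monitored Winlogon value to the entries that are not stock defaults."""
    values = parse_reg_key(reg_text, WINLOGON_KEY)
    findings = {}
    for name, allowed in EXPECTED.items():
        if name not in values:
            continue
        allowed_lc = {a.lower() for a in allowed}
        entries = [e.strip() for e in values[name].split(",") if e.strip()]
        extra = [e for e in entries if e.lower() not in allowed_lc]
        if extra:
            findings[name] = extra
    return findings


if __name__ == "__main__":
    for value, extra in winlogon_findings(SAMPLE_REG).items():
        print(f"Winlogon\\{value} has non-default entries: {extra}")
```

On a live host the same check applies to an export produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; the comparison is case-insensitive because the registry is, and the trailing comma Windows keeps on Userinit is tolerated.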

Processes

  • C:\Users\Admin\AppData\Local\Temp\7495e5ae70fda52eb0f4da21ff6768a3.exe
    "C:\Users\Admin\AppData\Local\Temp\7495e5ae70fda52eb0f4da21ff6768a3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2272

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

    Filesize

    1.1MB

    MD5

    64841322ebb194682b0db062db4a7109

    SHA1

    e7303a64015fe5ee1d3dff9a143bd3c6ce8b279d

    SHA256

    bdf1872087019206f6ace75945c7025626b1cc24f18108610b5d5e09526590db

    SHA512

    af69751237862faa41120ae8b9cf374b503bf9597fb06c1fbd82aa6f2b953f1ed076d6f750cf3e06fda341f2358ea51a837a7ceaee10a4d4d07258f7cefaca2d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    aa20d14c5a9e04d606b2250a4e4d7ca3

    SHA1

    d5589b7152175c67017c7e1b1af6e3a82c9a42e9

    SHA256

    d20f112cace807898bcabb734a6c22d8c8c23860e99dec96338f8f9d47e37ee5

    SHA512

    17d5f565f8deb408e5fb0d65b61f1ad68d10b34e0d3a4bbb4f56ebc470ad8d88b4baf985fa1d5bd8a136909cbe341634686bab1dff9acc95c4af793d42e41a78

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    dcae2a083170c7132e20b7f09bb3f42a

    SHA1

    55d2dc44631de329b524debdc7e89c94a85eaec3

    SHA256

    dd85144ebf507254d9debfb4b21e55644664421212e9d9677a70be3757cf2441

    SHA512

    d45ef5ba6590622db09fdeb90895faabe2afa2d313f95cbcbf93044d89f1031728144c9ff9128f2f8aa6736ea9b492281af5a9106c0f2f0fe65c7171dce9cfef

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    1.1MB

    MD5

    7495e5ae70fda52eb0f4da21ff6768a3

    SHA1

    f288ece13d0d1811e54222e550c716ac9f85a55b

    SHA256

    d27ad98101b3b0988b85f0dd6a21c319faa5a9a9d8cbd1a2d5f414dbddca05dd

    SHA512

    444a7520c1bb0c2ef126ea7431eb71ad2f139cd1e424570fbe0a360748a7014c3d7ed139a8a6e5c7d567befeb21f8e607657874ae4d992504d4a1ae9883c1484

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    1.1MB

    MD5

    8dcf1d3cf8a65044536cf9dc94062acc

    SHA1

    1aeedf58783fab1904ccac3b7f2216925d2f9612

    SHA256

    3622ddcb572a10fd37cc0ec4c5d679755a41cefb03c41e479372c5752a7039f0

    SHA512

    c3df6e664d338b59279919a8769a91b3359bcb2ab0fd5c303b6b5140867e6063e9ebfbbecab1e400f32da17cdb8f95a7f40941ff6b3a159c0ef3ec9c559e4c5f

  • memory/2272-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2320-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2320-240-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB
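The "Drops autorun.inf file" and "Enumerates connected drives" signatures, together with the F:\AUTORUN.INF and F:\AutoRun.exe entries above, describe the removable-media spreading pattern. The following is an added example, not code from the report or from the sample: it parses an autorun.inf for the keys that name something to execute and hashes every file on a volume against the SHA-256 values listed in this report. The report gives only the size and hashes of F:\AUTORUN.INF, not its text, so the autorun.inf content and the stand-in AutoRun.exe bytes in the demo are constructed; the hash table is copied from the Downloads section.

```python
"""Triage an attached volume for the autorun.inf / AutoRun.exe pattern in this report.

Added example, not part of the sandbox report or the sample. The report lists
only the size and hashes of F:\\AUTORUN.INF, so the autorun.inf text below is
constructed; the SHA-256 values are copied from the report's Downloads section.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 -> label, taken from the report. F:\AutoRun.exe hashes identically to the sample.
REPORT_SHA256 = {
    "d27ad98101b3b0988b85f0dd6a21c319faa5a9a9d8cbd1a2d5f414dbddca05dd": "sample / F:\\AutoRun.exe",
    "3622ddcb572a10fd37cc0ec4c5d679755a41cefb03c41e479372c5752a7039f0": "HelpMe.exe",
    "bdf1872087019206f6ace75945c7025626b1cc24f18108610b5d5e09526590db": "desktop.ini.exe",
    "cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae": "F:\\AUTORUN.INF",
}

# [autorun] keys that name something to run; checked in this order.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed autorun.inf (hypothetical content, not the 145-byte file from the report).
SAMPLE_AUTORUN = """[autorun]
; worm-style: every launch path points at the dropped copy
open=AutoRun.exe
shellexecute=AutoRun.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""


def parse_autorun(text: str) -> dict:
    """Parse the [autorun] section; keys lower-cased, ';' comment lines skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text: str) -> list:
    """File names an autorun.inf would hand to the shell, in EXEC_KEYS order."""
    entries = parse_autorun(text)
    return [entries[k] for k in EXEC_KEYS if k in entries]


def hash_matches(root: Path, known: dict) -> dict:
    """Relative path -> label for every file under root whose SHA-256 is in known."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            if digest in known:
                hits[str(p.relative_to(root))] = known[digest]
    return hits


def triage_volume(root: Path, known: dict = REPORT_SHA256) -> dict:
    """What a responder would check on a volume like the report's F: drive."""
    result = {"autorun_targets": [], "known_files": hash_matches(root, known)}
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None:
        data = inf.read_bytes()
        # autorun.inf is sometimes written as UTF-16 with a BOM; decode accordingly.
        text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("utf-8", "replace")
        result["autorun_targets"] = launch_targets(text)
    return result


def demo() -> dict:
    """Build a throwaway volume with the constructed autorun.inf and a stand-in AutoRun.exe."""
    root = Path(tempfile.mkdtemp(prefix="vol_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN)
    stand_in = b"MZ stand-in, not the 1.1MB sample"
    (root / "AutoRun.exe").write_bytes(stand_in)
    # The report's real hashes cannot match constructed bytes, so register the stand-in too.
    known = dict(REPORT_SHA256, **{hashlib.sha256(stand_in).hexdigest(): "stand-in for F:\\AutoRun.exe"})
    return triage_volume(root, known)


if __name__ == "__main__":
    print(demo())
```

Pointed at a real mounted volume, `triage_volume(Path("F:\\"))` reports which file the autorun.inf would launch and whether any file on the volume hashes to the sample, HelpMe.exe, desktop.ini.exe or the dropped AUTORUN.INF from this report; a hit on the first three is a copy of the worm regardless of the file name it was given.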