2e865b614c74214691ed21ac380db63c7bbaa4380bc2681a4e531fbb360f7d1f

Analysis

max time kernel
145s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d3df37aa8a77c5d709214548a8754a6.exe
Size

2.6MB
MD5

0d3df37aa8a77c5d709214548a8754a6
SHA1

8a59fd156e89136c8e4ccb9d47d6681767415306
SHA256

2e865b614c74214691ed21ac380db63c7bbaa4380bc2681a4e531fbb360f7d1f
SHA512

ed4039bdcd9c066a4c79181a592ce58ab98d8e41cf9634bae0131fa7eb1feae41a427f67f7d40734498976cdaa17ff3660ff275f65a20d00da9559074d3fa699
SSDEEP

24576:zMMpXS0hN0V0HDIH/SGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63x:gwi0L0qK6l

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0d3df37aa8a77c5d709214548a8754a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000a00000001224d-2.dat	aspack_v212_v242
behavioral1/files/0x000a00000001224d-8.dat	aspack_v212_v242
behavioral1/files/0x000a00000001224d-7.dat	aspack_v212_v242
behavioral1/files/0x0031000000014852-38.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0d3df37aa8a77c5d709214548a8754a6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0d3df37aa8a77c5d709214548a8754a6.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
3032	0d3df37aa8a77c5d709214548a8754a6.exe
3032	0d3df37aa8a77c5d709214548a8754a6.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\S:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\H:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\M:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\X:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\G:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\Q:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\W:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\Z:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\Y:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\T:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\R:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\N:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\P:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\B:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\J:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\O:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\E:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\K:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\L:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\U:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\V:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\I:	0d3df37aa8a77c5d709214548a8754a6.exe
File opened (read-only)	\??\Q:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	0d3df37aa8a77c5d709214548a8754a6.exe
File opened for modification	C:\AUTORUN.INF	0d3df37aa8a77c5d709214548a8754a6.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	0d3df37aa8a77c5d709214548a8754a6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3052	3032	0d3df37aa8a77c5d709214548a8754a6.exe	28
PID 3032 wrote to memory of 3052	3032	0d3df37aa8a77c5d709214548a8754a6.exe	28
PID 3032 wrote to memory of 3052	3032	0d3df37aa8a77c5d709214548a8754a6.exe	28
PID 3032 wrote to memory of 3052	3032	0d3df37aa8a77c5d709214548a8754a6.exe	28

C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe
"C:\Users\Admin\AppData\Local\Temp\0d3df37aa8a77c5d709214548a8754a6.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini.exe

Filesize
1024KB

MD5
1a94e3f4e3912b90b0cf21f33644cd90

SHA1
0e547cc5f4f581c0ac51d43af6e894f34d8b28d3

SHA256
07eb9714622d432e5f07467a53f5bdf019920e857b2041678f09b1bbadd8083e

SHA512
5d12c37e587a3aa7f8a038509693d187374a9cca1d2c0ea90470af9f25beb7853a73e8914c0f4b73a1ff8600f189d34f65c6deb8b7baa598cb03e2f1e9936361

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
133a377ece34fefd01c1098d6a71a993

SHA1
4b06999b2c7ed7ed4e1d13c1a8ae69ee45da6160

SHA256
0ea4f3d00f8a72ee9ea9a12065106472019af488fa2b888310b1dacb2c291a63

SHA512
1379761005314ceb80ca45e011c2dcbf8d5c9991b7319a1a4ba7733f989bf72f84a41be976b471eb15b43270591f4fd45300ed5814f364e4830e42313210dda2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
75dcb45fe4f4960471acdb2f126d1035

SHA1
87eecacb31d44835e900fd84afceaefd833938e7

SHA256
88ca97294f47feb10df09f88b10bd9c939d892152c7934baaaadc89d3dda6883

SHA512
85602129fd5d93ce5d4541ca23e00f871275039b2dcb68fb00b302a998b160db9cbb1460b3f9abdbad5bfa585dc1f7ff79c025cb571a6381fd8693d8245634d9

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
320KB

MD5
4d79fa18f8209fbb4c777f53e8b82082

SHA1
56745a4963b2f2c2fcdd335bb24b886cedc3d442

SHA256
729311e99cb7bd8db719c1b16baa1f9ef3bc847b1e38d4f7ab8a625a61c75481

SHA512
5addd3fe5cc3514d4a11b611051d6dd2e779bccb1eeab6c870db52da1812bbc406b563aac72250327141945c70640fca532560acd498b7ce99c9554e6c1b64e7

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
256KB

MD5
f23b6ffb3b96e87bcf7771cdc6158437

SHA1
23ee457123136f957e1b1a2b4c2208a421f89277

SHA256
093f9c458e0e460019af4fb26da79c6e2692e80bf120fcfc515a880f4803ee0c

SHA512
2ab66d6489bf2bb4b642afca822055c36976efff04dd29607b0537f5c9d2b49c396d33961d84aa0bb1603a5bb1c5582fabe34fd17388fdb35ac92081f800bb20

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
840KB

MD5
12ffc3068cfe2c03d0ae2bcc32f10d62

SHA1
7569fa4fafa0501e5b362057c6dba436d8ed1a94

SHA256
34c1de54b062e77c547acb5b9f5d3f933c978d79939610b7797e86780dee8b7d

SHA512
d5767b5cea6b0ef37ee90fb971838a6590d07408b1459ab5dfe3798e30ae2d36625f4c12e97757719deefafc87a32143f5dd05c18fb931b9127233148b65ec95

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
608KB

MD5
f05b87ee7dc5b9732e0be6ae53600d52

SHA1
f0ac72d3d3d0f856ffea7dd86e1bc018a429bf11

SHA256
54948932968190d8a74e1042ba7656310b2e3d0f2122bccd98280501d121602b

SHA512
90a2d4ddd91e8ea79f04a447b491d5414edd1b081551a89e9bfc37a2872a540ee4e47e3f1085579593661a0ea0e1458e326c95aba0416b695f348c4283cd61d8

Download Submit
memory/3032-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3052-10-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads