125a3698b36b7ffc02f95b72fe817f05a821d6d6f14789c65435fedb2b4636c2

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c77098a56ce5752bc7efb26b374cc73.exe
Size

917KB
MD5

0c77098a56ce5752bc7efb26b374cc73
SHA1

43b8fc6d1ed1cf1061090c1fde340adb343ed73e
SHA256

125a3698b36b7ffc02f95b72fe817f05a821d6d6f14789c65435fedb2b4636c2
SHA512

3a0c2ee970246169e17c360400380c3aa20c4ec01839904ed9d680f6c9cec21a1b71ed6fdd985bd5552a9c6e99ef65ff74378dc69e5fe0e264ec0e9ea4b0cfbb
SSDEEP

6144:ZiMmXRH6pXfSb0ceR/VFAHh1kgcs0HWHkyApOhP/SgljwRwdX/1H9fYavJiPZBgL:zMMpXKb0hNGh1kG0HWNAuCsltHlYzXi

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0c77098a56ce5752bc7efb26b374cc73.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000012264-2.dat	aspack_v212_v242
behavioral1/files/0x0007000000012264-4.dat	aspack_v212_v242
behavioral1/files/0x0007000000012264-7.dat	aspack_v212_v242
behavioral1/files/0x0007000000012264-8.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-20.dat	aspack_v212_v242
behavioral1/files/0x0007000000014483-39.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0c77098a56ce5752bc7efb26b374cc73.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
2140	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1456	0c77098a56ce5752bc7efb26b374cc73.exe
1456	0c77098a56ce5752bc7efb26b374cc73.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\U:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\A:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\E:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\S:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\P:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\Q:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\V:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\I:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\O:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\R:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\L:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\M:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\W:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\Y:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\N:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\X:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\Z:	0c77098a56ce5752bc7efb26b374cc73.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\H:	0c77098a56ce5752bc7efb26b374cc73.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	0c77098a56ce5752bc7efb26b374cc73.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	0c77098a56ce5752bc7efb26b374cc73.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0c77098a56ce5752bc7efb26b374cc73.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2140	1456	0c77098a56ce5752bc7efb26b374cc73.exe	28
PID 1456 wrote to memory of 2140	1456	0c77098a56ce5752bc7efb26b374cc73.exe	28
PID 1456 wrote to memory of 2140	1456	0c77098a56ce5752bc7efb26b374cc73.exe	28
PID 1456 wrote to memory of 2140	1456	0c77098a56ce5752bc7efb26b374cc73.exe	28

C:\Users\Admin\AppData\Local\Temp\0c77098a56ce5752bc7efb26b374cc73.exe
"C:\Users\Admin\AppData\Local\Temp\0c77098a56ce5752bc7efb26b374cc73.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini.exe

Filesize
918KB

MD5
9f74029397cd68ab43dd89c4c1ac2d87

SHA1
2c21206f8a712e7138e05169750e70fddbc9b9ff

SHA256
6726cb93cd9f2eaaa46ef137285470a207f20d98dada5d35e1ef3b67b5f185d5

SHA512
e27f5f6abf971bb0dde9afde05a93773186c326da71c6fee92198ad6547e7335978fe7ce6949c0332ccd897702923db5e9d9dceb9cb5bf278cdf80bbc1385d76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6cf58e4068a64566c8aa7da4df7258a5

SHA1
e8dd4f55b7a59ff6a78976d151f94f922afd098c

SHA256
16351fda73e6872a45ac5fe932d6c4548c674a44e160145f8535a942f4ec9d02

SHA512
1969768a4c62c58f2d10b09a0e5d8a39391ab928f573062c75fb636381fe2f53d6f7e4fdea5b2152b0c64f729e8e5aeed4fc25575ab3135499dade9081467e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
18aab85e010f23b06d1d59bb75be6de1

SHA1
d66f3c850a38ffffed41e5436e0efb7bfbc6a9aa

SHA256
e0de6a9c9f47bf35cd11eda83a0d3c321d3ce4c0f1088fe6a6df395864335ece

SHA512
e56e74b015fbf51efe5a66f783efdced8209b4ffcd55d655f3991287f33669e03d335f566b8a93ebe5caa8b7ae52bfb7de02ce5e16796631e1318152d72a9462

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
187KB

MD5
7fa0d3640cfdf8351318e86f77821982

SHA1
995696fbecad3260f653637d1724692b7516a192

SHA256
7845012309f5fcdd74a5b8a04ee798173b64e627a7ecbefe062d720fafe1f1f3

SHA512
6a03845411d2b75b22c0fd62f61f6d7226630a83d3559df4a00df9d0657015d135b6f7c1285f6b568828ed3fc5e549ac17a714d7a4b6f1ae1cb2396593521953

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
99KB

MD5
92927cbe54d4f74e2eb59555bd426277

SHA1
407c9b4eeb967528fa9eb938248510d9c7f8f954

SHA256
16bfd54f0001510d4efe9624714e5626ab10ea238f754bfad88ed9d0ed75a1b9

SHA512
1a4f59bdf617cae63233453128e12070f8365ffc37e431f7c3edc6003a87305f0ddf243a18b2dd02c2ae0f3ea51f6fd6d758ea29645af5f60e2e46dcbccdb8a1

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
917KB

MD5
0c77098a56ce5752bc7efb26b374cc73

SHA1
43b8fc6d1ed1cf1061090c1fde340adb343ed73e

SHA256
125a3698b36b7ffc02f95b72fe817f05a821d6d6f14789c65435fedb2b4636c2

SHA512
3a0c2ee970246169e17c360400380c3aa20c4ec01839904ed9d680f6c9cec21a1b71ed6fdd985bd5552a9c6e99ef65ff74378dc69e5fe0e264ec0e9ea4b0cfbb

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
916KB

MD5
8a051f571d261a91eef2feb019fb9b30

SHA1
e7d3bc9516a7d488b6c06df34f26f38998ee7ae2

SHA256
228c0eef6625664635ab27233eb1f9994ac49b08e7518c138a8e38798c75f844

SHA512
80074efaec18bab1de17deb07943dc16e1d2cf24f2cfb8c275a3022161723446e6da296da8897310cf5049e6773158d98ecb550fb014f0c409dfc22f4905631e

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
107KB

MD5
d8aaa127280b780e17e4c412543d9b98

SHA1
612974daf409fbf3aa7d9b786407c5a4b0059a85

SHA256
2fdaa00a2e88b30564e675faff686ef34699d6733a427d017926b5cb61368216

SHA512
b9fff5780fd3e8becc33410b734e49419d0e7cd30a69ca3794b0064ca4358814d80f36e3acf14806194191352d8e7236d4f54090e50016ed07e05714982b91db

Download Submit
memory/1456-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1456-100-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2140-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads