0a5e820027608f1aa3a807cd0ffa3d9d8c20ee0caebded53cfe95137fa9164b0

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cc956e3f4befedd16d3f49ae9a269ed.exe
Size

1.1MB
MD5

0cc956e3f4befedd16d3f49ae9a269ed
SHA1

a69268d42b52acee28051af2dc97397a1e42a980
SHA256

0a5e820027608f1aa3a807cd0ffa3d9d8c20ee0caebded53cfe95137fa9164b0
SHA512

21103d13232091f3a86984b32712e60b603aa63c9a2ac72bae6813f1be2ae1e2d7bdbfe6e83548ddff7941753f6281cb91a5410270834cb1f9e1c4b73bcee6e2
SSDEEP

12288:zMMpXKb0hNGh1kG0HWNAuCsltHlYzU+Wg7:zMMpXS0hN0V0HDIHyow

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0cc956e3f4befedd16d3f49ae9a269ed.exe

Renames multiple (226) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000800000001e712-3.dat	aspack_v212_v242
behavioral2/files/0x000800000001e712-4.dat	aspack_v212_v242
behavioral2/files/0x000600000002321a-37.dat	aspack_v212_v242
behavioral2/files/0x000100000000002c-19.dat	aspack_v212_v242
behavioral2/files/0x000100000000002a-109.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0cc956e3f4befedd16d3f49ae9a269ed.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
4952	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\E:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\O:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\X:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\Q:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\W:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\K:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\I:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\N:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\L:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\S:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\V:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\Z:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\Y:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\H:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\J:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\T:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\U:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\P:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\R:	0cc956e3f4befedd16d3f49ae9a269ed.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\M:	0cc956e3f4befedd16d3f49ae9a269ed.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	0cc956e3f4befedd16d3f49ae9a269ed.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0cc956e3f4befedd16d3f49ae9a269ed.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\descript.ion.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_rtl.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\readme.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 4952	644	0cc956e3f4befedd16d3f49ae9a269ed.exe	88
PID 644 wrote to memory of 4952	644	0cc956e3f4befedd16d3f49ae9a269ed.exe	88
PID 644 wrote to memory of 4952	644	0cc956e3f4befedd16d3f49ae9a269ed.exe	88

C:\Users\Admin\AppData\Local\Temp\0cc956e3f4befedd16d3f49ae9a269ed.exe
"C:\Users\Admin\AppData\Local\Temp\0cc956e3f4befedd16d3f49ae9a269ed.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini.exe

Filesize
770KB

MD5
34258749794061a037fe5bddf72df3ee

SHA1
cc274c4436a2753638a087e6759c5d3717b5eedb

SHA256
530225996fe85f722ab5e6bd2e2d87d9084f9159f05984b341eb304fdfff48d5

SHA512
493bbc638c9c91a452d43a8d4ca8288fcfa4e25d01f7314a235518acd4729bd0e09ec1911ddc4bfc710eb03abb8a58a994ff7677b8a1c6d773b004726d8374b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
8e80d50a207fb45b4f378f5d2babf3e0

SHA1
bd62351a772504affa5eaf2aa7e2f4d3227430da

SHA256
39e399f90f0f1dddcb6a479ed6397393fec557760d905da9a2acae96b7de5f20

SHA512
df233940f26d586c8e3fff951fc93d67f1103ca7af47bce347759d9c499ee95e9029b12983ca0b586dd7d6bbbbbd3f7c79a33c6dc8045e97dc94c8b3e3bfc337

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cfdccde7aff694c0421a75bdead54421

SHA1
c1c03262cbb7b6e96d28c336acb6386a9d972c25

SHA256
b21e437dbadb641726b70a185951f0dd2652e79291cebec5038bc4f1d35061c0

SHA512
2adb11953a09836b624096fea80120d8c4bc4819aa0e87a571620acf5ee861384b3fc46b59f70e7e066456f7b4016d4357229374f8983a060aa8b32e7c11ffcb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
728044b0bb098067561a1553d045a90f

SHA1
b9dee59ad43b60fa8ee2feb87e96862ab3a21f83

SHA256
37dbba886937209be64b388f91e2633458be069e39a4caa3af2bb1c73752e898

SHA512
5b0e31aa07fb3e711b8d48b228b43ccf60ecf0f7e273183e607cb78a2bcec3a55a67de1e7ea4b68d3a841854ad944abd1d76dfa570fac024af4fc0a7e05210e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
617c6364c382aa91194990d29fdebcd6

SHA1
9870f208fd1e4728c59d6b6c828dddb176e4853b

SHA256
b865cf5e177a3c1c3fa153d50805e30c0ef515cad4b9cd65e4cee160a9e96406

SHA512
b6999e5eacb87d1bde936183814d31c11afe0b9144576296f0adc3d594c700369f3fe988f78325ee4b2ff0a5e94b56f5e6d82652d2ffbe810598d7d48b542011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5db239f3dff74c630004ed58c6698ddd

SHA1
c15ea9d9694d4a75f818b06e00e7e81204a22190

SHA256
7ede0d181f5ff3cdabb7f3a1639c40a7c41aa965e345a495a7e4d07ec6152154

SHA512
7d82e8e09280513d680e50ababedd56bd7886a73fa5fe811f105e980c20ac0c7514a4769f30c6498eb13e168afcada17b7b565a7a908780bfc30303c4b7fa65d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
70d9e28f5518ff724ae7e24ae3a78b68

SHA1
e28d11bf89154beec939ff134f0e9644390c4cf9

SHA256
12f3ef6d913b83b151a53c859b92b29f6afeed1dc3703d0f67295b9b99157caa

SHA512
c2f2abc41209ee50926a96717fffbacd741d6c943ab291486f8496e85281865267589bda275530674b3cbd07eab20b8e619e56a326d9efbc13fc30d0164aac3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1b05798f114abf5ec605b77bcc0232b6

SHA1
91b31ec784b16116f5714ba1a5a8ba62a5639250

SHA256
6ff320c38615dfebd40fb6670bf6d7e329f8e95f38a82ba1bc8b5217a739d9e1

SHA512
d96e701072412d183fec6e7f6cd42817e30a9f29fdb823efdc7f5d8a9cb2cba0528b9002e9810e7bed32123991da1b609483efd4e6ce5dbd928042f7baa50605

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
be55d7ebc7012edae8abb4fefa9645a4

SHA1
e9ca2a4764431af517ba79d9ed730ff7a5ecd13b

SHA256
b7609ab383f3089f2af4b1197fc275bb1b3d056c284b069a333207a811c4e976

SHA512
a5a49605b24aaabbc0e27548f260593e49823f6fc2c020b967376eeab42a34a53d7133f4b4f766b68840407d6d422a0706111aade8a58bfc1b03e28d9589208d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
0af7071c38472ecedadccb6e309e8b5c

SHA1
fc2d4d397a3e7652d2279d413995a81d2fadd937

SHA256
03d7b11a718df2bc2ff67e1b396bf53c5707c95fb81f32abc4a06dfb1e4cdcfd

SHA512
8a291ff67e82099e3a145465728fc8223e85132b0d19a540d1baa0783f8db6ed1178234322172b046010e137f8c7ac2d19a2024c2014ef1ab80a6530f7038563

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d1edeb6ce755d4a4daa78e83d899141e

SHA1
2bdc04a0db6df3f2bee9007e8c485af82ac292a5

SHA256
97bef73456e82984627b62bbc6c287dd9d88f124f8163c12f298c6f73d385c5e

SHA512
2b1aaac9f6e255b191dc7d5c648fc0f9169ae880982114d7b20aaf8bca09dab91fb3d058880791777bcf39a08199e9de215af835b185283464a1ca68f3273ba2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
08f65aa7262d3723981b338288d4b420

SHA1
5a9da2390265039d470cce6bd0f1e73ddc4526d6

SHA256
11ac893e0a08d6666b5182049bee44dbee98e12c28a4204b4ebad45c88670c61

SHA512
5308f0ff04a5531b1a43b8bc7f6cce23d31152c5cbcc2c8ec25d4cfb3d88e64b4367839406f1641b687799646c2ac0c64ac9af734dae89f4311939906df35c1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d52b4a0bdfba0f05ef61b7046e822754

SHA1
8e3cb04e7fd92f12b2d43f10e16f3fea4606f64f

SHA256
866a7736f3a1ea98c2cc5b4a210f7510fb5491b38aea898ac6aabb4d3bdc9f88

SHA512
a4f02f58ceaa48bfaab6d51870a7514101e0a2ac68980f5cc6fa902d9967f55de5430d86309c4a790a6d02936e5f4f7bf54abf4b9e3be4b7c8b3e30207c5e724

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5e043ce942bc9c4ac0f63f275dade42c

SHA1
209ecc07b60a8acfd6553f90aafb2dd7fb1d92c4

SHA256
d9c728be7fabf5e29f7d66d4941819a30ad0e648121590445c5b70d062c57b0e

SHA512
ecc20a64f3c111d9fa2b3c76c5ce9bdff25f50b0df6e042821fbc18ea7db8e121c2cc58d737a0005a6c16c825f73a9b9da816044f1bf8cf9d285eea5bda6b57a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
a9df534c6b41fb50c0b6bd5c8b25018f

SHA1
0c9850ab3dc92c72a1770833977a23f20058fe4d

SHA256
17a26aa376ffebff16cd635aaf292897a58f7fb7de9ae51b390e6997ee3fd84a

SHA512
d5993da9e6eec6483364f1ccddfe0ce0b686b4bd14cbdc9939fef28044cabbd158aaa1a79c3a56bf186f522d039f960beafd2ddd627ad792624b8e84b38e1eb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d6bf3d54e9243a0f2868e267f7d6a80c

SHA1
78d095999439e3524b4830eff8556519ce96f5c1

SHA256
dbe21285269597d2f829b65445e389d7ba9855a13b95299b7970d0aa75d6a794

SHA512
fd1df12c1a1df142449733d168c907585d7c1ab163939f23295cf066e72e2f8776821b4b366d35f061eb81c420983c9a71b930ef8672607ba747913aa9a3bfa7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5d30a8b543a4572e61e8a4f9ac336aa4

SHA1
09f0f2892349806f0efe67c3c9add185084c2f0a

SHA256
c47461a130cb2a4cff8c324f88a0003b79ac441263f81f88396e287f6c12ac67

SHA512
acb31d4f25c54efedf68573c2de56ed0e1f00c7b1be2a289174fd1e64f0b585a9f9227af8a1e06931ba2eeeac8fa1f8dbe5af05dd6fe72ebce5a5460d15c727b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
fe703fa0e695d948d5f1ff2a00f9b302

SHA1
8bfc4646ffc6dcb970d19cdbcb24d74c4259470b

SHA256
73567d53ec9fceb0bacc6ba55979fbd90e18437c8dbd651b2625b480145d85b9

SHA512
a03123794269a020a4980c394f9b1df9ec6701109411863191158374aa6e5bef7acb83bc5351b672c483ec69435fba93efce66e9f3d03ecb9e78330a46df531d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
3bf5c76adde717604bbf70f790d59ea8

SHA1
ac379636c18669e65158375868390e5c90b0e96e

SHA256
e33e090d75e0ce8f84fc33b8040de35d9fca05b7ee17cc8dad9615a1f497edd4

SHA512
7baf2d97c1b94b0bd5fdc34586cb6fbe1e4f560279b62e4f869f7c33d9370813101b0ad2cd8eb328452c5e04832d1231d3854ff3de020180e5f762e56259a76c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a710df5afad4608ed3fd766c7a5fab0a

SHA1
6ed966b5fec950b147baae50a5751ef483ba1cc0

SHA256
34b27291630b595654cce08c768be19af01c29e80fa1854ec587573475994677

SHA512
883b3b13ffe2c0f4e0104246cf9559fe2aee799951e04c291c290a6dba7e84041da80103e92255491b278e4ab65fa86e4a18f6bc418b0159e56f3ed29c6dce1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
4371da85741376b19a4f7a2684ef56dc

SHA1
dd9d6385a4151bc2c8da033b4e711fabf804609f

SHA256
732bf6dbbf67f1a58ec67cb244a7c1258e398801c8cdb52cd48f55d08825d613

SHA512
6e0823e777d6385d5fca986c669c2e15be8d8ab742b7740c8fd12f1876a53629e947e08258787f6d39f3078a547e4344adea55ced2cfa780dfe88fb9eeec4955

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
672KB

MD5
767c88c3eebe09a37aa73016bc91a4d2

SHA1
e448c6dfc29ea3012ec308489eb8805e7d1e3d0d

SHA256
ccbb84aad9474e2e56fcfb6efd6d5aca52809497161cba132be0b8850f9614b8

SHA512
fc95054c2ed9525d474c44cad41ddb713ffe278bbdb0161294606187e27fcd33183f8a74ba3f6641e64d1dfa2696b379d883bdbaf2ea3ee1d43126a009bffb40

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
729KB

MD5
a8a8bd076ff64258b0db730decf59d72

SHA1
d70b600a65168b8a332fbac3816944864655e040

SHA256
65438a3a540ce58a9123e5b1c8262bfa1d7c2b23349420d783f0b05be19c51db

SHA512
fcbdb3a9ca5f02d0a95d1cf869eba73484c850e50c16d489bd6d96ea9a79ef84a3fedb0d1f0bd9f9dc9c8ffedafa363b108f281bce68f45443d633c9aa32abfe

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-996941297-2279405024-2328152752-1000\desktop.ini.exe

Filesize
1.1MB

MD5
4699bb67040e318a8ebf3140679a4c68

SHA1
d7bd21d8914cd8b8b0601151b572085b51475349

SHA256
2ffc53867e6595f1448cca4bc06cf23d9cb8ea37e6a9de3e8e6202af6fc77bb3

SHA512
dc4b42ceb2e415f9649041ee5df81a90a2aeef4b48f074730550f43a508500acac24a76905dd9b7dc557f6c6d9fea647b2bd810250f1331b6c1d78731f3816c7

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.1MB

MD5
7930f19c44280f3b5228bff5bb968ce5

SHA1
a4e04359fb5c6e5f59f6881109f58ea6c32ed5d4

SHA256
4cd5b7e79c9958a711b425aeb9e37886c7c9f56bb5e4b708d3b480cd071f39be

SHA512
2347f8539d59119cd80eae40993110c56d54cd51612dec3918bd587720fbf1e8a22903db7afe0711fe4dfa3db7f697277c846c778bccf3a4f841a46e4d612656

Download Submit
memory/644-0-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/644-79-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4952-5-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/4952-82-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads