Analysis

  • max time kernel
    147s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 04:20

General

  • Target

    0e435a6b11a79ade89f63a1a4f465176.exe

  • Size

    2.5MB

  • MD5

    0e435a6b11a79ade89f63a1a4f465176

  • SHA1

    1c6b5d46b29f1a663d0ad725be76ad614acc2549

  • SHA256

    b5c4707b95e18a0ed17732091b644fb2cc04b407546dbd8fe1977d88a1502ebb

  • SHA512

    37daad440ea23cea48f286b933b4028a64b8a7fa25201756852fe1bf0272c11d2917f8043f3738dd376c2f569d7a2ef1404b96c29bd139ae1e8a99705582255d

  • SSDEEP

    6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRAExJex5gfzDVtkhKbYM:5MMpXKb0hNGh1kG0HWnALbix5G+8NH

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e435a6b11a79ade89f63a1a4f465176.exe
    "C:\Users\Admin\AppData\Local\Temp\0e435a6b11a79ade89f63a1a4f465176.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini.exe

    Filesize

    2.5MB

    MD5

    432169ef4cc034b958b87099ffe4b311

    SHA1

    561b385f4091b13cc305d593e8734246286be254

    SHA256

    879bc5aa97aa470d39a55f1c2057c36197c9d1a64b17a628137cdf72edafda5a

    SHA512

    0db6ba44346db197db1591c849b8064c12c5ff659de30a76ab241f99ac99ee38b3bb8e4095b1dc63a2a56906e53f67fdd0d4f96dc5d2b8dc4b2916fd1dfbad1d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    4547000770f25a0468f248e3aed39c58

    SHA1

    dc2be9639da171c9b8e41bc382845dad1b32b786

    SHA256

    dc15f74a97fd05b46b4d7e786014c11c4a40edd87c3a1acbfedf5814c1ca8694

    SHA512

    26ef21068057b0f89bdc35288ed14fc8cf231c49ff9a0a980d0c6f8ae004bf9370aa49c17f360690eab59f8e83b719d4c03282286e0d52bb62c39dfb34d42800

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    f6f324a3c0e5b9577e7c4ce70219380e

    SHA1

    c46aea6d93bbdcbb83f5e136898a5ca2cd2b3581

    SHA256

    5e4380ac889175d779b443d683cf55a0ffca531b991d6aefaf9287d7a0379d67

    SHA512

    12904c284fd94811a7606308078ab48b3b3ca5b06d11ea2c868b358d7e0d2cdd59b70663d64d6e8e799ba2a8fa64f0f4f8887b98337928d1de0ba74ddb9b5877

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    2.5MB

    MD5

    0e435a6b11a79ade89f63a1a4f465176

    SHA1

    1c6b5d46b29f1a663d0ad725be76ad614acc2549

    SHA256

    b5c4707b95e18a0ed17732091b644fb2cc04b407546dbd8fe1977d88a1502ebb

    SHA512

    37daad440ea23cea48f286b933b4028a64b8a7fa25201756852fe1bf0272c11d2917f8043f3738dd376c2f569d7a2ef1404b96c29bd139ae1e8a99705582255d

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    2.5MB

    MD5

    0351b0159dda3db5d4998f6ca8c9b210

    SHA1

    29f5223c31dc533820fa139249fb99c0d4b41826

    SHA256

    42ecf8efc5bca0d591c38612a6e11fcf68ab036330d8c8795059959fee76f168

    SHA512

    a9327fa24913afd52ecce1f94c5ebe5d7d7bcfa8e98f6780a17f4f0036c6dc979257e7591c8a40f7f25297ddc31f23fd17377c207d92c679d5945c6e0f53d287

  • memory/2000-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2852-0-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2852-240-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB