f431b39b0f9296ce42315649d6bf9a0c180f8f802d0fbba26effb52cb491e1bc

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150fd74be3ab268ea9578e39b962a0df.exe
Size

1.3MB
MD5

150fd74be3ab268ea9578e39b962a0df
SHA1

b045cf497a57c73988a251fea099bd950e18900c
SHA256

f431b39b0f9296ce42315649d6bf9a0c180f8f802d0fbba26effb52cb491e1bc
SHA512

0ca8efc6f9cd929fe6c6905ae94ea69daa04caf8644d9c1418a9ab1fd81d65296bfe14178983385dd2045fc7c3a7c1355dbda29e9eaed32d7157cc9d7b842983
SSDEEP

6144:ZiMmXRH6pXfSb0ceR/VFAHh1kgcs0HWHkyApOhP/SgljwRwdX/1H9kM2AfQ2C4ef:zMMpXKb0hNGh1kG0HWNAuCsltHC

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	ÿØÿà

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000c000000012243-2.dat	aspack_v212_v242
behavioral1/files/0x000d0000000122cc-14.dat	aspack_v212_v242
behavioral1/files/0x0007000000016231-53.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ÿØÿà
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
2000	HelpMe.exe
2044	ÿØÿà

Loads dropped DLL 4 IoCs

pid	Process
1928	150fd74be3ab268ea9578e39b962a0df.exe
1928	150fd74be3ab268ea9578e39b962a0df.exe
1928	150fd74be3ab268ea9578e39b962a0df.exe
1928	150fd74be3ab268ea9578e39b962a0df.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	ÿØÿà
File opened (read-only)	\??\I:	ÿØÿà
File opened (read-only)	\??\N:	ÿØÿà
File opened (read-only)	\??\P:	ÿØÿà
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\X:	ÿØÿà
File opened (read-only)	\??\Y:	ÿØÿà
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\J:	ÿØÿà
File opened (read-only)	\??\M:	ÿØÿà
File opened (read-only)	\??\Q:	ÿØÿà
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\U:	ÿØÿà
File opened (read-only)	\??\W:	ÿØÿà
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\A:	ÿØÿà
File opened (read-only)	\??\O:	ÿØÿà
File opened (read-only)	\??\T:	ÿØÿà
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	ÿØÿà
File opened (read-only)	\??\Z:	ÿØÿà
File opened (read-only)	\??\K:	ÿØÿà
File opened (read-only)	\??\L:	ÿØÿà
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	ÿØÿà
File opened (read-only)	\??\R:	ÿØÿà
File opened (read-only)	\??\S:	ÿØÿà
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	ÿØÿà
File opened (read-only)	\??\V:	ÿØÿà
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	ÿØÿà

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	150fd74be3ab268ea9578e39b962a0df.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	ÿØÿà
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	150fd74be3ab268ea9578e39b962a0df.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	150fd74be3ab268ea9578e39b962a0df.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	150fd74be3ab268ea9578e39b962a0df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	150fd74be3ab268ea9578e39b962a0df.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2000	1928	150fd74be3ab268ea9578e39b962a0df.exe	28
PID 1928 wrote to memory of 2000	1928	150fd74be3ab268ea9578e39b962a0df.exe	28
PID 1928 wrote to memory of 2000	1928	150fd74be3ab268ea9578e39b962a0df.exe	28
PID 1928 wrote to memory of 2000	1928	150fd74be3ab268ea9578e39b962a0df.exe	28
PID 1928 wrote to memory of 2044	1928	150fd74be3ab268ea9578e39b962a0df.exe	29
PID 1928 wrote to memory of 2044	1928	150fd74be3ab268ea9578e39b962a0df.exe	29
PID 1928 wrote to memory of 2044	1928	150fd74be3ab268ea9578e39b962a0df.exe	29
PID 1928 wrote to memory of 2044	1928	150fd74be3ab268ea9578e39b962a0df.exe	29

C:\Users\Admin\AppData\Local\Temp\150fd74be3ab268ea9578e39b962a0df.exe
"C:\Users\Admin\AppData\Local\Temp\150fd74be3ab268ea9578e39b962a0df.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\ÿØÿà
  C:\Users\Admin\AppData\Local\Temp\\ÿØÿà
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini.exe

Filesize
1.3MB

MD5
9a3f30944e77f656ad256706c85a8459

SHA1
92dfd026cf1f411b88fec8d174ad7e19393b8d5c

SHA256
697b22c250b63568874f424aad02ac7c6a1a33063bd5bfeee4803ed09c5500f5

SHA512
e44657969adb00794bd95c4e021dd2a127a9b9f9e73275ef971421fcd997c82cc4923a7e067496b8189c9684ab2f3f18551bb38a261a7e3a012bdd8610622a81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
4a36a855c23c44127197ea9d451538e3

SHA1
6b1a51b7a8e62f27a3852c8c9cf35130d0b523ee

SHA256
b24b89ae8a90053694a98b70914ff2885cc36983a247d40000f326513ea1c832

SHA512
a31bb651a8e96cfa714d960fa82a2f5ae45eed45ab76e5ddfb0a989f27a2eb8cc5d6d298d5054d200125764e919b1f861f20a81d7b5982549329f4fcb4a2c933

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
999B

MD5
707fcb74af04b5e6e8de3a554e2998b5

SHA1
e0f39c51ed405c94fda0e05e5a311912b88d8808

SHA256
bc528b9038a908f07c9031b6da9fbca4e7ad3b693d178002e004646aa9600636

SHA512
c65deb0bc3c27639a568c4501c471abde0851e127bd7e366fdc7868f4cc09947dcb9edc8841caf55bce61ae2e4760a1a661e0aa2aaa3609a8f5b0e7c6eb157fc

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
\Users\Admin\AppData\Local\Temp\ÿØÿà

Filesize
1.3MB

MD5
150fd74be3ab268ea9578e39b962a0df

SHA1
b045cf497a57c73988a251fea099bd950e18900c

SHA256
f431b39b0f9296ce42315649d6bf9a0c180f8f802d0fbba26effb52cb491e1bc

SHA512
0ca8efc6f9cd929fe6c6905ae94ea69daa04caf8644d9c1418a9ab1fd81d65296bfe14178983385dd2045fc7c3a7c1355dbda29e9eaed32d7157cc9d7b842983

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
1.3MB

MD5
c3f86cc58e8c67fc65f18cdbbe294130

SHA1
aa4b0da41b652c0730a38c4dadd5e0fc7cf9705c

SHA256
ffe8102099dd2e2d96c8ae983b660f5a851cb9d1f9edc0993ae31612e7265d60

SHA512
314628b7f405837f958e255d72085de0cc3aa45e30605ef42276ebc39894153ee36bfc02dd854988b1fddb2b6d1db5e1f670f78d63976f78aef27d86106812e1

Download Submit
memory/1928-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2000-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2044-19-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download