Analysis
-
max time kernel
6s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
30-12-2023 13:41
Behavioral task
behavioral1
Sample
1a5895dd6b1e8878086b3329020ff67a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1a5895dd6b1e8878086b3329020ff67a.exe
Resource
win10v2004-20231215-en
General
-
Target
1a5895dd6b1e8878086b3329020ff67a.exe
-
Size
290KB
-
MD5
1a5895dd6b1e8878086b3329020ff67a
-
SHA1
4bbf9fb0b24eb120f0f1ee4d3440fc43ac381416
-
SHA256
0cc1d0306f59a4e5d555928c128df6bb95e1916c3ebf535f3b4aa8b4b91b0453
-
SHA512
c4acb4ce07b90c43813258986a34dd463ef11330fd06b66a7c275d9e6fe1219a3e77874968a06b809cae1f2df449095e9fb787c29d3a2d1ed811a255c3194166
-
SSDEEP
6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRs:5MMpXKb0hNGh1kG0HWnALbs
Malware Config
Signatures
-
Modifies WinLogon for persistence  2 TTPs  2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | L
-
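Added example, not part of the sandbox report: a check that decides whether a Winlogon Shell value launches anything besides the default shell, which is exactly what the value "Explorer.exe HelpMe.exe" recorded above does. Winlogon starts every program listed in Shell at interactive logon, so any extra entry is logon persistence. The sample values in the block are constructed; only the first one is taken from this report. The registry path and view flags are the real Windows ones, and the Wow6432Node copy is read alongside the native key because a 32-bit process under WOW64 writes there, as this sample did.

```python
"""
Added example (not from the report): flag Winlogon Shell values that run
more than the default explorer.exe.
"""
from __future__ import annotations

import shlex
import sys

DEFAULT_SHELL = "explorer.exe"


def shell_entries(value: str) -> list[str]:
    """Split a Shell value into its program entries.

    Winlogon documents Shell as a comma-separated list; this sample, like
    many others, separates entries with a plain space instead.  Commas are
    split first, then each piece is tokenised with Windows-style quoting so
    a quoted path containing spaces stays one entry.
    """
    entries: list[str] = []
    for piece in value.split(","):
        piece = piece.strip()
        try:
            tokens = shlex.split(piece, posix=False)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            tokens = piece.split()
        entries.extend(t.strip('"') for t in tokens)
    return entries


def extra_shell_programs(value: str) -> list[str]:
    """Return every entry that is not explorer.exe.

    Comparison is case-insensitive and ignores any directory prefix, so
    C:\\Windows\\explorer.exe still counts as the default shell.
    """
    extras = []
    for entry in shell_entries(value):
        basename = entry.rsplit("\\", 1)[-1].lower()
        if basename != DEFAULT_SHELL:
            extras.append(entry)
    return extras


def read_live_shell_values() -> dict[str, str]:
    """Read Shell from both registry views of a 64-bit Windows host.

    A 32-bit process under WOW64 lands in the Wow6432Node copy, which is
    where this sample wrote; a check that reads only the native key misses
    it.  Returns {} on non-Windows hosts or when neither key has a Shell value.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module

    subkey = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    views = {"native": winreg.KEY_WOW64_64KEY, "wow6432": winreg.KEY_WOW64_32KEY}
    found: dict[str, str] = {}
    for label, flag in views.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                                winreg.KEY_READ | flag) as key:
                found[label] = winreg.QueryValueEx(key, "Shell")[0]
        except OSError:
            pass
    return found


if __name__ == "__main__":
    # Constructed values; the first is the one this report recorded.
    for sample in ("Explorer.exe HelpMe.exe", "explorer.exe",
                   r'C:\Windows\explorer.exe, "C:\Program Files\Tool\svc.exe"'):
        print(f"{sample!r}: extra = {extra_shell_programs(sample)}")
    for view, value in read_live_shell_values().items():
        print(f"live {view}: {value!r} -> extra = {extra_shell_programs(value)}")
```

Running it on a live host prints both views; an empty `extra` list for both is the clean state. Treat any other basename as a finding even when it is a legitimate-looking name, since this family drops its copy as HelpMe.exe into SysWOW64 rather than somewhere obviously suspicious.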
Yara rule matches  2 IoCs
resource | yara_rule
behavioral1/files/0x000b0000000126ab-2.dat | aspack_v212_v242
behavioral1/files/0x000b0000000126ab-7.dat | aspack_v212_v242
-
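Added example, not from the report and not the sandbox's `aspack_v212_v242` rule: a first-pass triage check for the ASPack packer that the rule above flagged on the two dropped files. It is a section-name heuristic: ASPack by default appends sections named `.aspack` and `.adata` to the image it packs. A repacked or renamed binary defeats it, so use it to decide which dropped files deserve the real YARA scan, not as a verdict. The `build_minimal_pe` helper constructs a throwaway PE header so the parser can run offline; it is not a loadable image.

```python
"""
Added example (not from the report): walk a PE section table and flag the
section names ASPack leaves behind.
"""
from __future__ import annotations

import struct

ASPACK_SECTIONS = {b".aspack", b".adata"}
SECTION_HEADER_SIZE = 40


def section_names(data: bytes) -> list[bytes]:
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    names = []
    for i in range(n_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated table: report what is there
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_aspack_packed(data: bytes) -> bool:
    """Heuristic: any ASPack-named section is present."""
    return bool(ASPACK_SECTIONS & set(section_names(data)))


def build_minimal_pe(names: list[bytes]) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header with an
    empty optional header, and one zeroed section header per name."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    # Machine=i386, NumberOfSections, three zero fields, SizeOfOptionalHeader=0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    table = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, section_names(blob), "ASPack?" , looks_aspack_packed(blob))
```

Pass the dropped files (the two `.dat` resources above, once exported) on the command line; a hit here is a cheap reason to unpack before any static string or import triage, since the packed image's own imports and strings say little.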
Drops startup file  2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | L
-
Executes dropped EXE  2 IoCs
pid | Process
2544 | HelpMe.exe
868 | L
-
Loads dropped DLL  5 IoCs
pid | Process
2216 | 1a5895dd6b1e8878086b3329020ff67a.exe
2216 | 1a5895dd6b1e8878086b3329020ff67a.exe
2216 | 1a5895dd6b1e8878086b3329020ff67a.exe
2216 | 1a5895dd6b1e8878086b3329020ff67a.exe
2544 | HelpMe.exe
-
Enumerates connected drives  3 TTPs  46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive roots: every letter except C:, D: and F:) | L
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (the same 23 drive roots) | HelpMe.exe
-
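Added example, not from the report: detection logic for the behaviour behind the 46 drive-root opens above, which a single process performing in a burst is a strong indicator of a drive-walking worm, while a user browsing two drives minutes apart is not. The log is a constructed, simplified Procmon-style CSV (columns `ts_ms, process, pid, operation, path, result`); a real Procmon export carries more columns and wall-clock timestamps, so the parser's column names are an assumption to adapt. Paths are accepted both in the NT form the sandbox logs (`\??\X:`) and the Win32 form (`X:\`).

```python
"""
Added example (not from the report): flag processes that open many distinct
drive roots inside a short time window.
"""
from __future__ import annotations

import csv
import io
import re
from collections import defaultdict

# A bare drive root: NT-style "\??\X:" as the sandbox logs it, or Win32 "X:\".
DRIVE_ROOT = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):\\?$")


def _build_sample_log() -> str:
    """Constructed data: PID 868 ("L") probes every letter except C:, D: and
    F: within about 110 ms, while explorer.exe touches C: and D: 7.6 s apart."""
    rows = ["ts_ms,process,pid,operation,path,result"]
    for i, letter in enumerate("ABEGHIJKLMNOPQRSTUVWXYZ"):
        rows.append(f"{1000 + 5 * i},L,868,CreateFile,\\??\\{letter}:,NAME NOT FOUND")
    rows += [
        "1400,explorer.exe,1234,CreateFile,C:\\,SUCCESS",
        "9000,explorer.exe,1234,CreateFile,D:\\,SUCCESS",
        "9100,L,868,WriteFile,F:\\AUTORUN.INF,SUCCESS",
    ]
    return "\n".join(rows) + "\n"


SAMPLE_LOG = _build_sample_log()


def drive_root_opens(log_text: str) -> dict[tuple[int, str], list[tuple[int, str]]]:
    """Collect (ts_ms, letter) for every CreateFile on a bare drive root,
    keyed by (pid, process name)."""
    opens: dict[tuple[int, str], list[tuple[int, str]]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["operation"] != "CreateFile":
            continue
        m = DRIVE_ROOT.match(row["path"])
        if m:
            key = (int(row["pid"]), row["process"])
            opens[key].append((int(row["ts_ms"]), m.group(1).upper()))
    return opens


def enumerators(log_text: str, min_letters: int = 8,
                window_ms: int = 2000) -> dict[tuple[int, str], str]:
    """Return {(pid, process): "letters"} for every process that opened at
    least min_letters distinct drive roots inside some window_ms-wide span.
    Each event is tried as the start of a window, so a burst anywhere in a
    long trace is caught; a few roots spread over minutes are not."""
    flagged: dict[tuple[int, str], str] = {}
    for key, events in drive_root_opens(log_text).items():
        events.sort()
        for start in range(len(events)):
            t0 = events[start][0]
            seen = {letter for ts, letter in events[start:] if ts - t0 <= window_ms}
            if len(seen) >= min_letters:
                flagged[key] = "".join(sorted(seen))
                break
    return flagged


if __name__ == "__main__":
    for (pid, name), letters in enumerators(SAMPLE_LOG).items():
        print(f"{name} (PID {pid}) opened {len(letters)} drive roots: {letters}")
```

The threshold of 8 distinct letters in 2 s is an assumption tuned for this sample's full A-Z sweep; a backup agent or an AV scanner will also touch many roots, so whitelist by signed image path rather than lowering the bar.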
Drops autorun.inf file  1 TTP  3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
File opened for modification | C:\AUTORUN.INF | HelpMe.exe
File opened for modification | F:\AUTORUN.INF | L
-
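Added example, not from the report: a parser that reports which keys in an AUTORUN.INF would make Windows launch a program when the volume is inserted or opened in Explorer. The report only shows that C:\AUTORUN.INF and F:\AUTORUN.INF were opened for modification, not their contents, so the sample below is constructed in the style of classic autorun worms and is an assumption about this family's behaviour, not a capture. The parser is deliberately tolerant, since real droppers pad the file with junk lines and mixed casing that would make a strict INI parser bail out.

```python
"""
Added example (not from the report): list the launch vectors in an
autorun.inf and spot the drive-icon masquerade.
"""
from __future__ import annotations

# Keys whose value is a program to run directly.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample in the style of autorun worms; not recovered from this sample.
SAMPLE_AUTORUN = """\
[autorun]
open=HelpMe.exe
shellexecute=HelpMe.exe
shell\\open\\Command=HelpMe.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Tolerant INI parse: skip anything that is not '[section]' or
    'key=value', lowercase section and key names, keep values verbatim."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_entries(text: str) -> list[tuple[str, str]]:
    """Return (key, program) pairs that cause code execution from the volume.

    Covers open=, shellexecute= and every shell\\<verb>\\command= entry.
    The bare shell= key only selects the default verb, so it is reported
    through the command entry it points at rather than on its own.
    """
    autorun = parse_autorun(text).get("autorun", {})
    found = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS:
            found.append((key, value))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            found.append((key, value))
    return found


def masquerades_as_drive(text: str) -> bool:
    """True when icon= borrows a shell32.dll stock icon, the usual trick to
    make the injected Autoplay/context entry look like the normal drive or
    folder entry in Explorer."""
    icon = parse_autorun(text).get("autorun", {}).get("icon", "").lower()
    return "shell32.dll" in icon


if __name__ == "__main__":
    for key, program in launch_entries(SAMPLE_AUTORUN):
        print(f"launch vector: {key} -> {program}")
    print("drive-icon masquerade:", masquerades_as_drive(SAMPLE_AUTORUN))
```

On a host, point `launch_entries` at the root of every mounted volume; a relative program name such as HelpMe.exe means the payload sits next to the INF on the same volume, which is what to collect before the drive is cleaned.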
Drops file in System32 directory  5 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\notepad.exe.exe | 1a5895dd6b1e8878086b3329020ff67a.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | 1a5895dd6b1e8878086b3329020ff67a.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | L
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | 1a5895dd6b1e8878086b3329020ff67a.exe
-
Drops file in Program Files directory  1 IoC
description | ioc | Process
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | 1a5895dd6b1e8878086b3329020ff67a.exe
-
Enumerates physical storage devices  1 TTP
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses  1 IoC
pid | Process
2216 | 1a5895dd6b1e8878086b3329020ff67a.exe
-
Suspicious use of WriteProcessMemory  8 IoCs
description | pid | Process | procid_target
PID 2216 wrote to memory of 2544 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 17
PID 2216 wrote to memory of 2544 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 17
PID 2216 wrote to memory of 2544 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 17
PID 2216 wrote to memory of 2544 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 17
PID 2216 wrote to memory of 868 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 16
PID 2216 wrote to memory of 868 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 16
PID 2216 wrote to memory of 868 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 16
PID 2216 wrote to memory of 868 | 2216 | 1a5895dd6b1e8878086b3329020ff67a.exe | 16
Processes
-
C:\Users\Admin\AppData\Local\Temp\L
command line: C:\Users\Admin\AppData\Local\Temp\\L
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:868
-
C:\Windows\SysWOW64\HelpMe.exe
command line: C:\Windows\system32\HelpMe.exe (the 32-bit process names system32; WOW64 file-system redirection resolves that to SysWOW64, which is where the file was actually dropped)
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2544
-
C:\Users\Admin\AppData\Local\Temp\1a5895dd6b1e8878086b3329020ff67a.exe
command line: "C:\Users\Admin\AppData\Local\Temp\1a5895dd6b1e8878086b3329020ff67a.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
92KB
MD5
b9e75584fbdfbce3e0814797a1219622
SHA1
a86f90440678e7c7b3728b21182b2b3b8fc170a9
SHA256
75e49936ba26131d7995b3fa38049882abd74db2fd4326af79fad341512866ab
SHA512
64d2d08ebdd00fed8de92e6e7ae4c83c6af809459d81eedc42945691b68ee832f37aa7bf0c3faa1e0b01fe6399b0b016edf2905ef0bfdad10e1166f11e34cfdb