623c13fd34e0d14b8b53f9559b5fdb84a7b3db3d9ec67f6a01cf2f7a1273462f

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3914543a69e234aab96ba65a24777af1.exe
Size

5.6MB
MD5

3914543a69e234aab96ba65a24777af1
SHA1

3aa51dbc96a8a96e015473f9befb5b7d67c4883d
SHA256

623c13fd34e0d14b8b53f9559b5fdb84a7b3db3d9ec67f6a01cf2f7a1273462f
SHA512

9dd25ba68e008ca4375f8a385954312e463a4031604a299efaae02790ee6c614c4a7409323201f239a29a82acbb906a10974ed8a0c0f6ccab30810102b4ecc7e
SSDEEP

49152:qwi0L0qIwi0L0qM4kfxuSB8NIMoB8NIMI8Sfpwotkzaxc1OGz8N:1i0li0/IMBIMzKpXOMGQN

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3914543a69e234aab96ba65a24777af1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000012284-2.dat	aspack_v212_v242
behavioral1/files/0x0008000000012284-8.dat	aspack_v212_v242
behavioral1/files/0x0008000000012284-7.dat	aspack_v212_v242
behavioral1/files/0x0008000000012284-4.dat	aspack_v212_v242
behavioral1/files/0x0008000000012284-9.dat	aspack_v212_v242
behavioral1/files/0x0007000000016c8c-38.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3914543a69e234aab96ba65a24777af1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3914543a69e234aab96ba65a24777af1.exe

Executes dropped EXE 1 IoCs

pid	Process
1420	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1384	3914543a69e234aab96ba65a24777af1.exe
1384	3914543a69e234aab96ba65a24777af1.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\Z:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\B:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\E:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\I:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\J:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\R:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\N:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\U:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\W:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\K:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\P:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\T:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\X:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\H:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\O:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\S:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\Y:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\G:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\L:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\M:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Q:	3914543a69e234aab96ba65a24777af1.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	3914543a69e234aab96ba65a24777af1.exe
File opened for modification	C:\AUTORUN.INF	3914543a69e234aab96ba65a24777af1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	3914543a69e234aab96ba65a24777af1.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1420	1384	3914543a69e234aab96ba65a24777af1.exe	28
PID 1384 wrote to memory of 1420	1384	3914543a69e234aab96ba65a24777af1.exe	28
PID 1384 wrote to memory of 1420	1384	3914543a69e234aab96ba65a24777af1.exe	28
PID 1384 wrote to memory of 1420	1384	3914543a69e234aab96ba65a24777af1.exe	28

C:\Users\Admin\AppData\Local\Temp\3914543a69e234aab96ba65a24777af1.exe
"C:\Users\Admin\AppData\Local\Temp\3914543a69e234aab96ba65a24777af1.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini.exe

Filesize
62KB

MD5
f6883b1f90e392a8ab9bdb32fc92d2a9

SHA1
9aa0b657aeb433616264364856a39fde9f7a342f

SHA256
92fe99f5f3f5b8a4ce34191e8c14a8876683f981feec0880e760cbe87d10fb56

SHA512
8bfbc84bd888f0429c75e7a5842485ae5a508e0ec9da6847d2610a98a1cf9aee2e6a9e9c2e91fda2b6fcf89f2971f2adfd76d1b56fc2bb5a67dd165f3f019939

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
efae0cdce5030990caaa933105824e8b

SHA1
8033a84554be6b57ebcb81ade7e6f17e779f4107

SHA256
ed08ecf0971136f436bd07e67160287133dc24911d4010e6c8743773233b7469

SHA512
4304a008f6a250441a46e20e6568ae2c36b44d2680ca865ff8ec6d094a108c7dbafa8b75bc14a1aafd4681c8263130557e8f1d48a1b0ed68e05d0ecdb4d96b95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
178aa241da9182218152b38374365828

SHA1
e980d904f18288ebbb9d8b4252d5e5df69c73ece

SHA256
d518b40e8e9205aab7f778271081d71a5ef329c4a1fc59e5c3fec8604e615cff

SHA512
5280738baf9e85608eb166fefc4632154f90497c6828569f290a193d4acf3f3140e0e1919bbe75e33ac2ae190447595b32d45f5c1b8b53ea775545bb4c2bdc4a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
510KB

MD5
c11eb490a9685e9232df5b3e659280f2

SHA1
d70f113011e184eaa047c56a5128f85b50e072f9

SHA256
1b5e5ef7816cd3684bf3dfb6457c6d3c2e92e51b2466a6507ec6b99b833a50b1

SHA512
91966deff0067b1700ea02d299f58b04668cc8ad559a3cca33f0f9f421c2b9eb0b87b649ea2f118ed64c2a5ba286c2d99095fd38cc43e1a82bcc5009d5f51414

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
433KB

MD5
47ae66e30fb7c84259ebe6e6a5ac3527

SHA1
9e3d5df3b685b854d13f1665b84069d9a9acc559

SHA256
3b344060dd627c406726226a3c589040c8ba1bed911d021c9c0406eee9e57f96

SHA512
d140b7c2bce369050aafb11cf61387e4d41cdc380e65f19d3207d4a404906c90fe8c94f8894ad11ecc3513425f60c8cfd116f038331ca29bd0ab29242f8f28da

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
857KB

MD5
350930ae5705dd2371707cbcaacb1fe9

SHA1
dd0dc9faa5466ea8eeb41f3a45e0f1ebc0901e31

SHA256
d80a1a02f675e1cb96e5f345152f14d06d59f7f15696bf55c188df28055f1019

SHA512
a103ced0bb4d5f23bbf7678dcbc664f30d499e7ab222af27bae494ff81f76d0ee37ed09c4eb432074e235733e9dcd14c337375cc265ea2b90f592d9afdb3b92b

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.3MB

MD5
1e7cf58d278cdc76361f580c145ad1e9

SHA1
cf49c19ae0be3b08c791d3911e4eb8d846aee74a

SHA256
ccb2bec0bb9e778e33cc830e9baeb16fba17fa27f1e37e29dcf99e39b9b2d682

SHA512
8dada88a5c7dff3bad28e8d1ee73ec28c6f5174fd670bbc74853c721450293a303336d24e7f5974357e3658a05cdcc29fe4707a3c7ebd6e603e65810e89ac9a5

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
420KB

MD5
dd8fd9f550ae6ad109fc93fb3fbbec44

SHA1
2f8cc964a5188b16c1aee10a72ba7b8c35819301

SHA256
f109c1a613e4f07ce64ea950ca1f0e750225f693148f344d1653b1bf61b0b280

SHA512
459eb8899065b4e59e19aa022d5c486f3e020c8a90a07bb64b4951215f3b177c36a31fc42190f36fbe82bcded089d633825d03a5dbeba4ac8dd6314156dd5051

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
726KB

MD5
486d8f198edf9c81ec62fb01c825fe80

SHA1
0d8a6584ce0da35df5a440b08c6aea940b71aff4

SHA256
f2c5dca9235a779d9996a91440f0b3acfdb5a15878c0ae415838d150df6a3bbf

SHA512
54cacb6664976ad4b12cf238038900e1f50926011e9ecec970da90ccaa215e006472083ca0f25bd1e641bc51f9a06e719363299dc514636f8b967ff305c64d1f

Download Submit
memory/1384-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1384-86-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1420-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads