Analysis

  • max time kernel
    146s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2023 14:17

General

  • Target

    398646f1bca7b2630599fe83a5e7501b.exe

  • Size

    10.7MB

  • MD5

    398646f1bca7b2630599fe83a5e7501b

  • SHA1

    2de320aad4ac27e790cdc1eceeb5d60f51370b83

  • SHA256

    d9ee97ebfca901fc2296137e2219d4115a9b4a68799cbfcf7a09224b2addf481

  • SHA512

    7bdcb6c4fa70d09905fbf5b6696934f4a5adfc662cf606321d5f5a6fda0ae6383df937657fe7ff40f0eb9d884a79482fee646a168aedb1e8e1cf0f72099ea483

  • SSDEEP

    98304:1i0li07IMzKpXOMGQKIMzKpXOMGQFIMzKpXOMGQJ:40I07I2lyKI2lyFI2lyJ

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\398646f1bca7b2630599fe83a5e7501b.exe
    "C:\Users\Admin\AppData\Local\Temp\398646f1bca7b2630599fe83a5e7501b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini.exe

    Filesize

    10.7MB

    MD5

    515b300e842762dc5cc5cfd7c041c200

    SHA1

    12d24c1e43eb61bd145c5f3dc1d906cd503c72bb

    SHA256

    ff665e8c23d785ce6ab281e9d59fd7154ce0a91ac82d1d1df7cb1e76f5716058

    SHA512

    bfc726ec80438143b2bfddfbd31c94112b0c8a39f9a86242e942e77939a18d9d4910e6a174f54ad7f8e32b941bcc718f5134f8236a888f8b9ae241e36c56883e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    971b1bef53b51490021d5172520d7104

    SHA1

    248c4a68a59664d7fa0df9266a5efc8e3119db4e

    SHA256

    f34823371acf9a833f69a79cfb3f6a79b9c14db5151d3ef80e982d333ad31948

    SHA512

    19638a797dd137155eb3a0224780cf4273544dcd56cee8d24024b2ab87d48fccef9c44dbf1b569f54a15155a5bd715915090a49fa6179182907b1c3a31b11fe4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    3156f7f7ee5fdfc39e93c7ae70ec06e3

    SHA1

    f699f311d204c8c3d1770c78344c77510a7e23bb

    SHA256

    f0fff8a59f9b342614b612b72c2bb6faa3bc8f6b0ea01c29be146ffd49075b94

    SHA512

    0053b35b3aaa9fd42ca64907775204052476bffc39378d79daa0fb3b8768519cbad99156af850557fadbe0b73da310c50796c35cc903c6ee45ecf200e850399a

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    10.7MB

    MD5

    398646f1bca7b2630599fe83a5e7501b

    SHA1

    2de320aad4ac27e790cdc1eceeb5d60f51370b83

    SHA256

    d9ee97ebfca901fc2296137e2219d4115a9b4a68799cbfcf7a09224b2addf481

    SHA512

    7bdcb6c4fa70d09905fbf5b6696934f4a5adfc662cf606321d5f5a6fda0ae6383df937657fe7ff40f0eb9d884a79482fee646a168aedb1e8e1cf0f72099ea483

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    7.8MB

    MD5

    e3e9192e9595b2626808e71d5173e993

    SHA1

    584380d93188c7f0a2482bc10c33b344326f0486

    SHA256

    86c62f85a28e939f6e2645287ed7952249211e798e44398c0bde742d307bda3e

    SHA512

    d03c1b0795d69c26543255ea7f56a9424296b824a53f0a55da35bb96e34cbc69d14386188d7adc918d30edf4a5fd7541a8b9ac1ae37ee841b4afb9681b8cfa63

  • memory/2300-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2300-222-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2416-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB