Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

3b85f3acf2...04.exe

windows7-x64

10

3b85f3acf2...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01/01/2024, 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b85f3acf2f180907172ef7619b86404.exe

  • Size

    184KB

  • MD5

    3b85f3acf2f180907172ef7619b86404

  • SHA1

    a552fb20c05a44f3e01c32a1b6cee6e987c1634b

  • SHA256

    1c382b2800f2d57ebb19bffae03b8ed679838a22520a212c19f051a84a75e977

  • SHA512

    a7fb01bed6c5fa65868ec1e1ba6d2d5df8e6e71d727947ec45fc97c8d22a8a1aebcfef1cef15f03f5851b1b0be62da700a90645736602d5adf778628aa081906

  • SSDEEP

    3072:rimsXXK9HRTOeriRfP6pXfSb0dspqc5oY0htVFAHT11Ual21Cxcs0HKAH057kyJu:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HWU

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\SysWOW64\HelpMe.exe
    C:\Windows\system32\HelpMe.exe
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    PID:2096
  • C:\Users\Admin\AppData\Local\Temp\3b85f3acf2f180907172ef7619b86404.exe
    "C:\Users\Admin\AppData\Local\Temp\3b85f3acf2f180907172ef7619b86404.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2380

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    a6d60358a33b03bf63e63fcc044cafd0

    SHA1

    79ee0807aba650836bd10f947a98778f3f67c62e

    SHA256

    a2a556c173fa2287c042fb1f96f2920d81ec2b00a20c9565c08bc8bb09512dd5

    SHA512

    60f870160ac95a02b72868f47948553011282cc4b2f8ade20ce77128689f47fda39781d771c6e6465b188eb1b5eb3543492da409cde84c438e46c7a9be07d357

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    803d329b7ff712e1c8812d83c6be79a4

    SHA1

    982f77757fbd7a86022d1596c3b1861365dcc56c

    SHA256

    d32296d8a020bc087e3e0157d75d8ea1bc714586d7637eb879652e00dac8e648

    SHA512

    17f39d6e0d301a143c0c0a39d4c9c66897c9024d5ad3aec38366bdf7a34ab07dd0a8654217a97de31376e33b2ae9ffe81a0942acdeb66394a5eaa5a7c57365c1

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    92KB

    MD5

    41f79d528c3ea94b7737c3ff9aa65c1b

    SHA1

    95987557e17366415d842f26d4d503782eb2edd7

    SHA256

    7c26813d4344d1b015ecd08755b4651607a13ade0936b45826e77bd2e876be71

    SHA512

    ff9d80fd3e9b5e287787eefc3092760101bb7c44edba895731916754114ad188b1dca3e6acfe9620ed49dc8e8af81daf56236d8bd2ecebd75adacfb6aa41e82f

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    183KB

    MD5

    6a01f4cb70f7bf7af36dc6c1d6fc18a7

    SHA1

    bacffe880cfc15d39109f796391e262a680b3f1a

    SHA256

    9d1d5b811c4d5e45fc436f3e9d32774b6adbc2723a6393baa3cd84f1b24cf426

    SHA512

    74fa550ee17a5f26a6b52602c3059a9d131f1bd99fb00e160d6e1793d597b077e6acfb5580cb81e187675a24f66def1fd0b5c04bd4db74902c4b2235d616fdd9

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    108KB

    MD5

    6eb8a18a2a15d3c80458b234326cee89

    SHA1

    1d010819d6bcf289331f97145d213519422f1745

    SHA256

    ca419a5a94384d9fb22ab26b367a1b673e2614ad2f65c214ffdae053bc93df91

    SHA512

    9e276bb1e439c5ede45b8e1ac0b78bae1f1c7176559c6aa70e0b9c730aacdab04b563fd7b84a47facadd4fa4ed1976bcbff99e66e31d9a99efbf95d7869ec130

    Download Submit

  • memory/2096-339-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-303-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-364-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-254-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-358-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-267-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-352-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-344-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-241-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-279-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2096-229-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-327-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-291-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2096-315-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-228-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-338-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-314-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-290-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-326-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-278-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-302-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-343-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-242-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2380-351-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-266-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-357-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-253-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-363-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2380-240-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download