Analysis

  • max time kernel
    72s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/01/2024, 19:38

General

  • Target

    4f0a7b8523cea2af5411490ec5a94333.exe

  • Size

    666KB

  • MD5

    4f0a7b8523cea2af5411490ec5a94333

  • SHA1

    291f3a0e32334823c41da2e1013819bd9b133bd4

  • SHA256

    e61e016f08831015aa39a818fc430b786f13f3611d269a8a88165c899730a4f7

  • SHA512

    62488dd26192fcc487785e09f7493b990d54fba6b97aa1b201f3a746dd0b789e16b98d5bbd3f5e96f7b6b2cb0acc6266b29b558e52612bddbaf6e4c6873eb9bd

  • SSDEEP

    12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnAL+:5MMpXS0hN0V0H7MMpXS0hN0V0H+

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f0a7b8523cea2af5411490ec5a94333.exe
    "C:\Users\Admin\AppData\Local\Temp\4f0a7b8523cea2af5411490ec5a94333.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1788

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1268429524-3929314613-1992311491-1000\desktop.ini.exe

          Filesize

          120KB

          MD5

          7d7bcab4c52b3be5ebc36ec15edf67e2

          SHA1

          6296f2005338b45b819e9684ddced8a519c34b14

          SHA256

          be60141cd555935f945f6ad1d52cc1a18a593a9aace4d9e673fc8d5328ae6d9b

          SHA512

          7131ac44103437fbdf8214e6a407b52869e365cf570256e88afdedc8f6e76d93bc8ea04d9e1cfd046e443ae1940187e2710e38835ea808370892b2bb43b3b76a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          2cbfeb8588fbaefa4a6a775bd3c55a82

          SHA1

          59e1c63cbf5991cedf2245ee2299ab6da00a6fa3

          SHA256

          035b4453dabc32f71d17d072c60c6674228743e951a331043b0f352994b43c27

          SHA512

          c24504a7d3facd6af3bde7af61a771d92a1bfc418925d762d521cbfc87b1441ecffc1bbe342ee3589d32e4900c2dc970cd0aecc8020a3a3060d1ff33bf8c1cc5

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          954B

          MD5

          d8a3bc21ad5c8a4a0b48409d38dc287a

          SHA1

          26641bc3cf7e3300fc07f33a6a147316826f7ab0

          SHA256

          6ce25b904980ae0370f2e8f3bd14988018f40cd0c4c6451421578ba37997b6dc

          SHA512

          6f8aa574ca6d4c2e4f9c8f8b4cfe676c5b2a24ab6b9a5dba7874754c982232b16febe568599723e2c1b69126caf03e71e0d0b2a2b7a88fe190da0045d538e280

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          173KB

          MD5

          5aa0bc02d1a8f4997ab590a0b3320563

          SHA1

          5673df495f279b0aadb87f7c3bcc6818c0658781

          SHA256

          4f17efb9b3ef88b1470b52e898fe93ab3462383c6d98a715541960ce18dd9316

          SHA512

          844ebe52c048d846f7e579198293fa7ffb1dd338a8253b2e8bb06f231b1d26c78432c8a8cfbb6266d85cfd1b0bd3222a1c9fdf122d72cce6b0d757767785c617

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          143KB

          MD5

          a987c6c591bfa789987c146958ccd7b1

          SHA1

          ba7e99a5819691fa448ff7a5a26595c3aad2c0d0

          SHA256

          4f7bdf42861ffdd23b8d094c160040e85a34a6ece24b4508ffdb5422bd53936a

          SHA512

          508fa310fe5fe1c3dd351d2ba412e600042cfa9cb789b0efd60d1090e246383dbb3902f53b21347be2485476ff272a1a1e459d668fc7291cc36c8f6cb2d7bc00

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          212KB

          MD5

          7238f6ec30c3e7a8d144a205b083c663

          SHA1

          b8c7a72536c4bc401b37f1a29bc2c57d0e27bf16

          SHA256

          d8143b4c1f0b0192919ba9bd9e087b152a8cef336f6397baa17aaa5b357ecc52

          SHA512

          eabb83ba1aea577f7e5f2dc9a053ff61eda7743949416ed2ddc817641e0719b7a08862d95a24e4b1200dde2f54409cc81fe41aa72d5cc045313e4f13744dfb7f

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          167KB

          MD5

          c4dbd886096e72123aec2f3aeb40fa8e

          SHA1

          1330810707305405b61c0ada9244aded2ba4bb48

          SHA256

          f32440a9e1921e06b94839c8d4baf173bded28fbda2e45427be69b6bd3e00a91

          SHA512

          f1e7e481f676ed8d03b35794c83213c58325deb0f5450be6aa0f1249396cac85c409d4cc01feda13fbcf8d531cc5c86c015cab9bd07f1f02f3ad80b7f37cd342

        • \Windows\SysWOW64\HelpMe.exe

          Filesize

          60KB

          MD5

          9f449d8cda8191bb116b9c2522a378f2

          SHA1

          ad187fe7366fc37a20207a00f83c0360cf518335

          SHA256

          914f57654933701c0b913373e5b8c537da4ced607717de2b7fa0ed4cc23fc605

          SHA512

          59bc16f2cc18f66e594a464cb0daa119a3461a385c45e25ba245113cde659899661e7e2177292baf428db5d11cd761d8b3fa5f71da96c210628c244a5d9689ee

        • \Windows\SysWOW64\HelpMe.exe

          Filesize

          137KB

          MD5

          487122fe7e1fce57e066c292624b498a

          SHA1

          fe90ffa1a139d8e5e850d27c712feed3ae33291d

          SHA256

          566b1a3a7d46ba426f0593e6193954894187ee225eeacdad1b2547f0ec7a077b

          SHA512

          cb341588fbe224d01d86b49c749f4f388b02e2f2e055287b6c5a91865bde3e645143e7ff078e543585fd2ca699efe8081f88d3f5ba976513e0cdbfda62203183

        • memory/1788-10-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2172-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

        • memory/2172-104-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB