Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

4f0a7b8523...33.exe

windows7-x64

10

4f0a7b8523...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    09/01/2024, 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f0a7b8523cea2af5411490ec5a94333.exe

  • Size

    666KB

  • MD5

    4f0a7b8523cea2af5411490ec5a94333

  • SHA1

    291f3a0e32334823c41da2e1013819bd9b133bd4

  • SHA256

    e61e016f08831015aa39a818fc430b786f13f3611d269a8a88165c899730a4f7

  • SHA512

    62488dd26192fcc487785e09f7493b990d54fba6b97aa1b201f3a746dd0b789e16b98d5bbd3f5e96f7b6b2cb0acc6266b29b558e52612bddbaf6e4c6873eb9bd

  • SSDEEP

    12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnAL+:5MMpXS0hN0V0H7MMpXS0hN0V0H+

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f0a7b8523cea2af5411490ec5a94333.exe
    "C:\Users\Admin\AppData\Local\Temp\4f0a7b8523cea2af5411490ec5a94333.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1268429524-3929314613-1992311491-1000\desktop.ini.exe
    Filesize

    120KB

    MD5

    7d7bcab4c52b3be5ebc36ec15edf67e2

    SHA1

    6296f2005338b45b819e9684ddced8a519c34b14

    SHA256

    be60141cd555935f945f6ad1d52cc1a18a593a9aace4d9e673fc8d5328ae6d9b

    SHA512

    7131ac44103437fbdf8214e6a407b52869e365cf570256e88afdedc8f6e76d93bc8ea04d9e1cfd046e443ae1940187e2710e38835ea808370892b2bb43b3b76a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    2cbfeb8588fbaefa4a6a775bd3c55a82

    SHA1

    59e1c63cbf5991cedf2245ee2299ab6da00a6fa3

    SHA256

    035b4453dabc32f71d17d072c60c6674228743e951a331043b0f352994b43c27

    SHA512

    c24504a7d3facd6af3bde7af61a771d92a1bfc418925d762d521cbfc87b1441ecffc1bbe342ee3589d32e4900c2dc970cd0aecc8020a3a3060d1ff33bf8c1cc5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    d8a3bc21ad5c8a4a0b48409d38dc287a

    SHA1

    26641bc3cf7e3300fc07f33a6a147316826f7ab0

    SHA256

    6ce25b904980ae0370f2e8f3bd14988018f40cd0c4c6451421578ba37997b6dc

    SHA512

    6f8aa574ca6d4c2e4f9c8f8b4cfe676c5b2a24ab6b9a5dba7874754c982232b16febe568599723e2c1b69126caf03e71e0d0b2a2b7a88fe190da0045d538e280

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    173KB

    MD5

    5aa0bc02d1a8f4997ab590a0b3320563

    SHA1

    5673df495f279b0aadb87f7c3bcc6818c0658781

    SHA256

    4f17efb9b3ef88b1470b52e898fe93ab3462383c6d98a715541960ce18dd9316

    SHA512

    844ebe52c048d846f7e579198293fa7ffb1dd338a8253b2e8bb06f231b1d26c78432c8a8cfbb6266d85cfd1b0bd3222a1c9fdf122d72cce6b0d757767785c617

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    143KB

    MD5

    a987c6c591bfa789987c146958ccd7b1

    SHA1

    ba7e99a5819691fa448ff7a5a26595c3aad2c0d0

    SHA256

    4f7bdf42861ffdd23b8d094c160040e85a34a6ece24b4508ffdb5422bd53936a

    SHA512

    508fa310fe5fe1c3dd351d2ba412e600042cfa9cb789b0efd60d1090e246383dbb3902f53b21347be2485476ff272a1a1e459d668fc7291cc36c8f6cb2d7bc00

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    212KB

    MD5

    7238f6ec30c3e7a8d144a205b083c663

    SHA1

    b8c7a72536c4bc401b37f1a29bc2c57d0e27bf16

    SHA256

    d8143b4c1f0b0192919ba9bd9e087b152a8cef336f6397baa17aaa5b357ecc52

    SHA512

    eabb83ba1aea577f7e5f2dc9a053ff61eda7743949416ed2ddc817641e0719b7a08862d95a24e4b1200dde2f54409cc81fe41aa72d5cc045313e4f13744dfb7f

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    167KB

    MD5

    c4dbd886096e72123aec2f3aeb40fa8e

    SHA1

    1330810707305405b61c0ada9244aded2ba4bb48

    SHA256

    f32440a9e1921e06b94839c8d4baf173bded28fbda2e45427be69b6bd3e00a91

    SHA512

    f1e7e481f676ed8d03b35794c83213c58325deb0f5450be6aa0f1249396cac85c409d4cc01feda13fbcf8d531cc5c86c015cab9bd07f1f02f3ad80b7f37cd342

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    60KB

    MD5

    9f449d8cda8191bb116b9c2522a378f2

    SHA1

    ad187fe7366fc37a20207a00f83c0360cf518335

    SHA256

    914f57654933701c0b913373e5b8c537da4ced607717de2b7fa0ed4cc23fc605

    SHA512

    59bc16f2cc18f66e594a464cb0daa119a3461a385c45e25ba245113cde659899661e7e2177292baf428db5d11cd761d8b3fa5f71da96c210628c244a5d9689ee

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    137KB

    MD5

    487122fe7e1fce57e066c292624b498a

    SHA1

    fe90ffa1a139d8e5e850d27c712feed3ae33291d

    SHA256

    566b1a3a7d46ba426f0593e6193954894187ee225eeacdad1b2547f0ec7a077b

    SHA512

    cb341588fbe224d01d86b49c749f4f388b02e2f2e055287b6c5a91865bde3e645143e7ff078e543585fd2ca699efe8081f88d3f5ba976513e0cdbfda62203183

    Download Submit

  • memory/1788-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2172-104-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download