Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

36ee0e6caf...ba.exe

windows7-x64

10

36ee0e6caf...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    10/01/2024, 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36ee0e6caffac0e32220a3f949a8caba.exe

  • Size

    921KB

  • MD5

    36ee0e6caffac0e32220a3f949a8caba

  • SHA1

    5947cd25fe9fad2e94d67ed0a4bc2e08914b9ae0

  • SHA256

    bcfb667a2c45940ad4674f23e10f3fcf5af3708ff78b64d180cf6d8e1f512ef2

  • SHA512

    b7c763b6fe82eef18d408d16c9bb03c488929b6756ab97682f980eec684fabcb821fb75cd5dba253764185c1b7bfd02c969b900f86ab60cf8dc1d73582af69f3

  • SSDEEP

    6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRGDWd4oTqW+lowK42euE:5MMpXKb0hNGh1kG0HWnALbp4os31BKDY

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36ee0e6caffac0e32220a3f949a8caba.exe
    "C:\Users\Admin\AppData\Local\Temp\36ee0e6caffac0e32220a3f949a8caba.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-928733405-3780110381-2966456290-1000\desktop.ini.exe
    Filesize

    922KB

    MD5

    a1e2e0c650918470cc5ed532c80bd85b

    SHA1

    31b0b27f59c74405308dc2865dc1df8e78580f3c

    SHA256

    b55c2d6c213743b79b2805ae6f8a5fe593be9979dafd2e5a1455b404493483a4

    SHA512

    2dafb401f83879add7b3764afba5bdc94b81682f7ecbdafd68becb5e3e060afa53e0c3f7ea07b40e1bf9781dd5907fd8c9948d0b89eea898f5293f69531e6552

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    802232367c00f81fd287dcc6b27e7614

    SHA1

    95195a2253315f96a22aa6e029ebcb9f835bbe44

    SHA256

    aad073dbf5d0456bd45c2de6acc54173ffd9ef9fa4d290c82f9a31645e2452c9

    SHA512

    700514315b132e7c75b9e14a1f2d3f2d3288464b7335c5847b7266148a5bb10c324e3c67bd59939fde3b9e081bb92adf4b848321f6a5b827ea155260e07ae48b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    6e058c18617310fe3df628240cdc6f76

    SHA1

    5b9ec6ad0daa211bda0040de51ac2bcff42b7d3a

    SHA256

    ac87916a6db90232776a20d6a3d532be5c854d1797167df3ed37d5bbab7d2e28

    SHA512

    54d3ba8588106163d69d9eaab7ba6f2c7b21c05dd200c3862ebada302eaf6c47118a0cfd5dfe0dd56b6ea2213b82102129fb22f546b77506d28772459e13f815

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    921KB

    MD5

    36ee0e6caffac0e32220a3f949a8caba

    SHA1

    5947cd25fe9fad2e94d67ed0a4bc2e08914b9ae0

    SHA256

    bcfb667a2c45940ad4674f23e10f3fcf5af3708ff78b64d180cf6d8e1f512ef2

    SHA512

    b7c763b6fe82eef18d408d16c9bb03c488929b6756ab97682f980eec684fabcb821fb75cd5dba253764185c1b7bfd02c969b900f86ab60cf8dc1d73582af69f3

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    409KB

    MD5

    a3dbaf57a7773d57d91ae86aad979bdb

    SHA1

    1e14804802c11a12ccdc91dfa752c81d5aaa915d

    SHA256

    c9344141fc16b1948179171b28a999aba1ac7bdfb80bebe99f00b3cf7ab91aba

    SHA512

    5ce4fb46a79f23bc11d997ffc541e7fe91745a66746db5e5e0db55df3ed369b21b03a4977a3f8b1256784d9616c578448df9e4bd4d1bc2ef82bb727f15dead0e

    Download Submit

  • memory/2460-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2460-90-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2712-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download