Analysis

  • max time kernel
    146s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-01-2024 01:53

General

  • Target

    54a2421684a8654ea923b803200ff0ab.exe

  • Size

    292KB

  • MD5

    54a2421684a8654ea923b803200ff0ab

  • SHA1

    ca0aea6f09f91328ba44d68ac351babecb6f2686

  • SHA256

    108add0ebd32c694d4cccadac85aa0c19b70c36eb6c69a4002b9c3d4a5c208cf

  • SHA512

    19f6f6b9470f366029213aed261108efdaf030721d9f3a9e2d176ef8f93d9ddad663b4f36c35fb6043b1e9ac2b11102db04ff09ffd83789797a9c80ddb96f6e7

  • SSDEEP

    6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvR7:5MMpXKb0hNGh1kG0HWnALb7

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54a2421684a8654ea923b803200ff0ab.exe
    "C:\Users\Admin\AppData\Local\Temp\54a2421684a8654ea923b803200ff0ab.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini.exe

    Filesize

    293KB

    MD5

    a0fe5bc4f8767cca7dc92109242620f2

    SHA1

    9f0ca6a3a1da1fe4041d93cc555bc8947c584bf7

    SHA256

    ecb3f761f98fd8d8d5c62fd6c31d0228b79a3fa0efc839c63a8d9afc05c4a3f5

    SHA512

    3b0cc0eb622e6d759d5a7dad2cdae75a9249b63056845d5090fe8e6f1d9a70f3b46b81f1345ba3ecdeb9fc952b59c1a91101b98256edb53d338290564516d1b1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    6eb9026279cd18b2d37dbbff8a26bf33

    SHA1

    734b3f436d1b4fb143cf6599ff359c7ad5162057

    SHA256

    a16831330358fb3f25fda8ac1ea16f303cdb5976123e6ea8b2e5c98d3202d138

    SHA512

    04c8a885fa9546403f458b16b0befe2f44e3547322cc6509358deb41ece094bc5f2a6757c697185c3403213ccae80f6dc9d7d1232b917ed1e71dc53c8dca4ce4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    29683fa2091b7f0cf2a45b6fd7698ed8

    SHA1

    b3157404e17f85f536423f026618e5907f06163d

    SHA256

    d172b9bb150cc3ccadc4070f98e40d5bf08c301082ee3e9c08cf599d06901f13

    SHA512

    dd52781d8958bbc1bf62c787ba535183e788afe0fe0e015df1f3c5f7dbb2a8b5346447285e6f5607143434444ac9dc3abcc7c3fd1eca4108211f6a154b727faf

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    292KB

    MD5

    54a2421684a8654ea923b803200ff0ab

    SHA1

    ca0aea6f09f91328ba44d68ac351babecb6f2686

    SHA256

    108add0ebd32c694d4cccadac85aa0c19b70c36eb6c69a4002b9c3d4a5c208cf

    SHA512

    19f6f6b9470f366029213aed261108efdaf030721d9f3a9e2d176ef8f93d9ddad663b4f36c35fb6043b1e9ac2b11102db04ff09ffd83789797a9c80ddb96f6e7

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    290KB

    MD5

    a19195bf4edc5139859d26792fdac06f

    SHA1

    64fa5ef40ff54fb07e88654a5e0f6e817fd04df0

    SHA256

    60c3e8d7f3c7afcd378524784b61f28c9611c02df14a4101f1a4c8d0265f3412

    SHA512

    e78e2b3d327081b47b90852c143f344ec9a0f738b5c9e7690f7a37b850aaa5c633c22ef2798f9fda86c9c70a4213611630ebbf2c29ac3f21e282c2f4273e4495

  • memory/2976-0-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/2976-108-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/3000-9-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB