befe3e7f3ebbf93994bc7cc4e03c18f8a74b04ceec56d60d8a34d384bbacd296

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15/01/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bca1ac080c6a1bd10d9313b0af9ff6d.exe
Size

428KB
MD5

5bca1ac080c6a1bd10d9313b0af9ff6d
SHA1

3a3fe86e6d957c7e91b76f6a0082595843594859
SHA256

befe3e7f3ebbf93994bc7cc4e03c18f8a74b04ceec56d60d8a34d384bbacd296
SHA512

76a920f19d189e69148efb2fb9ac078420683ede6c2772c3047fa69c34661fe7883d3ca1ccb7f1d0ffabaa1301a2897eb4ce8d99ba7b51bc3f7d82cff086149d
SSDEEP

6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRAjmDtDqKmk3O2NXw:5MMpXKb0hNGh1kG0HWnALb1BuKmXyw

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000012254-2.dat	aspack_v212_v242
behavioral1/files/0x0007000000016052-38.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat	aspack_v212_v242
behavioral1/files/0x0008000000012254-278.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	5bca1ac080c6a1bd10d9313b0af9ff6d.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	HelpMe.exe

Loads dropped DLL 31 IoCs

pid	Process
2132	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
2132	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe
2316	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\K:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\Y:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\G:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\L:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\M:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\N:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\Q:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\X:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Z:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\O:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\P:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\J:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\W:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\V:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\B:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\H:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\R:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\T:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\U:	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened for modification	C:\AUTORUN.INF	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	5bca1ac080c6a1bd10d9313b0af9ff6d.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2316	2132	5bca1ac080c6a1bd10d9313b0af9ff6d.exe	28
PID 2132 wrote to memory of 2316	2132	5bca1ac080c6a1bd10d9313b0af9ff6d.exe	28
PID 2132 wrote to memory of 2316	2132	5bca1ac080c6a1bd10d9313b0af9ff6d.exe	28
PID 2132 wrote to memory of 2316	2132	5bca1ac080c6a1bd10d9313b0af9ff6d.exe	28

C:\Users\Admin\AppData\Local\Temp\5bca1ac080c6a1bd10d9313b0af9ff6d.exe
"C:\Users\Admin\AppData\Local\Temp\5bca1ac080c6a1bd10d9313b0af9ff6d.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini.exe

Filesize
429KB

MD5
c85402a32fb260fc4361d30fcbdc7ebd

SHA1
540f78c104a2a7e44a20e0165a89056da4a115ed

SHA256
48112f79be9df40fa611dbcc977e3c601269ddcea402ea27307981ebaf38007e

SHA512
e53791913e916f73783ca0700f91fd64bfef795961ddb9f47a95c9a700def660d67c077ab30720a85e29372ba4b834209db270577524ab5d68d32d99392c7f44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e7a5a86de1f0c1929b342b9c170a9b65

SHA1
996e0fa6e326e323f70e9118aa91b2b50d533ec7

SHA256
c4f721d07c322371ccdf1eae90436c7089013a04c51dc1e51315a630b2fde6f9

SHA512
dcec6c0e2363a4325dbfa2db66d86bb0bdf4f1874e501573eede6540048305a0d8163caa3b7e91d45af948b4f6bcd7fb7bf92369789eabc3e27cc845f0bf9810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
328079b0490951ab3ece667f0bdae148

SHA1
18399252ea2eb4056f91f5c7818c041e9e4d94bb

SHA256
4a8924321e4462f475dca079fead7dfbf90a673f69354a29cb9704040cb643aa

SHA512
e643d12c51f9642f8f465839aa701e145b8edf5c832087110af489498639415015b9476ef36e58d0f5cecbb75f7b8bb731d84294ab3e0f71e19e5ef44899d775

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
428KB

MD5
5bca1ac080c6a1bd10d9313b0af9ff6d

SHA1
3a3fe86e6d957c7e91b76f6a0082595843594859

SHA256
befe3e7f3ebbf93994bc7cc4e03c18f8a74b04ceec56d60d8a34d384bbacd296

SHA512
76a920f19d189e69148efb2fb9ac078420683ede6c2772c3047fa69c34661fe7883d3ca1ccb7f1d0ffabaa1301a2897eb4ce8d99ba7b51bc3f7d82cff086149d

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
423KB

MD5
f52823b5860cab807b4b2fd07f27c2aa

SHA1
1e6f2503de8277a15afaccb585dfea32eed4e94d

SHA256
e1754b97055c1a1576caa7bc695c83987014d2798a22735b296f6c9b2ced063f

SHA512
a432d13a3857fccd0735811aafecc319b183ca6abe6f65060d6c6462db48c675db5b2e36d575f21631e66d0886db52487c3b31474854e376ed4f9b0755a85963

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
222KB

MD5
1625edeee6d8b6a558a045d2545411d5

SHA1
1e14e7e0af6330696a81cf074def55aa831ceeb5

SHA256
fc153cd6eb5569e2258945f6a1e948c186f394a8e89f4702c0d693e31b10922e

SHA512
eca6a7ea0c47489523aabf3f2b823c76effc7b4576edaf5d5a135b5e6593e7fdf4a14fcb202c753067a55aca4caf869f1e196e2c62f276558e016b79c882c86b

Download Submit
memory/2132-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2132-244-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2316-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads