Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

756bab043d...ad.exe

windows7-x64

10

756bab043d...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/01/2024, 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    756bab043d61134b32672f731922b9ad.exe

  • Size

    5.9MB

  • MD5

    756bab043d61134b32672f731922b9ad

  • SHA1

    cd259f4a8e1ff1d0713b03bf6a36044eb94d0e4d

  • SHA256

    7818e559bd7eb1a59e44bae2781519ee345c4213a96eb4fd587f6c31aaa0f58c

  • SHA512

    8984e42b966a057898ce641d892b8fa599efae68fa1f50cf134e2e8dae6eebfe3087b6c5805ab5f5057f3e70a02304fa22548f3f5a6d172ae038a94b87b77d14

  • SSDEEP

    24576:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Nf:Kwi0L0qk

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\756bab043d61134b32672f731922b9ad.exe
    "C:\Users\Admin\AppData\Local\Temp\756bab043d61134b32672f731922b9ad.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3818056530-936619650-3554021955-1000\desktop.ini.exe
    Filesize

    1.7MB

    MD5

    6a71c7c9aae8a4d111b014697ab699d3

    SHA1

    f2ac96dc726bd5b1fb9aab5683f5e70bc0d72e41

    SHA256

    f9831837c9d16617d32669d394b0bb87f2b431ded6104658a5e12c952ec1ff04

    SHA512

    222efd0983544031ac24e953162976116741dec53e1f0da55bb827c53973fc10c25c8bdeca4ccf0e55f1098da8b070cded61421b61d3818cf6db54ee8f16a343

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    3519f0563b26b33e610ba18281622789

    SHA1

    004a2b4f4c014ca9d75f95d0690d9f6c25abb9aa

    SHA256

    98238dcf66967ccc0ce81ae865e32145ea19511879e0a05ec1b0c6c51df98a9b

    SHA512

    9bacfbe4f9443b66123097dea74c8f891ea243bd2b547e93a32cc6eb4e69ce72e5d259aec0a639dab3649f92ed670d0931f6bcac56f1763473a029bbc4a55a2b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    bc85055336665e4a538e071c81a20e2a

    SHA1

    a1158a0a5c3d0a97795c3ede7b2b576b8ac1e924

    SHA256

    f4c25112c7daf9b5fb1429a48584e113b80f2b818a6730cf154e015901c005e9

    SHA512

    e0f5202a878cbba3112cdae0bcf8b25fe22a2e2a92ba9ad4798faabe8390d91ea71ff7001ce162f2d5801022819d55566086097ee95d44201788fc384c3d4374

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    636KB

    MD5

    42f26ed376f4e7894330e59d77dc5af1

    SHA1

    a7ce6afc8ef1b2406ad7936cd6a24a3a574f29a0

    SHA256

    6087fca4e2056141f9739d1ce66d4b326f40cc34cc26bb73af3364baccf231cd

    SHA512

    941541a32aaa1792d194ae9961b1bc518e8850e4462b45b67101ff1be6923c925f3e2373e3eed063a551533cead94e7675e941a16e9ac1759488e6eb3d4ece6c

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    567KB

    MD5

    2fa9fe1ef28eb0fb3ec393360780324a

    SHA1

    fc4762440762130bdcc7fdb1e602c9115e96c65a

    SHA256

    20fe9585600f53600da6ed8c7be36522e8e97d9dd5b14f5a3ec94744344dead4

    SHA512

    a4b643b3695fa5a0a4d3311c532c8772f95580b1a00457ecb91d07bcef19cc4a3db9c9b1d349dc625c6d490d3571ba5158229610a2789fbc4bb9b52d5769f63e

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    1.0MB

    MD5

    7c5050979402512dfb9b221b5784cba8

    SHA1

    a7270f67bf4c0aefc52c18e61b19b6ab3803f3b5

    SHA256

    ff45805fea350a65f5294af85d5094aff996fa7f690b24fd36ec1b3c802ef4f7

    SHA512

    68f8a567e00bf4e3b619e9099e2afa356767eb1c1a4ace031fa150a00a77e5075754b8c823ead0d376234042ae656f8f96156502ab07c587f8ae558bbba6fce8

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    1.6MB

    MD5

    e9f694ef9ab552b4d2751ffb287263f7

    SHA1

    2b76a611d30cf2009842f7ff60f62faede7b501a

    SHA256

    0647f8983b53291b502d5e73347768e7178cd6ebf5dcf43211f58a0b4c23d5d2

    SHA512

    56f907a0a373d557a36c60338920d79d26f5a7b70e174ad5855ff5f79199b9d492840d2e204be77bf71ac6da6ad2dbf3c6311a698e91176d15b301a8d6540c98

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    1.7MB

    MD5

    e4fa1e6b63a13629d5a857ead5a8130a

    SHA1

    69b3c042eced1ad70bbd3f5f87f9156b50dad80a

    SHA256

    34211fac055018f7ab22f4496aff391ad2537b86154ef4d540eaf53ec7b4ea66

    SHA512

    a3eece92396e9a70d484aa40c488f48ca4e733c287de1f0672fc418d9f2eb284e68c04e6b996138432228821aefebd39909ee3407495e51542564e21d66ef5f8

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    957KB

    MD5

    ef72f3821a26a31d33a44a7d93a0634d

    SHA1

    5b6fc3575cb1958a20396084fcd707243ca5b45c

    SHA256

    fe3334a3d6be292911d73d74cbbaa095fac664eaa043ad1af20364ff8d749a26

    SHA512

    6e034fddeced0ce01b3bb67bf8e5a0d3395aa17bae01926e0142c8dbffcbdb4aeaf3f554fa102f0c5b0cdc5121b63ba640a171c8c9403c91fbab02166ca32c67

    Download Submit

  • memory/2144-261-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-329-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-361-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-229-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-351-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-239-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-341-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-249-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2144-321-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-311-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-271-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-301-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-281-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2144-291-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-320-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-340-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-280-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-310-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-270-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3028-300-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-328-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-290-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-248-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-256-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-238-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-350-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-228-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/3028-360-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download