Overview

overview

10

Static

static

7

993f65ea49...df.exe

windows7-x64

10

993f65ea49...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    993f65ea49b033f781ec1c071f4e34df.exe

  • Size

    2.2MB

  • MD5

    993f65ea49b033f781ec1c071f4e34df

  • SHA1

    0ef33b1149c38b975d770ccf55a5984af3823578

  • SHA256

    8e5baf96f62fab27ddf02ded10ae29cca1946defcca9245e091b81359ebab83e

  • SHA512

    92d161be2a37b68aea93fe01ad534948dba6c5b0ed83db4aebbfc116da98bf66c723d78d6ad7eb25d33c4218f945913711860ab9c3ba5364c40b324cdfe678c8

  • SSDEEP

    24576:ZMMpXS0hN0V0HZHMMpXS0hN0V0HZCSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDT:Kwi0L0q+wi0L0qRyxd

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\993f65ea49b033f781ec1c071f4e34df.exe
    "C:\Users\Admin\AppData\Local\Temp\993f65ea49b033f781ec1c071f4e34df.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3308111660-3636268597-2291490419-1000\desktop.ini.exe
    Filesize

    2.2MB

    MD5

    5d4eb72226621d89ab558326c20d0019

    SHA1

    14997b4b03b41115a2e993d75e59937a5c7ad7b0

    SHA256

    970d02a56a544c6920d5af82fd45b23b11d6df31ee2e3d28e04bc51c64c01c56

    SHA512

    d7776e0b7b432b41a1513b530350561c7824aab40f7ccd9f880a0267602b565c5e712a913c6c7011c41b211b78245af44a380fd5f97395ff0fc67bdc4a69d827

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    8fce8fc7081cd076a4da3a925c528ffa

    SHA1

    31278f36250decdded108da62e55aca4c1953003

    SHA256

    6a5f02a3c0da7bead1f5feddc60b27c48aac1af056589b4d558a1555941db2db

    SHA512

    d0cad156e008e8ce2c6ffbcbb4c7c7626d81745d3cb8fb5ff48c0d491d67f49c847ca5640aa7f68d9e1100ebb03fd8ad1994cf4d5a18bfa6647217bb89d2fb42

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    50830cea2c38fbd509cef15c93b0671c

    SHA1

    5fd4f2da8618220a35f4dcba5677bffb0b081893

    SHA256

    20c85a0c5debdcfd019c42c1e4d935e6020484e3025f40e44c929e86ff83a385

    SHA512

    e31aa994f2d54032fb0287bdb3d63bf4575bd97ab911a93ad72d7357c1e59be3c8e1f6ee36242a9062b3f6e83bf7cca8f2c50268d3c6f6b27656a4a84ef36afe

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    2.2MB

    MD5

    993f65ea49b033f781ec1c071f4e34df

    SHA1

    0ef33b1149c38b975d770ccf55a5984af3823578

    SHA256

    8e5baf96f62fab27ddf02ded10ae29cca1946defcca9245e091b81359ebab83e

    SHA512

    92d161be2a37b68aea93fe01ad534948dba6c5b0ed83db4aebbfc116da98bf66c723d78d6ad7eb25d33c4218f945913711860ab9c3ba5364c40b324cdfe678c8

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    2.2MB

    MD5

    6df927c145d46bcd2a9909abaa6470aa

    SHA1

    a5f7f874a9461cd11eaa4e3a79a411c181be4acd

    SHA256

    9f016a4b9a71e4030b3d890e30a0614c71cb1b5839a9c94fb3a594b4cbf8ddca

    SHA512

    f45a78da843d51113918aa1e014baaaaa3b51b21dc86b169afa5a77249099315873dc29f98bdc7893af8f1394cd290ddadeb9cfeefbe897d01f0a97614c0e697

    Download Submit

  • memory/828-249-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-240-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/828-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/828-361-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-339-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-347-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-90-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-299-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-238-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-259-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-331-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-269-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-321-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-281-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-307-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/828-291-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-91-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-292-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-300-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-282-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-312-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-270-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-322-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-260-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-332-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-250-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-340-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-239-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-352-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2192-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2192-362-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download