Overview

overview

10

Static

static

7

9b61060eeb...08.exe

windows7-x64

10

9b61060eeb...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    14/02/2024, 10:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9b61060eeb9a633b57f05d36dc09a208.exe

  • Size

    3.1MB

  • MD5

    9b61060eeb9a633b57f05d36dc09a208

  • SHA1

    902d25a92b344642a858d3d8d789037d0037395d

  • SHA256

    621730bc11685858a3538cde9eef471c1a55265228554e307ff5cd4d147b62a6

  • SHA512

    05dcc808290429963ad869f9651c8644be6df3b09a6a853275c8690ca8df7d03367752da73fbb59516f31fd0c457f36d242ca7853afe0442a295a9011d232065

  • SSDEEP

    24576:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Nj:Kwi0L0qkO+2NHm1C

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b61060eeb9a633b57f05d36dc09a208.exe
    "C:\Users\Admin\AppData\Local\Temp\9b61060eeb9a633b57f05d36dc09a208.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3016

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini.exe
          Filesize

          3.1MB

          MD5

          b4c898fd483d62c2ad3d7841cd4d64c4

          SHA1

          ebeb5ddc4d269b507e89212aac6d371c689ca938

          SHA256

          a8bb7339454331cdcc27bb5cde4fdc290cf73d7996f0cd0800f4ee24d0171c3e

          SHA512

          d35d6264346c9a61d4bd16bbe9ed6baf6f57bd358945e9a5a9da6693d2bfe60a3301164559900e94793c5afb7350ac8bbddecb52d6069ea09e81d1ddf82ba0de

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          1KB

          MD5

          e3f293503886e150d81e7ad83270a7a2

          SHA1

          373b80ffcfe18c7104557222055bfa9b00253939

          SHA256

          203b2fef735a746a07c828f72d741ed9c56d31efcea3392f9d2c9146fdfca72b

          SHA512

          c64b29c4c6ca23d6767adfb02cf9acdacf7dbc011be4a307c393689925387bc7b48c4586f24dc1840c8a508d302f3d74fc693753c2c973733e3917078dc75802

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          950B

          MD5

          eadaed759705e96d834efbffdeae6ed7

          SHA1

          8f3ea241c8917d955862836773148139f880c23c

          SHA256

          daa14a95ab786e297cb8a193c197e41a7f2809f005d0ec7a6a554bcfd202b4bc

          SHA512

          d73211e27d7cee13d0e92a99308a8805d69d232f5d1adf3750f40a543684781ab36e69331746967b0b9ebc67cfa574a4202d9b9f4cc5624484140f0810bdce55

          Download Submit

        • F:\AUTORUN.INF
          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

          Download Submit

        • F:\AutoRun.exe
          Filesize

          3.1MB

          MD5

          9b61060eeb9a633b57f05d36dc09a208

          SHA1

          902d25a92b344642a858d3d8d789037d0037395d

          SHA256

          621730bc11685858a3538cde9eef471c1a55265228554e307ff5cd4d147b62a6

          SHA512

          05dcc808290429963ad869f9651c8644be6df3b09a6a853275c8690ca8df7d03367752da73fbb59516f31fd0c457f36d242ca7853afe0442a295a9011d232065

          Download Submit

        • \Windows\SysWOW64\HelpMe.exe
          Filesize

          2.9MB

          MD5

          384ab83d8ed3c45c36d60d29741464eb

          SHA1

          2597285c83a7c9d358c939fc5a8ef06e5cc57583

          SHA256

          eb53033b855dab1f328d6d188fda583a6e6c1e06527eb8cf755a253df2f4cf32

          SHA512

          3bce8af44e0bdc91c275494750ed691ca5608c099057d7d79058c0d6f3cf391933f6dcdd00e726af91889d9a4ec94b10e8f9dda31fb6ee0a81289acd680c9015

          Download Submit

        • memory/2968-336-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-270-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-224-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2968-238-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-350-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-360-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-258-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-248-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-330-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-298-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-320-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-280-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-310-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2968-290-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-229-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-291-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-299-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-281-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-311-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-271-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-321-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-259-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-331-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-249-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-337-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-239-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-351-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/3016-9-0x00000000001C0000-0x00000000001C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3016-361-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download