Overview

overview

10

Static

static

7

a0a654ab18...57.exe

windows7-x64

10

a0a654ab18...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23/02/2024, 23:41

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a0a654ab1844abada2eebf3806925957.exe

  • Size

    641KB

  • MD5

    a0a654ab1844abada2eebf3806925957

  • SHA1

    cbe14a85ddff321452551c2ca98f4290fe8be48a

  • SHA256

    98a9cf926210ccb175aa798fc9b1d06674813809ae4456a0cde047752d7172be

  • SHA512

    944d59ed5b6ab85cb3964385310a9accb17f479f0fdb4156badd3063ee6b4c2412c50d531d419137e9cc9b54aa53fac0c4af892e2acccdb6ac6d4663211fa5ca

  • SSDEEP

    6144:ZiMmXRH6pXfSb0ceR/VFAHh1kgcs0HWHkyApOhP/SgljwRwdX/1H9fYavJiPx5S7:zMMpXKb0hNGh1kG0HWNAuCsltHlYzM

Score
10/10
aspackv2persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0a654ab1844abada2eebf3806925957.exe
    "C:\Users\Admin\AppData\Local\Temp\a0a654ab1844abada2eebf3806925957.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3064

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe
          Filesize

          642KB

          MD5

          7c77f6aaadc9affa2477bbc57dd70fd3

          SHA1

          41a8888a211b5f5c5043ce698bf8d2794a28d183

          SHA256

          0a0af93c1c49f274890b58e87d8dbf8e17f96ace76d87fcd7955ea4c006fbba1

          SHA512

          3f5e754a909d9f4ef77286c9a805452c6446833c2f6b3638685429fb02161c26cde61f986e47e04e90d0b1e9160222b808e86db467920d7cb81e5e084eec3679

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          1KB

          MD5

          109962587151737eff7215b10e05ffb5

          SHA1

          629b17886e3cae39f5ed2589b6f96159a7e91125

          SHA256

          6028e1386f19f742d9f6dc59f5cb60995f07b94a1719a862f95205c5da091142

          SHA512

          737b60a58a54f77e54e155e61fc7346dade893f88ae82f2649b590ff7fc38e97643e78abb3ae1412212f393855db7a24f3cabbeeb96fbbec98324396afcb637b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          954B

          MD5

          926a9265516069c8e9203abec26f00a5

          SHA1

          16a2afa460f80d759b912a8bbbfb7573f2556f99

          SHA256

          fbf861c93e8bc0a559fc9d5c7ac84a8dcf67301fb43ed723ab309c97dbb881bc

          SHA512

          0ea8194998f280b5d5d5f8e8bc2b7c6b7353453701aa93b982b591dbfb1f47c2804790f3275d9cf43be0ce250a1ea5011d465989f4d379b2233a802fe0330654

          Download Submit

        • C:\Windows\SysWOW64\HelpMe.exe
          Filesize

          573KB

          MD5

          c4b021753e23cd9ee06e650f9517c64d

          SHA1

          fa817463817384d44ec30101a74b2617b4be1f97

          SHA256

          4f2cd8be99ed90c4fd3dc4226587531a116ab5f99cb348d4d61861fffa59fac3

          SHA512

          6d20a1fd6f76b3ea61010d2e9358e7b5c4d6bcbd83c7499d16569f43e17a99c1c72a500de024c3ebbb921114f43b6f22eb9c01bdf62600c038db46a30f9ca36f

          Download Submit

        • F:\AUTORUN.INF
          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

          Download Submit

        • F:\AutoRun.exe
          Filesize

          641KB

          MD5

          a0a654ab1844abada2eebf3806925957

          SHA1

          cbe14a85ddff321452551c2ca98f4290fe8be48a

          SHA256

          98a9cf926210ccb175aa798fc9b1d06674813809ae4456a0cde047752d7172be

          SHA512

          944d59ed5b6ab85cb3964385310a9accb17f479f0fdb4156badd3063ee6b4c2412c50d531d419137e9cc9b54aa53fac0c4af892e2acccdb6ac6d4663211fa5ca

          Download Submit

        • \Windows\SysWOW64\HelpMe.exe
          Filesize

          639KB

          MD5

          46e8a53782340c0733013e671fcfca43

          SHA1

          e182d34db0c37091de8193338e4e516d45fdba57

          SHA256

          7ac0817b27975edf95cbd177f5f44f7e9c527dee75425faad8b9f1155777bbce

          SHA512

          fd8e6aaa81f8ba909d313dbfd1d0f511ed96b532d3e9c7da8feb4fec7c76ccba62bc327aa5275ae478f8cf05833f6ad1d4cf7893bb516855727df6c9bcade5b3

          Download Submit

        • memory/2588-0-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2588-240-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3064-10-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download