Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/02/2024, 03:10

General

  • Target

    ad8a053573f17bcef0da88f613a5aa87.exe

  • Size

    477KB

  • MD5

    ad8a053573f17bcef0da88f613a5aa87

  • SHA1

    9a4ae2a8670bd1a80662f55974491033613a8523

  • SHA256

    a33402764a864c799f950d109bc8b176c56216d4fdb0cf09bcc281e02724f005

  • SHA512

    b0a92d633a3520a9a94ea580180293f07673b19fcf0f6b187dda6954c3d9d0dc70c7c38bdd67ca96de966659494762f7457fe2adc59ff93f7f4c67725f7a87d2

  • SSDEEP

    6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRAjZGrWmsu4lnEqR6q:5MMpXKb0hNGh1kG0HWnALbkr

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 31 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe
    "C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2184

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe

          Filesize

          477KB

          MD5

          0204d377cb429962fd564f31e02f88ac

          SHA1

          83ab4729316a798b8d81d0ac27c328969894abcb

          SHA256

          03b4bfe6b90587a8b794728d452082825432ff23ce45c4d62e81ac66f165d0bb

          SHA512

          6fd80e1c609c3d426f4ccd1f7dbc51e2133e07728e6724b5a9e525cf98f667f690824da8a0a616017500a81ff3ba55233141cd98d59517ff39fee054c9a0b475

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          67a6adadcdf506af7c89cb147722a1e1

          SHA1

          a9489f615a9cb8228fb50c04c4d2f76ac6e1a686

          SHA256

          985d7e05cf3083e62835033e7bb62302c035f5c32616e29bf7313f76c1b878f3

          SHA512

          606ba6bbc6f8bb01d4ba24583ce6429df5ebb4643a21d87928a3325dd19d4719102feadf65b1a3139db7c90796c60b9ecdf2a5f8bf5f063e606ecf0f052df6a0

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          954B

          MD5

          ddcbdec4911a915b53d0d08b12e94c22

          SHA1

          a1ea8be0baf8730904cc9df340bab78582c43743

          SHA256

          94a432ed70f5334c8b5a4607b1d534a3ce0ca53809b169c0eababa087bba0195

          SHA512

          e040fb98426c8ad53ae6b117b5bed28aa92b61332c3798e36ae48f733d2a23a2e2db0498d4a08e79e9184898fd6e07d3d237f83b6ee676e17fb0f6a722238265

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          477KB

          MD5

          ad8a053573f17bcef0da88f613a5aa87

          SHA1

          9a4ae2a8670bd1a80662f55974491033613a8523

          SHA256

          a33402764a864c799f950d109bc8b176c56216d4fdb0cf09bcc281e02724f005

          SHA512

          b0a92d633a3520a9a94ea580180293f07673b19fcf0f6b187dda6954c3d9d0dc70c7c38bdd67ca96de966659494762f7457fe2adc59ff93f7f4c67725f7a87d2

        • \Windows\SysWOW64\HelpMe.exe

          Filesize

          475KB

          MD5

          0ad94d1d5e36331067b4d0b470e21d6a

          SHA1

          02b345a4b2bceb1aac5663bae61d13f692514a2d

          SHA256

          d6f25f47371f29fecab67a4f9538aa92612029c6094c8102bbda6832f0a9f023

          SHA512

          49b470761affab9bd04b87b43ffbc71c9ea98063daa18668aebf99383982be66d1e142d5e0f804094d1047225cb0399963767ff9e69da0ff26000c296dccfd46

        • memory/1928-0-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

        • memory/1928-244-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

        • memory/2184-10-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB