Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/03/2024, 22:07

General

  • Target
    b337b7825c832c6a31a5207d22d5f987.exe
  • Size
    970KB
  • MD5
    b337b7825c832c6a31a5207d22d5f987
  • SHA1
    a73f1613c58aeb342afa205a0a7c3fe6dc93de62
  • SHA256
    5827dc336f6100d98832279ffa07c57f93ed8f233644977f519b2ac2d687936e
  • SHA512
    98002aee61204d22bb526d3e34b11c7852f163e0671a40dda28706196296432741867a9e743e1cea45a8e6d43d597dee2e3259d16d394a89d60114b808a4deaf
  • SSDEEP
    12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnALa:5MMpXS0hN0V0H7MMpXS0hN0V0Ha

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • ASPack v2.12-2.42 (3 IoCs)
    Detects executables packed with ASPack v2.12-2.42.
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops autorun.inf file (1 TTP, 3 IoCs)
    Malware can abuse Windows Autorun to spread further via attached volumes.
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe
    "C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1240

Network

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe
    Filesize: 971KB
    MD5: ad08ce27e5e85d84dda0d508031ca060
    SHA1: 5b561353d8365e404ca068a284f46be9442955e3
    SHA256: 63e87d4a0b445cf2e407290a31ecf5d226bb1a45e6880bafaf4fc68d1cfa7e96
    SHA512: bc6ecc5d0eccb31a2ae088323a5ebfbf5509d0b313626f70a48436ada15265827f96b13dd87d94676d8a85c9dac5fff5d42b9a7dee57e57c8c22267fb6a49116

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 1KB
    MD5: ddadcf81a9fc83b0b626c30e78880a9e
    SHA1: 9224fa092550dc910891b20b6c5b15bdbd2c65bb
    SHA256: 2c91d8d0758afff7b10a226b3ea0bcc60af1b11b2b349e03cf97708bed038ac5
    SHA512: d1ecc410067ddf6a7f34de0d321ca05d77bc632e64bfc2309bc1c3bfdd9d0b8efdd04329a16fc902f03473c78bf828cd04fdc96ae0884fee44ed804373d28559

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 954B
    MD5: 6e1b55823cd42884621c5032600b2bd0
    SHA1: ead036d292af110d57e996403a2719e388290f95
    SHA256: a00e3208e4dba6080062f4953fc109ce17104c9208eec904efc692424aaabb3a
    SHA512: a45887dd6d102d098f46fe19618da388da20ce04df8bfee0895bb09958de9084d608ae5a9bffc9e04752f9188cbf0814b8e9755ede6a220bca7e2adb5c8a422e

  • F:\AUTORUN.INF
    Filesize: 145B
    MD5: ca13857b2fd3895a39f09d9dde3cca97
    SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
    SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
    SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe
    Filesize: 652KB
    MD5: 1f5e185c57a7268df04cb6b2b76a92d1
    SHA1: d5eaf064d4877eeea3a52b4c0d693ed6b7883024
    SHA256: 11d1774e282834a8028bb9b99ac77e6a8b11e8d4be9c170f4748817c603435ac
    SHA512: 021716ba8d6804b6fb8c6c967abbf27d713dc0d264c0bd51b509b0b69fb74aecd252d5056da10b9241530a758a147a9dabf972c42f90b5a6e45bf1b58d6fdda3

  • \Windows\SysWOW64\HelpMe.exe
    Filesize: 969KB
    MD5: 06a18d8092bd6c922d07922d3292f2e2
    SHA1: 76689f623991f89f5be7df73cd7058994c773a20
    SHA256: a6d1e72ed010811b4694ab1f262d4ed4eb16f710eb9d14ac4d05f4796da90133
    SHA512: 5605c3e3a7ccad8c893bb39e1f34887b814011abe48681a1c3a32b3b31fc39137818ed83a950f535d80be16df59aff28f58f9a7f5477f776146f6949d96623f5

  • memory/1240-10-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize: 4KB

  • memory/2164-0-0x0000000000300000-0x0000000000301000-memory.dmp
    Filesize: 4KB

  • memory/2164-240-0x0000000000300000-0x0000000000301000-memory.dmp
    Filesize: 4KB