Analysis

  • max time kernel: 145s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 04/03/2024, 21:49

General

  • Target: b32f8e38b6835b37ce52f3aca570ef8a.exe
  • Size: 1.1MB
  • MD5: b32f8e38b6835b37ce52f3aca570ef8a
  • SHA1: bb15c07e0bf974d09e45954556de0592c4b57d08
  • SHA256: dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814
  • SHA512: dd2833c1efe50cb5f220bf28bf1ef57394db8aad34b34499352c68306ed6b753efc0afb7038daef388380cb4a34eecf0ea85a099e4ce5eb3efe024c311e18b73
  • SSDEEP: 12288:5MMpXKb0hNGh1kG0HWnALbLw+VsLkjrVlQB9FbDTF53nlNFRpO50w9XCfyGjN1PS:5MMpXS0hN0V0HvwkSGr

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe
    "C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1296

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini.exe
          Filesize: 1.1MB
          MD5: 569baf132f3455efb7b16f1947786d37
          SHA1: 13165399307e115e80ceca5c76f94ea941388b6c
          SHA256: 08dea23eb844f8ecd2f373595064133dfc44f1efcd9cfd4b35d317b8b42be049
          SHA512: 8e6564ca3496fddd9aa01cc9cc728cf263f8ad11dda076b0d1a6eacd4fd5a98de6bb7f75267e2062b1e6743883e9a5d810bd7347d6609bf131f40bfe5bff1ad3

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize: 1KB
          MD5: b3f42a5c7c1350c6d2c820d5b7bb2e4e
          SHA1: 76552523bc2bf373d292787542ce0ea6f55e3156
          SHA256: 2de99e344bcc1fbe74b5a2e462ff61d37cadc40cf0f1069163c46e98da157acb
          SHA512: 01be09df99df9632ce6ffb0532246b25f92fa5053446564fa82515f6fb18ae4260d42f01098ebc4de6ced5ede1812acf55d4e5e542ac292d4acf5f31142b89e5

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize: 954B
          MD5: 546e41c33c20c2f562621ae1dbbad3af
          SHA1: ccf3942c94bf0bbdc92fb4bf749614ae915a4df8
          SHA256: 59b72688edee94c7a394d2fbde8c4c92ebe9afa641ff12672a2e47d325ed19d2
          SHA512: 141d7d9111b0bd3f1ef868319c599559b075f757ca9a9d728bb4a77ca247326340a6306bf57d954d9e5d74f2be52d45ec9d2a657977034155982b3b6f3d9a385

        • F:\AUTORUN.INF
          Filesize: 145B
          MD5: ca13857b2fd3895a39f09d9dde3cca97
          SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
          SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
          SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe
          Filesize: 1.1MB
          MD5: b32f8e38b6835b37ce52f3aca570ef8a
          SHA1: bb15c07e0bf974d09e45954556de0592c4b57d08
          SHA256: dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814
          SHA512: dd2833c1efe50cb5f220bf28bf1ef57394db8aad34b34499352c68306ed6b753efc0afb7038daef388380cb4a34eecf0ea85a099e4ce5eb3efe024c311e18b73

        • \Windows\SysWOW64\HelpMe.exe
          Filesize: 1.1MB
          MD5: 6ec7fc7dfb5c78eec8a56ba45493f029
          SHA1: 18cd2ab17678a0f4c3153b00363c549586343c79
          SHA256: 2d21f38e5de7d7a8b7a40b5fc7b463e9b7ca9077ebe899018e9242b51864d17d
          SHA512: 9d621ea7fbd2ebc3ea529eb28130f7426fb0ca3cbcd473e04d9c17a57748700650b66e5e8e23e54b361faafc7aec44aca9296d3f86fc36a8497947ae62f7a3db

        • memory/1296-9-0x0000000000220000-0x0000000000221000-memory.dmp
          Filesize: 4KB

        • memory/2928-1-0x0000000000220000-0x0000000000221000-memory.dmp
          Filesize: 4KB