Analysis

  • max time kernel: 146s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 05/03/2024, 05:16

General

  • Target: b3e12127b76ce34e00b09e1afc4360c2.exe
  • Size: 516KB
  • MD5: b3e12127b76ce34e00b09e1afc4360c2
  • SHA1: 9c90473a5cf95c8bc30390f593ffaa95a617301c
  • SHA256: 41e253056520087685c68a854acd8a18f0a4fe13182a0c7e2030470545adc927
  • SHA512: cd62026164ddd579e09a8a38b374c4e233b1f38ca8a1d4bd111bb5aa26487a5e40d77e8dbe1d0113a478772cfe305d2d7a5e77beaaa227c564a93f3d92e0cb03
  • SSDEEP: 6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvR2hQy+jvujZFaV:5MMpXKb0hNGh1kG0HWnALbd

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • ASPack v2.12-2.42 (3 IoCs)
    Detects executables packed with ASPack v2.12-2.42
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops autorun.inf file (1 TTP, 3 IoCs)
    Malware can abuse Windows Autorun to spread further via attached volumes.
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3e12127b76ce34e00b09e1afc4360c2.exe (PID 2072)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b3e12127b76ce34e00b09e1afc4360c2.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\HelpMe.exe (PID 2024, child of PID 2072)
      Command line: C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory

Network

Downloads

  • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini.exe
    Filesize: 517KB
    MD5: 50f01016c2063e14d12fd4827109ce2c
    SHA1: 779bb70ec3d028f4dc14c5a820774c4055496d72
    SHA256: b8dd33fe46fd5799929182a5782fd196de237ae480ec518ffc9b72bd76a5475a
    SHA512: 443f7af96fa30e409f101a52732ed5adc862bbe0f5288c83d6a0855acd00d1e4641b30f3d03353477934f484493659d8bfe8d54888601e943b21b9acc0956b0b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 950B
    MD5: 6a1e3ca8bcf242ebcbdba9f1f22d57a8
    SHA1: 79bfc567f9a91202d32f307f17f7fc283c7c21c3
    SHA256: f5f73b1e4dde8952dcbcf72524e4ecf66e113e1b24ee8b678e8c1cc0698266cd
    SHA512: b556ace6f6af3fddcf2370d0da0db64be99f2925f90e1e44308d9a18464b5cbb657fc31b6d779b70022d9a07c1820c0733271bf1a0ef23928b73dc12234356ab

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 1KB
    MD5: 794ac7aa1f221149c21262dc9dae5009
    SHA1: 39426073556bbc56d2e9dab663f4a66e249562c6
    SHA256: 41638c0cacd761a8bd4fc53a2da6dad132d3a8b5a6a08c5dc40dae46bcd94e29
    SHA512: 89279297a3f2db44ed7a5aa5d118b3b649c90a869333dbf201fbd7023ec9ea82b512a14e1d8c3948f5413c2084c8441a77270432ecdb0849666efd13822f3a62

  • F:\AUTORUN.INF
    Filesize: 145B
    MD5: ca13857b2fd3895a39f09d9dde3cca97
    SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
    SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
    SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe
    Filesize: 516KB
    MD5: b3e12127b76ce34e00b09e1afc4360c2
    SHA1: 9c90473a5cf95c8bc30390f593ffaa95a617301c
    SHA256: 41e253056520087685c68a854acd8a18f0a4fe13182a0c7e2030470545adc927
    SHA512: cd62026164ddd579e09a8a38b374c4e233b1f38ca8a1d4bd111bb5aa26487a5e40d77e8dbe1d0113a478772cfe305d2d7a5e77beaaa227c564a93f3d92e0cb03

  • \Windows\SysWOW64\HelpMe.exe
    Filesize: 516KB
    MD5: fe4a5b4dc878b26bc53841ea105ab102
    SHA1: a4f55846d83290e45c8d05007d96d16ff1df02cd
    SHA256: 7dc17b8cdb35e0d5b18b07fb3530b0fceadf5cf245de5343169d1cd6689af283
    SHA512: ce6e264b5f87f55a9f22113ed97fc880ae6e20f82949da21a81bf79f1914a2eda601440040b16659177c9d49f9cfa846e9319b8c7c0cffc7312edcf21b2f7d14

  • memory/2024-10-0x00000000002E0000-0x00000000002E1000-memory.dmp
    Filesize: 4KB

  • memory/2072-1-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB