Analysis

  • max time kernel: 146s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 15-03-2024 01:30

General

  • Target: ca228795e828f8502ef63d1eb3e010cd.exe
  • Size: 2.2MB
  • MD5: ca228795e828f8502ef63d1eb3e010cd
  • SHA1: 8e83715b82711016200693d7308052b78fd01ae5
  • SHA256: c85e9d8b5ad00bee5d4252f36f6596391df2ad2183fec93495086bedff7d971e
  • SHA512: db9a32ead99eff1daf0a8fd2da1c2cfd980bb7a2f9584072f5e532d98d141819fd11230cf864cdba7cef17a8244abb209b88280a72f4b90c95ac6984c2666a96
  • SSDEEP: 6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvR+/WOcPf7SLrffMWC:5MMpXKb0hNGh1kG0HWnALb+/KUgWC

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca228795e828f8502ef63d1eb3e010cd.exe
    "C:\Users\Admin\AppData\Local\Temp\ca228795e828f8502ef63d1eb3e010cd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3787592910-3720486031-2929222812-1000\desktop.ini.exe
    Filesize: 2.2MB
    MD5: 724f645c62df9303a174a6ee5a6144ef
    SHA1: abd5c181aaf2b7dbcf44d48eb64fd503b9758de1
    SHA256: 7fda5a57f6b9b23986fb2f40d19b13cfeaf0b575101f5b7268a336d3b7df47ce
    SHA512: 4523855dfe9ba18cc678532f0096fab7fdc578ada90f012eeb3126301e618425bb09c9c7a05088d9f792b4ac2168831e29833535dd9b5863191bbe8618bf3948

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 1KB
    MD5: 4d31fb3a1b4166b9fd0cc6aed84fcc2c
    SHA1: 40fab1f14920e920fd3a2e35953645c4b51ad5ef
    SHA256: 15f9523af8291dde2b5769270879a1acb375e7610e5c09725ea5559a106c6f73
    SHA512: daf857979eaf92370cabc3e191586ede0ff3b45eb3f3549ada7538e5923da87286da585dd0c894f36ec0f1911d73d85c082d1c77dc1a4a9bfc24fe30de2da42a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 1KB
    MD5: 6a3d694a6872387361f04ffa7b3bfe50
    SHA1: dcc10989f7062ad5fc404b5ed211e26b44ecaa0f
    SHA256: be2eff777d1f266d80ba228a8a61ab99ee019846b679442388abb8f1c7f45952
    SHA512: 663b81fd8a7aa36cfc6a0820c97e5a5561a27631f52b93b703b0f5714f91f02abffc6b0fe0e1d879a0e1dbb08a9d39fa40e44d5ac944c9a08f144241f4032e19

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 954B
    MD5: 616c34d878c7311d94317b0bc782826e
    SHA1: 0acb4de5a810d4910180148d73af9697d6b00b16
    SHA256: 7fdbc5ca89cb8f39f82be92897791f02927e90174f128305e0142754fd1921c0
    SHA512: e7c534384d45215744fd9ab8adcb8c14324bf0a2257b15430cc61d90689c2c2cac7438f6b5698fb767b5bc3ee27bff4a09d0e8f403499fcfdf0d22c74598a858

  • F:\AUTORUN.INF
    Filesize: 145B
    MD5: ca13857b2fd3895a39f09d9dde3cca97
    SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
    SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
    SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe
    Filesize: 2.2MB
    MD5: ca228795e828f8502ef63d1eb3e010cd
    SHA1: 8e83715b82711016200693d7308052b78fd01ae5
    SHA256: c85e9d8b5ad00bee5d4252f36f6596391df2ad2183fec93495086bedff7d971e
    SHA512: db9a32ead99eff1daf0a8fd2da1c2cfd980bb7a2f9584072f5e532d98d141819fd11230cf864cdba7cef17a8244abb209b88280a72f4b90c95ac6984c2666a96

  • \Windows\SysWOW64\HelpMe.exe
    Filesize: 2.2MB
    MD5: df0f12e033829ca89bedcbce612651c6
    SHA1: 29978392a30e5ca702d2a4aeb50e82ad3850f56d
    SHA256: fbc226d92ee36bbabc0d70896809461eded64ab2fc58c6eab236c73b25fdf9e1
    SHA512: 446424aab66ba0addd006099859d263f1f4631a4757a0f72b6e0ec1b0bdc2b65a9c3627803a646bf3506f4e6311be3e456a73fb77d3c9f7e9bf278cecf6c75d2

  • memory/2100-0-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB

  • memory/2100-77-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize: 4KB

  • memory/2236-9-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize: 4KB