2497676cc466ed3ec9d862a92d96c53941cfe40f00574908a447dec02eaeec8d

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7675fd593ef2c42942787ebf9f35b1a.exe
Size

274KB
MD5

d7675fd593ef2c42942787ebf9f35b1a
SHA1

a24022f1e69eb487c313d47b9308e41d4d9e79a4
SHA256

2497676cc466ed3ec9d862a92d96c53941cfe40f00574908a447dec02eaeec8d
SHA512

a7fca31263e0eda569c512ba4b459f68dc80a5ee2ba5f7e7b0589d2540f7d2365aab03ee09ae4b0dd9ddc9bf52036bfb75676e97972108616cea562c7fa2d2c8
SSDEEP

6144:riMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyAp08Y:ZMMpXKb0hNGh1kG0HWnAO

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	d7675fd593ef2c42942787ebf9f35b1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b000000013a88-7.dat	aspack_v212_v242
behavioral1/files/0x0035000000015d39-38.dat	aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	d7675fd593ef2c42942787ebf9f35b1a.exe

Executes dropped EXE 1 IoCs

pid	Process
1588	HelpMe.exe

Loads dropped DLL 31 IoCs

pid	Process
2768	d7675fd593ef2c42942787ebf9f35b1a.exe
2768	d7675fd593ef2c42942787ebf9f35b1a.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe
1588	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\O:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\Q:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\W:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\K:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\P:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\V:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\I:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\J:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\M:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\Y:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\E:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\L:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\S:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\N:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\R:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\T:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\U:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\Z:	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened (read-only)	\??\L:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened for modification	C:\AUTORUN.INF	d7675fd593ef2c42942787ebf9f35b1a.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	d7675fd593ef2c42942787ebf9f35b1a.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 1588	2768	d7675fd593ef2c42942787ebf9f35b1a.exe	28
PID 2768 wrote to memory of 1588	2768	d7675fd593ef2c42942787ebf9f35b1a.exe	28
PID 2768 wrote to memory of 1588	2768	d7675fd593ef2c42942787ebf9f35b1a.exe	28
PID 2768 wrote to memory of 1588	2768	d7675fd593ef2c42942787ebf9f35b1a.exe	28

C:\Users\Admin\AppData\Local\Temp\d7675fd593ef2c42942787ebf9f35b1a.exe
"C:\Users\Admin\AppData\Local\Temp\d7675fd593ef2c42942787ebf9f35b1a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

Filesize
275KB

MD5
b2afe012a69d3ddf132e9885a4c545e3

SHA1
65c758128251be054a99568f73a2872a5c257353

SHA256
bc2d022b0621d5b550c2551fb24109434069a720a763f6e6dac1ad0968a651cb

SHA512
307f7bb2e34ddbfaa28f80d4a197e6d3b4e2d20011ab7ca8fb213aecf05f02e7d7efa91e6e1ff3d16edd7ae789859cb54ecfad65a3410357b0e303f8b40a1584

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
464ad26b04a22860cd73ed5d77d21b0a

SHA1
e9bb913159f7df2a739074d22b832116a986e013

SHA256
02396a1692316c84440060799f82a6eea9c193a510c778194f604f6d60b69eae

SHA512
081966691731cd9527ec2ec19ad7ca81c7f51ee4c1fd2a1844337a805fb9a3edb95b3a9304eae381ad0d7ab17493b286324051e0dd76002b88660418098e00ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
f65149eb1f585e8703b026e1cba5ced1

SHA1
4493dc1be12a67ed8e8b45c644da8ac117520f5c

SHA256
3e4160c1f84c08e3e8f99b1a779eba095d592a31b73dd8d33a77bd287985a2fd

SHA512
af04869038cca15ac2eb9f6ecc01cf737a54e2120371103adfd27ee383d621199838897dd01ddebd85430550853dda8e7793376dcfe42fc0a6e376e9b82512cf

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
273KB

MD5
2a38138ec8863c64692be7931e0219b1

SHA1
aa4fc2a216226d8701f87d35fbabad737f58a340

SHA256
35750725047b846160521163bb8d75cbf6268751e0fd056f3dd7b522bcb87413

SHA512
865611833f67a9a9f5563ee414512a6a53d843a4d2b944c6d833e6525f4831fc8fc3fd86e29dae76dbf856ebd240816477b730c525ad3a52cb8a5d94e2e299d9

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
274KB

MD5
d7675fd593ef2c42942787ebf9f35b1a

SHA1
a24022f1e69eb487c313d47b9308e41d4d9e79a4

SHA256
2497676cc466ed3ec9d862a92d96c53941cfe40f00574908a447dec02eaeec8d

SHA512
a7fca31263e0eda569c512ba4b459f68dc80a5ee2ba5f7e7b0589d2540f7d2365aab03ee09ae4b0dd9ddc9bf52036bfb75676e97972108616cea562c7fa2d2c8

Download Submit
memory/1588-231-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-255-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-364-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-305-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-358-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-243-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-352-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1588-346-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-269-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-340-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-281-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-329-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-293-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1588-317-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-230-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-316-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-304-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-328-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-292-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-339-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-280-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-344-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-268-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-351-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-254-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-357-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-242-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-363-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2768-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads