7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466

Analysis

max time kernel
1797s
max time network
1558s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
Size

716KB
MD5

cc3f68e8a50b05aa77d88b6119583b9e
SHA1

71c7b93a8947265fe30e6928730504a5456ca788
SHA256

1dd70e803623d5311b71129976710b11a8942d206a5d8d86cdf8417255f15725
SHA512

e4fe7c8ec1d88c0bc81834de0a1212902849d7c9f6228e26fb8aaf3f046011f934d6de01becb339ab88169533ff8dc0d6fad7d6d7ff7e956e408242a21809e55
SSDEEP

12288:ZMMpXKb0hNGh1kG0HWnAsaHy41Dxm1zRRaMMMMM2MMMMMu:ZMMpXS0hN0V0HYah1I1zRRaMMMMM2MMd

Score

10^/10

aspackv2 persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral12/files/0x000500000001a452-4.dat	aspack_v212_v242
behavioral12/files/0x000500000001a475-38.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\P:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\Q:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\V:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\B:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\L:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\N:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\S:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\U:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\R:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\Y:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\Z:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\E:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\G:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\I:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\K:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\O:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\X:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\A:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\J:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\M:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\T:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened (read-only)	\??\W:	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened for modification	C:\AUTORUN.INF	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2368	1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe

C:\Users\Admin\AppData\Local\Temp\1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe
"C:\Users\Admin\AppData\Local\Temp\1DD70E803623D5311B71129976710B11A8942D206A5D8D86CDF8417255F15725.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini.exe

Filesize
716KB

MD5
cf86111c648bc631d3a494dcafaf8f83

SHA1
a2366c519105d060b11295b2037a9a51f942655f

SHA256
0b9afdccc1a62c283e429babbc6a17a7a290f463db1979177b6f64376ab5dad0

SHA512
a8d362eb363cdcacf4574c9b22327b08b532d5aa2f96ddd9c0775ea6ee784e854927425cd9c8ca3a022cebec95dac45e7dce76f74161d4c6ca2f49c10a2d19eb

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

Filesize
1.5MB

MD5
00709f631c95c65bcb892ceb77cdf1b3

SHA1
b96b206680bc2e6de481dc4766e97940390209d7

SHA256
1f4e8b11cd9ae6c43309a6ad5e8e831c86672e4399470ce4c669e8e3f366ebd6

SHA512
c568eab6a79d94817058d10474ab088329857cd5dba3144ce1f8d59889a2d6586a3a5729df4e4c429ef6164e9f2ccff0c578a5364eb621923d31f4d54f6f207d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
17d1d3a3620bbcd2ce7cf43dee67725c

SHA1
9e3f58761bfd594e6daf723efa70d8165659c100

SHA256
ff680f2c2341de9b07ac1c6b303aab76d8c06b5c0bb01823446d007c61a60cf4

SHA512
531228a7fc184083b72668a52dc6b368dcfb0df6673f817b149892ee2b9d2f0a8ae1569070693ef200128cdda6cb2529b160846a82834eebece52d0aca3ad172

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
memory/2368-6-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2368-227-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-230-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-233-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-237-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-240-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-243-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-246-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-249-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-252-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-255-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-257-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-261-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-264-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-267-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-270-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-273-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-276-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-278-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-282-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-285-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-288-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-290-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-294-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-297-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-300-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-303-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-306-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-309-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-311-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-315-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-318-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-321-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-323-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-327-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-330-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-332-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-336-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-339-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-342-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-344-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-348-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-351-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-353-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-356-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-360-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-363-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-365-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-369-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-372-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-375-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-377-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-381-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-384-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-386-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-389-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-393-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-396-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-398-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-402-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-405-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-407-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-410-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-414-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2368-417-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download