Analysis

  • max time kernel
    115s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/09/2024, 23:58

General

  • Target

    e3f84259e31817c4b23b46af4c4f8f73d26f205af4ad1f6acbda430baaf53969N.exe

  • Size

    3.3MB

  • MD5

    ce0cfa774b5453a216b53a6cdf7241b0

  • SHA1

    3600aa18d9f92eaffd7dea724d5f008bdf0b61ab

  • SHA256

    e3f84259e31817c4b23b46af4c4f8f73d26f205af4ad1f6acbda430baaf53969

  • SHA512

    046fc8001698df63988bc9b413bb864ffa2db2fc807ba6de616d393c19c3008a19bae5af183e6ae285088166ddfdd68e98ebb4f1559b4877b5b55bd3c116e605

  • SSDEEP

    24576:5MMpXS0hN0V0HYSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Nf:qwi0L0q1piyx5W1

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3f84259e31817c4b23b46af4c4f8f73d26f205af4ad1f6acbda430baaf53969N.exe
    "C:\Users\Admin\AppData\Local\Temp\e3f84259e31817c4b23b46af4c4f8f73d26f205af4ad1f6acbda430baaf53969N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1596

Network

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.exe

          Filesize

          3.3MB

          MD5

          3053919d56e913a4b8b05f8d00495f24

          SHA1

          5fda9746cd4b6333d8817fbffce83fb02ba8ce93

          SHA256

          90c11217aa4d23eba63bdea39cbec7a01fd609f00ad1295f3c2dff01e770f2f8

          SHA512

          7b8c2606400787bde48aa7a87660d3b6dd361174a7b67d0de99327f90c0467bb5e40c3343e4ec4611191fa4a3b5ccb8ae9606f5867b09a8e5b948f9298b67356

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          e35eb0f0a0842f0a4e4ee35d2c210e81

          SHA1

          1f0c779d91f2b3e2f1c45313744d39f2e2e36b06

          SHA256

          986e65af59f0ef20b2e31015406e5fcbd2a202ff523f3618f61802cf31292a69

          SHA512

          bb22a9b3f46fe8b21b97b57eda1d68108d541bacde8fd790f7c714722384eba39aeadc276ce24ca7008b47c345f8b07b16bf640f27ca98f9838eefdfe832efba

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          950B

          MD5

          914b9f950fbbb66b7943c49fe7ad209b

          SHA1

          89959b46090317805182a019d994a1b7e945f043

          SHA256

          f09c049ed53237cc0303bfe92cbb34752af0c56157adff9b784c919c02abfb0d

          SHA512

          305724a5c87e54afca02a2bcf92e85e16f5ca0b95d0ced8181d86e00e744329023d07c580295518b695f3197430635f8345de70831f377b3f717300875dc4d3f

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          3.3MB

          MD5

          ce0cfa774b5453a216b53a6cdf7241b0

          SHA1

          3600aa18d9f92eaffd7dea724d5f008bdf0b61ab

          SHA256

          e3f84259e31817c4b23b46af4c4f8f73d26f205af4ad1f6acbda430baaf53969

          SHA512

          046fc8001698df63988bc9b413bb864ffa2db2fc807ba6de616d393c19c3008a19bae5af183e6ae285088166ddfdd68e98ebb4f1559b4877b5b55bd3c116e605

        • \Windows\SysWOW64\HelpMe.exe

          Filesize

          3.0MB

          MD5

          be89d2050f52e31ccb97e942f6986d67

          SHA1

          b843c9b6e67a7915d555298827ae5887637e632b

          SHA256

          226bdff312854ab8975b430130aceccdf6c0802e7ef1f2a37892a447feb1f7d4

          SHA512

          e43936db01290a33df2aa7e557d6a3ae9fe910080b8e8a7730be1c31de0ea0fdb3ee952ac1d25e4393cb22fdc9477d8e586652f05c970250285d9cc424e58956

        • memory/1596-10-0x00000000003A0000-0x00000000003A1000-memory.dmp

          Filesize

          4KB

        • memory/1848-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

          Filesize

          4KB