Analysis

- max time kernel: 146s
- max time network: 104s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-12-2020 17:13
Tasks

| Task | Type | Sample | Resource |
| --- | --- | --- | --- |
| static1 | Static task | | |
| behavioral1 | Behavioral task | f8284b3f320cc80e70e3b01c476da012.exe | win7v20201028 |
| behavioral2 | Behavioral task | f8284b3f320cc80e70e3b01c476da012.exe | win10v20201028 |
General

- Target: f8284b3f320cc80e70e3b01c476da012.exe
- Size: 316KB
- MD5: f8284b3f320cc80e70e3b01c476da012
- SHA1: 22f630a082d927c357723a43471df1fc985d87cc
- SHA256: bb62cacb307f74c1b3c29fc6b878c2ca3f243808a846bf7ba4e5d2eb7691f0d4
- SHA512: 1c917a4abcef6691972da7c7e0ec152d90427557703662df53daa52b37ef28ae453b4c62249b1e1ae7127a57716356b42d1f15035b815837d085d4e6fd68270f
Malware Config
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)

| Description | IoC | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe |
- YARA rule matches on dropped files

| Resource | YARA rule |
| --- | --- |
| C:\Windows\SysWOW64\HelpMe.exe | aspack_v212_v242 |
| C:\Windows\SysWOW64\HelpMe.exe | aspack_v212_v242 |
| C:\Windows\SysWOW64\notepad.exe.exe | aspack_v212_v242 |
| C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | aspack_v212_v242 |
| C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini.exe | aspack_v212_v242 |
- Executes dropped EXE (1 IoC)

| PID | Process |
| --- | --- |
| 4156 | HelpMe.exe |
- Drops startup file (2 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe |
- Enumerates connected drives (3 TTPs, 24 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

HelpMe.exe opened the following drive roots read-only (File opened (read-only), in the order reported): \??\I:, \??\P:, \??\V:, \??\W:, \??\Q:, \??\S:, \??\B:, \??\E:, \??\F:, \??\H:, \??\K:, \??\O:, \??\U:, \??\A:, \??\G:, \??\J:, \??\M:, \??\X:, \??\L:, \??\N:, \??\R:, \??\T:, \??\Y:, \??\Z:
- Drops autorun.inf file (1 TTP)

Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory (6 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| File created | C:\Windows\SysWOW64\HelpMe.exe | f8284b3f320cc80e70e3b01c476da012.exe |
| File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe |
| File created | C:\Windows\SysWOW64\notepad.exe.exe | HelpMe.exe |
| File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | f8284b3f320cc80e70e3b01c476da012.exe |
| File opened for modification | C:\Windows\SysWOW64\notepad.exe.exe | f8284b3f320cc80e70e3b01c476da012.exe |
- Drops file in Program Files directory (2 IoCs)

| Description | IoC | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | HelpMe.exe |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | f8284b3f320cc80e70e3b01c476da012.exe |
- Suspicious behavior: EnumeratesProcesses (4 IoCs)

| PID | Process |
| --- | --- |
| 4156 | HelpMe.exe |
| 4156 | HelpMe.exe |
| 4804 | f8284b3f320cc80e70e3b01c476da012.exe |
| 4804 | f8284b3f320cc80e70e3b01c476da012.exe |
- Suspicious use of WriteProcessMemory (3 IoCs)

| Description | PID | Process | Target process |
| --- | --- | --- | --- |
| PID 4804 wrote to memory of 4156 | 4804 | f8284b3f320cc80e70e3b01c476da012.exe | HelpMe.exe |
| PID 4804 wrote to memory of 4156 | 4804 | f8284b3f320cc80e70e3b01c476da012.exe | HelpMe.exe |
| PID 4804 wrote to memory of 4156 | 4804 | f8284b3f320cc80e70e3b01c476da012.exe | HelpMe.exe |
Processes

1. C:\Users\Admin\AppData\Local\Temp\f8284b3f320cc80e70e3b01c476da012.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f8284b3f320cc80e70e3b01c476da012.exe"
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\HelpMe.exe (child of process 1)
      Command line: C:\Windows\system32\HelpMe.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Drops startup file
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini.exe
  - MD5: 88eb8c9b7489bf856b43315f9ed0b534
  - SHA1: 40fb90960e13c7098cf822e6d670476ff0732455
  - SHA256: 7a9134e8f57191533f3784307f6c07a86ab4b94fb36ccaab5e9e49e965b13ac6
  - SHA512: f4332a75a7048766678eff2afa51cee6ec60f61f63539eb7e1c4d9fc6365da48cb50f5dfde78ca0062e4bff2d99414a61d5c054e8349789815d10855ffddc8cf

- C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
  - MD5: a270ecb5d2829a3594310d67cf8dd5cb
  - SHA1: 1f8ec35e9277a544e9cc040a4876fbb25d7848b0
  - SHA256: 3df290bd47320d4fcabacc5f492f3282b891573ee1b65d04a596234262cb8474
  - SHA512: 4b11aa527f66ac902a35241ba450d6225aec0a82f178554254a2152422c44203e6c617754de9ea56fff00d24d4cefa19e91c3c489bde4e078547e64bc0688447

- C:\Windows\SysWOW64\HelpMe.exe
  - MD5: 8133b3e4b12a42133167c4d5f2591415
  - SHA1: 4b89ae560fc5d50359aa2f226db7aefe3441fbca
  - SHA256: 9cef339a376022ddf7476594bf458c842dfd71f7dcab94427674c0b08bd29377
  - SHA512: cb657bb3b9f726af7ebcadcf1697e5768f42eafb74202c510a54e408d1fe697308d0c901ad5488116c5ca9056ef2d0381ef7a33ab73a200bae7a1ea0c3cbf1a8

- C:\Windows\SysWOW64\notepad.exe.exe
  - MD5: e4188c8870ffa4983b5a90c427849daa
  - SHA1: e93f7c65e7fa3af65b21a28530063bd03c84857b
  - SHA256: 3558236d8b33ce3327e92eb1de118f5e10099a99bbc7e2973a1149d75a63aa1a
  - SHA512: d06bb22842566616f2019174aeb806cd1c4cef751c51fb40548120d529d265915d1c8cc3c763edaca96224bacf501ba0868e2f41352d71cbe72fd43a7128f047