bb62cacb307f74c1b3c29fc6b878c2ca3f243808a846bf7ba4e5d2eb7691f0d4

General

Target

f8284b3f320cc80e70e3b01c476da012.exe
Size

316KB
MD5

f8284b3f320cc80e70e3b01c476da012
SHA1

22f630a082d927c357723a43471df1fc985d87cc
SHA256

bb62cacb307f74c1b3c29fc6b878c2ca3f243808a846bf7ba4e5d2eb7691f0d4
SHA512

1c917a4abcef6691972da7c7e0ec152d90427557703662df53daa52b37ef28ae453b4c62249b1e1ae7127a57716356b42d1f15035b815837d085d4e6fd68270f

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

HelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\notepad.exe.exe	aspack_v212_v242
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

4156 HelpMe.exe

pid	process
4156	HelpMe.exe

Drops startup file 2 IoCs

Processes:

HelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HelpMe.exe

description	ioc	process
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 6 IoCs

Processes:

f8284b3f320cc80e70e3b01c476da012.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	f8284b3f320cc80e70e3b01c476da012.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	f8284b3f320cc80e70e3b01c476da012.exe
File opened for modification	C:\Windows\SysWOW64\notepad.exe.exe	f8284b3f320cc80e70e3b01c476da012.exe

Drops file in Program Files directory 2 IoCs

Processes:

HelpMe.exef8284b3f320cc80e70e3b01c476da012.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	HelpMe.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	f8284b3f320cc80e70e3b01c476da012.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

HelpMe.exef8284b3f320cc80e70e3b01c476da012.exe

pid process

4156 HelpMe.exe
4156 HelpMe.exe
4804 f8284b3f320cc80e70e3b01c476da012.exe
4804 f8284b3f320cc80e70e3b01c476da012.exe

pid	process
4156	HelpMe.exe
4156	HelpMe.exe
4804	f8284b3f320cc80e70e3b01c476da012.exe
4804	f8284b3f320cc80e70e3b01c476da012.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f8284b3f320cc80e70e3b01c476da012.exe

description	pid	process	target process
PID 4804 wrote to memory of 4156	4804	f8284b3f320cc80e70e3b01c476da012.exe	HelpMe.exe
PID 4804 wrote to memory of 4156	4804	f8284b3f320cc80e70e3b01c476da012.exe	HelpMe.exe
PID 4804 wrote to memory of 4156	4804	f8284b3f320cc80e70e3b01c476da012.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\f8284b3f320cc80e70e3b01c476da012.exe
"C:\Users\Admin\AppData\Local\Temp\f8284b3f320cc80e70e3b01c476da012.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4156

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini.exe
MD5
88eb8c9b7489bf856b43315f9ed0b534

SHA1
40fb90960e13c7098cf822e6d670476ff0732455

SHA256
7a9134e8f57191533f3784307f6c07a86ab4b94fb36ccaab5e9e49e965b13ac6

SHA512
f4332a75a7048766678eff2afa51cee6ec60f61f63539eb7e1c4d9fc6365da48cb50f5dfde78ca0062e4bff2d99414a61d5c054e8349789815d10855ffddc8cf

Download Submit
C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe
MD5
a270ecb5d2829a3594310d67cf8dd5cb

SHA1
1f8ec35e9277a544e9cc040a4876fbb25d7848b0

SHA256
3df290bd47320d4fcabacc5f492f3282b891573ee1b65d04a596234262cb8474

SHA512
4b11aa527f66ac902a35241ba450d6225aec0a82f178554254a2152422c44203e6c617754de9ea56fff00d24d4cefa19e91c3c489bde4e078547e64bc0688447

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
MD5
8133b3e4b12a42133167c4d5f2591415

SHA1
4b89ae560fc5d50359aa2f226db7aefe3441fbca

SHA256
9cef339a376022ddf7476594bf458c842dfd71f7dcab94427674c0b08bd29377

SHA512
cb657bb3b9f726af7ebcadcf1697e5768f42eafb74202c510a54e408d1fe697308d0c901ad5488116c5ca9056ef2d0381ef7a33ab73a200bae7a1ea0c3cbf1a8

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
MD5
8133b3e4b12a42133167c4d5f2591415

SHA1
4b89ae560fc5d50359aa2f226db7aefe3441fbca

SHA256
9cef339a376022ddf7476594bf458c842dfd71f7dcab94427674c0b08bd29377

SHA512
cb657bb3b9f726af7ebcadcf1697e5768f42eafb74202c510a54e408d1fe697308d0c901ad5488116c5ca9056ef2d0381ef7a33ab73a200bae7a1ea0c3cbf1a8

Download Submit
C:\Windows\SysWOW64\notepad.exe.exe
MD5
e4188c8870ffa4983b5a90c427849daa

SHA1
e93f7c65e7fa3af65b21a28530063bd03c84857b

SHA256
3558236d8b33ce3327e92eb1de118f5e10099a99bbc7e2973a1149d75a63aa1a

SHA512
d06bb22842566616f2019174aeb806cd1c4cef751c51fb40548120d529d265915d1c8cc3c763edaca96224bacf501ba0868e2f41352d71cbe72fd43a7128f047

Download Submit
memory/4156-2-0x0000000000000000-mapping.dmp

Download
memory/4156-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/4156-6-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/4804-8-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/4804-7-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads