3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157

Analysis

max time kernel
187s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-07-2022 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
Size

690KB
MD5

05fd27db47dabe28246f7749e8d48bf0
SHA1

9501a3d42ae13d2574e36ef1517d7cc471cc576b
SHA256

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157
SHA512

dab21f22abc846fffce3b23b5a174d28bc1c90aa8190f8d9077ae534c6e3b80df34abb24523a1dfa0f910184f728fa5cd911b0f528f30a56aa70e3e2ea0f62f9

Score

10^/10

aspackv2 persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\Windows\SysWOW64\HelpMe.exe	aspack_v212_v242
C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe	aspack_v212_v242
C:\AutoRun.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

1636 HelpMe.exe

pid	process
1636	HelpMe.exe

Drops startup file 3 IoCs

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\L:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\S:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\I:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\Q:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\U:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\H:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\E:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\R:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\T:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\Y:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\A:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\F:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\M:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\W:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\K:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\P:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\X:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\Z:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\J:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\N:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\O:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\G:	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\et.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\History.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.exe	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe

description	pid	process	target process
PID 1092 wrote to memory of 1636	1092	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe	HelpMe.exe
PID 1092 wrote to memory of 1636	1092	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe	HelpMe.exe
PID 1092 wrote to memory of 1636	1092	3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe
"C:\Users\Admin\AppData\Local\Temp\3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini.exe
Filesize
691KB

MD5
3c56a1a6c2aa0478e1579e43914b6948

SHA1
565aa7c27225ca234902e7506c96c774715112a9

SHA256
8d14bb89d045396f1606e4b52e88d47f66e51b7f065964e13d5824bbf5e7985f

SHA512
e334c3dcac330656765e55fb0f8565c22bab2a998063159eb637f559c732cd58504e7c4e879a3ae2fe6523758793be226296ffe0d944aad4591ade9ed33213e3

Download Submit
C:\AutoRun.exe
Filesize
690KB

MD5
05fd27db47dabe28246f7749e8d48bf0

SHA1
9501a3d42ae13d2574e36ef1517d7cc471cc576b

SHA256
3becff98c9a3e0d91076ad16ffd87780e5f7d697b70e8e7769c4be3f19104157

SHA512
dab21f22abc846fffce3b23b5a174d28bc1c90aa8190f8d9077ae534c6e3b80df34abb24523a1dfa0f910184f728fa5cd911b0f528f30a56aa70e3e2ea0f62f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
dcc356726c4f2e388f73056f3ac5f116

SHA1
dd8d7cca6aca39c09f4e79d6c56f82b9988d90a0

SHA256
997f7cdfe499c71c306f7ed14fb7761ed23a2b02aed6e832310d96373b05facd

SHA512
c93ad6031164e7767b97fee7822c543014747bc6c609d1ed498e368b9aa12ca54aa6bad10f56e3f07d53a07f714bd13c70775bef8ba1356c9338954290f8d1e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3d7ff8ed1a04cd5fb1b2cb391a90024f

SHA1
c16d0e94257f6030b080f94971e0d6143e910bc1

SHA256
b56cf96cdae09d94106a904f17130c2eb902112dbab0825c08b8b7eb8bff9026

SHA512
2e104da79b76242d643f9d8c2a113b740c9ad16a0fbd92840e397b1d57d0b1082c3e0e3e1306614e02e9573cb0c12c014e4e2c829dcdb780f5db9a87ff708d96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
5f9c5cf388fd6ff8e20f287921a2ea48

SHA1
f46544925bd8df735661e1260f68e035ea5106db

SHA256
e42edf3e5663020706d776ea612220ff60b85d20b7fd66d4df788ffad274abc8

SHA512
09bbb3010937beb663f9bae71bc94b51cb3a4fdf2dc5c5d4d2bde5423ae2ffddb55d13f7ed106c7a1c10c3b1c89a935c6990bd1c689b4abbaca8cf71a5e4e3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
1b072a416f203b9ee146c2b35e57df8b

SHA1
22dbf136cc9d406ba5c7afa480a69415550088b0

SHA256
8e7c9ac55589a38ec5d165b301e48c64c578897cf2175dd14d87ee59decb069b

SHA512
6f99836fd6a759a341a8fefa6f4250f3d1ae66e7816335eafbdfa7c1b552bfc37e216c78d8971f1fda6c2f62c593c08e937a9d64b7d79b76451b3a085920ce72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
df046d8d0cd5cba68cd6e74f27f074ca

SHA1
6e6cbc080e3f54c6afedc6376110dfaba2774e0b

SHA256
53a3c635226f154b03040bc767b78e86d872625802a0be45b3b1a07ff06baa97

SHA512
b8d1cdd7cedecf1ed18fc8c90f08491a938bcd558538f634187869ebba07643fdec43372a5484e27b4ead62db7feb09ac0d692233d326db27dbcda5fa26b8596

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
05c7835d8b292f659d305bd5fefbdfc3

SHA1
16bda19a3db22bbb952f8d2ad585e3f801b8f968

SHA256
9ebfc61e971642c4e11222591dc1536f908392fd16993bcf5746878264cdbab3

SHA512
a7ae222508092935eeef26004c5c49a5e50d1d8c4e87686c38209dab598b34c8d89c6cbac39e9a578cd04cb29d131d5675df8aec6543e9e2bd5d8860df2ea7b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
9c930626e7d3fb35216655eaa8822aa8

SHA1
2301fbdaf690e590bbeaf90cf5bf167e8dca2801

SHA256
83f1dbf89e92151c02ed277d8a9f1a4b76dc9c1d9f768833677814d8a4876fe2

SHA512
a750e0371fe8b89acda26a1df7b7a50f7348e5385cacadd2a7e963985898950d0ea21f979b5f453c3574d0acb20cf34016eac81c96061b4c6b452695ca1762b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
17fc287bcca6dc1836b3ba5d4301a1e2

SHA1
e0bf59e68ef9eb36745c9fe63d809734ab813682

SHA256
238bc5f08accb6901dd67d20108769119e96c0e4282b68d82cb99e726bcf0d38

SHA512
81fc343f5f8f086ffaf98be249bcc50876f73d00b6e93bbce131c02e3895181648e3d726e9e3d94edae251af4811a82ce40119ebb85dd1e82dc2a3f93e9a4ce2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a9143ad72fe716d349c5cdd6f2315d94

SHA1
318ea0a2c4bc6b52da913f43d29d20c65a80d25a

SHA256
3eceb193b25456d9512bf97d50a8b7ccc9097fb6bae73516dc59e7d3b890c057

SHA512
3a3b58f435e1a1ac1817aa87d2b2e5cd9a25d61f60eeceb5f0a2cba83de71fe81af9890463417c62976b93fbebff4cf94e987e754aee787e06ec16d01c91089d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
45b816e05e624ee6822362872779db7f

SHA1
45040625d1fea844b1c4e690f7edf2133614ee11

SHA256
645e883e303efa6502440f9d0c1565eae80c5c6ef8d3cedca7bec51947ed6d76

SHA512
7b170937026284fc3c90f19a15fe945d6dae041b305b7416b1dd23356925c7731f253edeb20afcc63cd0fb63a2fa1ecaa540ad65f5c3beaf37218d206d6fe119

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
7272532a971bbbc40e32264b1573208a

SHA1
d6075aa241628374ef3ac6019854cf26e91a3664

SHA256
d5d2ea00285744b982d7af951e24ad8af8689643524cbcddf9c90b7ad40f556f

SHA512
d48404682d0431b72f30a8c39e729438dedfb06fe4664d883784f98aee895d8856af069a37731e984b2fc409bec4326ad471430bfc70bc5edacd22e7f4b322ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
2ef4a21891d6769f9c310ecd54e01e73

SHA1
124135ba2884120fd935b812b76026f23a9dc654

SHA256
52d0ca8723f7eb68eebf9ec6404e136a653166c8abb16fbaa03ffc31ffcf938a

SHA512
c9e58ef167139a4d82cb70411338450d160c251fe9d77b36ad1d6a1c20d3637b4f1f04ed9746199e362c3a5f330791dc4f8528c2baf933d1121c55e7fce5f934

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
cd47da494744c86868c49c96b8cfb887

SHA1
70fbe912e66ef781fc3f6cec2915006783ddc61d

SHA256
cc6102e9e243b1f5c6ae34371217c3596cea954c7aaadae6dd101053dfc9bc5f

SHA512
f6160a05e6dd11f4433e017b9fcbd0a68d0b13fc71605868554bc903d09e48fbf42c7edbff8c7f7dcbe0784bb4a3b3fdab20a41dbeaacd1dc49a0f6247775257

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
8f0983155162145f70582dc6a678198d

SHA1
a913a4ead5e5762a829643c6e8494058078b5de1

SHA256
5e643429b442ee47a47c424694a0291795a9d3b0bab4cbd88edd5d663cc66ac3

SHA512
1dd65264c7cc804218ba662a39edc92a43bb41f85249bf5c012d7483ba2df8565184ea78429aa7c31d4745750e83e5c9f79744b31fdbf2a1de769af07a581275

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
788bf70369201976ce092b5e5d67cda7

SHA1
88d3d5adb67db904d7b9928430284b0b8f816aa5

SHA256
b640644460ec5a5e30c32e674195883a3c4d9b4e7a6b407fa6c0a2ba5190b726

SHA512
6f821d7c5786aa97ce1958c3f170a5d4bfef1806f8c4800d3cde597d4d3af276261b5977d23a37d786ea8b95456ea2c0995676c90cd1d60eeb860228aff4369d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b2a0fadcb71983b05c009130a7f54a35

SHA1
4b4baf8c4bf6fb6f5128ee7e5b9d493c708ea780

SHA256
2088c67c204daa29edece99733b4827b747b05be0bf4c101b569cc311f963eaa

SHA512
bca30de11a20d798011f2c8acd4b8a1e1e582a2b4fba9c058f002b229c4b6c52856301629be01db396f2b241a501c01ca9627360a8c859ae59aae50618a64e64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
b2a0fadcb71983b05c009130a7f54a35

SHA1
4b4baf8c4bf6fb6f5128ee7e5b9d493c708ea780

SHA256
2088c67c204daa29edece99733b4827b747b05be0bf4c101b569cc311f963eaa

SHA512
bca30de11a20d798011f2c8acd4b8a1e1e582a2b4fba9c058f002b229c4b6c52856301629be01db396f2b241a501c01ca9627360a8c859ae59aae50618a64e64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
3984531c274a7f2dcd5450b587f951ef

SHA1
b50fd78667837958610c2be4ffeccc93fe1f37e5

SHA256
b2750bb2110c21db2283718ade98a331faade68c4f318b0df0660eae7c331ca0

SHA512
9294091608fe76ede1aff4e209febd39e6d2997e0b15127c4970465112b6f1e7d850b86ef24d655d59960246dba896de55d0946323eda2f69aa3a48639b85b77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
32fa2c9de5fc91222c0d36f9587961ac

SHA1
01bd43a109e7452596bc4e41e41ecf739d1b46ae

SHA256
7ab41137467085ea1dca5c88905f394feab9a21074a59fdb7fd5603a3da04da9

SHA512
c957c6a48a6dca51ae1f038202ae2c15fc62d5e16bbae5a11daf12141bdf0b98bba26b2441f30e1d38ec40131795b22544795396ee4dd2f5eab452901a2d99e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
17860013f0e70e04c571ddf16c9f4fe4

SHA1
8a0edb69bf41454770a705637516c9cb8f641fe2

SHA256
a2dc54c7a3bd128e9808c35a78237a2393fa0800b61fc774d87b0a635db333a4

SHA512
db6182b9c18d9959dcc99caeafa4dcc03369d4d23b8d36ee92b2431b6648b6469641c5a08f987c80c6c863e8e1d75b553ea1444109f22f8c2ea5cf369eba13b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
db5e18f79152455206007e03ca48ba90

SHA1
daece17daa5fef6217fcf7234aecee1d22a0e828

SHA256
5843a9f183e0db937fb0cd6c8bff8da82534fdb8f0de559131ac3713c55999ea

SHA512
68168dd828585e55195760ce602ae79e43ecc9652b26ed755ff2c78a746f61c0b6538df7a446ce80fba91f4345b223d0e8fadce57226d162d400eaee8e2db695

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1023B

MD5
29d6291cf769c9140afa1095f1ea81d8

SHA1
cd55b67fde096a90ecdd5024ff9a4dfb1ecaa262

SHA256
3201a1e8c0b7ec8c6cc855186ec9c62bd8ec8854cecb8df2dfb813a7fb68487b

SHA512
401fa1f04f03dfe9e6385512d76371a125a6c48d7743218bbd352ea517f1336613c82d16f5b5fe722656003cd8d02be6a111d490bc58fa0997c94ea861605b49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
0a79c23184f1ec3d2e5cfb82c069e00e

SHA1
61b4230e420dc7a18fa6281554c7e4d33595fdee

SHA256
379d933a9c6bfb90c7f13bfbca760e5f56a2a7ecd7e571a9b090e188ba3145ae

SHA512
468cc3d5507454187bfdd7f9f2ba59b70bdc8cbeeb61eb0d2602fae5cb967acc2d7dea2fa1eb1727f3ca8dbec79a68d55113bbc2566b437e081266d08361d640

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
690KB

MD5
9852cdf393e138bafa1eb17ad07a1c02

SHA1
2f7ed34abe320e9e699f67b9832486b9c71359f6

SHA256
80d0b9e741d19b1fd68043e01c0a6f5c5d8966e08993ddd807888d51f5bc2986

SHA512
13a301a9fe1e80cd08b841b55bb4a08c299d4296af6709dcfff82449d1f9fb3420e216c086547f40e5f7c631815409ebdeca5569f3d41aeb9c899c81103e73eb

Download Submit
C:\Windows\SysWOW64\HelpMe.exe
Filesize
690KB

MD5
9852cdf393e138bafa1eb17ad07a1c02

SHA1
2f7ed34abe320e9e699f67b9832486b9c71359f6

SHA256
80d0b9e741d19b1fd68043e01c0a6f5c5d8966e08993ddd807888d51f5bc2986

SHA512
13a301a9fe1e80cd08b841b55bb4a08c299d4296af6709dcfff82449d1f9fb3420e216c086547f40e5f7c631815409ebdeca5569f3d41aeb9c899c81103e73eb

Download Submit
memory/1636-130-0x0000000000000000-mapping.dmp

Download