f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7

Analysis

max time kernel
189s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe
Size

440KB
MD5

7072bf381660ae357c61793d5c479700
SHA1

51b273858735fe2b23c2e56456f72bf9039f5e1a
SHA256

f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7
SHA512

db441cf5ac412a8df6eb51edf33c58ba59398312cfd07810c446dd11150f578e0522c25ec6a8fb13373692314954b67d6d9533d39f1cf312de151fc614df8e6d
SSDEEP

6144:k82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBilu:Cp4pNfz3ymJnJ8QCFkxCaQTOl2u

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
3836	HelpMe.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\F:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_elf.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\ado\msado15.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\verify.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jfxrt.jar.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font_t2k.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\ado\msado25.tlb.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\msxactps.dll.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\sawindbg.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\deployJava1.dll.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_pt_BR.properties.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ca.pak.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ja.pak.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.exe	HelpMe.exe
File created	C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\w2k_lsa_auth.dll.exe	HelpMe.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2native.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\el.pak.exe	HelpMe.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fi.pak.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c.exe	HelpMe.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dcpr.dll.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu.xml.exe	HelpMe.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.exe	HelpMe.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
456	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe
456	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3836	456	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe	81
PID 456 wrote to memory of 3836	456	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe	81
PID 456 wrote to memory of 3836	456	f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe	81

C:\Users\Admin\AppData\Local\Temp\f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe
"C:\Users\Admin\AppData\Local\Temp\f641d4e36be88ba77ab876cf53c8b65602d43fa93560f128a8ccf48cf3297dd7.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops startup file
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini.exe

Filesize
434KB

MD5
20a0cb37dae6b73653950d206e0e91ac

SHA1
4f790a5486b6a7f43a08b37ffbd057d637d71f74

SHA256
cdad51ed90e235561757c8b40cba4ca93ed17e78949163f44583515a34325969

SHA512
1aa4535e2db628793ee86eaf14b6d5392fceb601dc1bee8b582e0a02073aedf36110448563e76755ed58e80215d01208260c33d23eb97eb16ff546f2cb11ef9a

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
434KB

MD5
335596ffc2f7b5664cf4ff527efbe304

SHA1
197683f4b769defe3b02d6df6213785e3357e4d7

SHA256
abc95fb81ba83dec5810478585eb6da4f57efd5140e645bbe85ef5fab3a7c88e

SHA512
3af1d8548e0359b60a414d81ce13a725781da99c4e5b7810fec5f0fe4e4afce2aead314d0dfb34467830278fa685635d690631de585c1587b44e4c84b87720cc

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
434KB

MD5
335596ffc2f7b5664cf4ff527efbe304

SHA1
197683f4b769defe3b02d6df6213785e3357e4d7

SHA256
abc95fb81ba83dec5810478585eb6da4f57efd5140e645bbe85ef5fab3a7c88e

SHA512
3af1d8548e0359b60a414d81ce13a725781da99c4e5b7810fec5f0fe4e4afce2aead314d0dfb34467830278fa685635d690631de585c1587b44e4c84b87720cc

Download Submit
memory/3836-132-0x0000000000000000-mapping.dmp

Download