Analysis

  • max time kernel
    191s
  • max time network
    225s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/10/2022, 03:34

General

  • Target

    5214f774aa6c32a3044b8886aee129f32c91dd27a483eee106ba838c32a58b05.exe

  • Size

    474KB

  • MD5

    80426d9fb58e322c1643e6ac12257c00

  • SHA1

    859d681f0bfaa76eb014750e99175f5fb2122998

  • SHA256

    5214f774aa6c32a3044b8886aee129f32c91dd27a483eee106ba838c32a58b05

  • SHA512

    c173e7a3da75eeab3e7fa82365a9ce942c55045fd94cd4d4b5afb0cd674eae5c0c4457f8030a80c31786b5519530b9d031aead25c1715a7e10160e0ce120b164

  • SSDEEP

    6144:k82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBilO:Cp4pNfz3ymJnJ8QCFkxCaQTOl2jq

Score
10/10

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Executes dropped EXE (1 IoC)
  • Drops startup file (2 IoCs)
  • Enumerates connected drives (3 TTPs, 24 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 1 IoC)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (4 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5214f774aa6c32a3044b8886aee129f32c91dd27a483eee106ba838c32a58b05.exe
    "C:\Users\Admin\AppData\Local\Temp\5214f774aa6c32a3044b8886aee129f32c91dd27a483eee106ba838c32a58b05.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Drops startup file
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      PID:2768

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini.exe

    Filesize

    460KB

    MD5

    8ea4fbd72a892e218eb8cee13682d9ea

    SHA1

    b31e61d74e652682ee0de4f1ac708913601e903f

    SHA256

    5846edd2087927866b7f76443ea75cef5df70bbf6ceecebff3853cac8412895a

    SHA512

    9d6fdceacb309dcbf69438ee8b31fc20f740d7c3a7764aa708be2921adfb2a5a91a489f430b4883d31e73b93d622809f50dde7f7c4cdc9a7a2dcd7824040f882

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    459KB

    MD5

    fd4d6ea614f5bb79a5a805f0fec892b7

    SHA1

    115dfdbef71d8569574d5d98fd3f5bed173f8dbf

    SHA256

    2c5336f8f93fb76f50554cde98ecce3be4da05629075e994bdbb787e8c2b6980

    SHA512

    64ef659b9397af968235af46007f196bc7062687ec1a6504ca9d30198241c21acb54ac9b6c4c2584b5c4a34091af13c6d0f0722aa02c7ef81c1f86321d9553c1