ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e

Analysis

max time kernel
154s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe
Size

9KB
MD5

98aa3681bcab570815288f7722d290f4
SHA1

6f64fc4cd28020c7fee334bf6e4c60869c11935d
SHA256

ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e
SHA512

9e1e39cefe05100ce7b212defcaea53f7b91e1d627a91bb15abca42a3a5255e6e41be19e5a7a0adaffffaad21bc8d2fbe06cb4067d73805f645956f28cef1c07
SSDEEP

192:kTcVyB9fNLYQEXNk/9gOr8593DgxvlM3tQBy2j:bY3lLdqagOr8L3DgplOMB

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	Help360wmgj.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000005c51-55.dat	upx
behavioral1/files/0x0008000000005c51-56.dat	upx
behavioral1/files/0x0008000000005c51-58.dat	upx
behavioral1/memory/820-61-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1020	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe
820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe
2032	Help360wmgj.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 2032	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	27
PID 820 wrote to memory of 2032	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	27
PID 820 wrote to memory of 2032	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	27
PID 820 wrote to memory of 2032	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	27
PID 820 wrote to memory of 1020	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	28
PID 820 wrote to memory of 1020	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	28
PID 820 wrote to memory of 1020	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	28
PID 820 wrote to memory of 1020	820	ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe	28

C:\Users\Admin\AppData\Local\Temp\ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe
"C:\Users\Admin\AppData\Local\Temp\ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\Help360wmgj.exe
  "C:\Users\Admin\AppData\Local\Temp\Help360wmgj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\test.bat
  2⤵
  - Deletes itself
  PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Help360wmgj.exe

Filesize
9KB

MD5
98aa3681bcab570815288f7722d290f4

SHA1
6f64fc4cd28020c7fee334bf6e4c60869c11935d

SHA256
ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e

SHA512
9e1e39cefe05100ce7b212defcaea53f7b91e1d627a91bb15abca42a3a5255e6e41be19e5a7a0adaffffaad21bc8d2fbe06cb4067d73805f645956f28cef1c07

Download Submit
\??\c:\test.bat

Filesize
249B

MD5
547906b5b47f01627006e6383fd986cc

SHA1
45ba7bbbf85c941d18a2307d8a7255a4f8590bfe

SHA256
8a32703c692031c839bb2b465fb75c0be602e8a258f9258bdfd3a896796432f7

SHA512
4e7a9cc31bf9a4d3f7645c66f4230e0094f2b2fe851d656d6665402643cdce25bc649ad4a1f3dec7282b4ae2023cd72700e59e12bfc879c635199ca92b6629ca

Download Submit
\Users\Admin\AppData\Local\Temp\Help360wmgj.exe

Filesize
9KB

MD5
98aa3681bcab570815288f7722d290f4

SHA1
6f64fc4cd28020c7fee334bf6e4c60869c11935d

SHA256
ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e

SHA512
9e1e39cefe05100ce7b212defcaea53f7b91e1d627a91bb15abca42a3a5255e6e41be19e5a7a0adaffffaad21bc8d2fbe06cb4067d73805f645956f28cef1c07

Download Submit
\Users\Admin\AppData\Local\Temp\Help360wmgj.exe

Filesize
9KB

MD5
98aa3681bcab570815288f7722d290f4

SHA1
6f64fc4cd28020c7fee334bf6e4c60869c11935d

SHA256
ba0f4f9acc28419845357411ec51f0bb209744b1c4a0cd91e58cf5be7a79279e

SHA512
9e1e39cefe05100ce7b212defcaea53f7b91e1d627a91bb15abca42a3a5255e6e41be19e5a7a0adaffffaad21bc8d2fbe06cb4067d73805f645956f28cef1c07

Download Submit
memory/820-54-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/820-61-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1020-60-0x0000000000000000-mapping.dmp

Download
memory/2032-57-0x0000000000000000-mapping.dmp

Download