Overview

overview

10

Static

static

10

013e80dc8e...a8.exe

windows7-x64

7

040677c072...cc.exe

windows7-x64

3

0ba3a15c5f...6a.exe

windows7-x64

10

19d029dd80...b2.dll

windows7-x64

10

1ac4f94c2d...83.exe

windows7-x64

7

1efeb07862...bb.dll

windows7-x64

3

27861dacdd...03.exe

windows7-x64

10

31860041f6...ff.exe

windows7-x64

3

3c49ffd8bf...86.dll

windows7-x64

1

41edb742c1...45.exe

windows7-x64

6

4ad4c837ce...e1.exe

windows7-x64

1

50682871a2...53.exe

windows7-x64

6

5f3bfe76bb...b6.exe

windows7-x64

784f3902fd...12.exe

windows7-x64

10

816c0e4deb...6c.exe

windows7-x64

7

81b49d3c61...a9.exe

windows7-x64

10

82d1e979d2...67.exe

windows7-x64

7

8ba3f20419...4f.exe

windows7-x64

10

8d8576432c...fe.exe

windows7-x64

5

962bbb1929...e2.exe

windows7-x64

10

96f295d08c...d1.exe

windows7-x64

7

96f2bcea04...28.exe

windows7-x64

10

9972304b5c...64.exe

windows7-x64

10

9ff988d7ea...09.exe

windows7-x64

7

bfddb59433...b0.exe

windows7-x64

3

c0ca77690a...a5.dll

windows7-x64

1

cb0f8c9180...69.exe

windows7-x64

10

cfbcc54f36...29.exe

windows7-x64

7

dd0f55e997...a3.exe

windows7-x64

8

ded033da36...58.exe

windows7-x64

7

ea55e146fe...59.exe

windows7-x64

10

fffd0cdd49...d6.exe

windows7-x64

10

Resubmissions

14-11-2023 17:31

231114-v3qg7acf42 10

14-11-2023 17:21

231114-vxdw7sdg61 10

28-10-2023 19:29

231028-x7cs1age56 10

24-10-2023 13:29

231024-qrn3rsdb6z 10

18-10-2023 12:04

231018-n8ybnaeb31 10

07-09-2023 12:10

230907-pce1wahe2x 10

Analysis

  • max time kernel
    26s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    07-09-2023 12:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe

  • Size

    585KB

  • MD5

    f1334ba4ffac39c0df566bcc6b5c5c6c

  • SHA1

    dea070a650abacb26f0a76276dcd501828546b50

  • SHA256

    9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64

  • SHA512

    9dbb7c6e67a03fc0cb371b73ebd454a0216598b290eedbcd7fcd22686c4c26b862acd7af229a595e9c34397254156f083771d270de4bcc67ff0f77493cbbc5d2

  • SSDEEP

    12288:Lp4pNfz3ymJnJ8QCFkxCaQTOl2+U866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFa:FEtl9mRda1nSGB2uJ2s4otqFCJrW9Fq8

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe
    "C:\Users\Admin\AppData\Local\Temp\9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-686452656-3203474025-4140627569-1000\desktop.ini.exe
    Filesize

    586KB

    MD5

    a8f80ee7987d9fef7f7bea88a367c95b

    SHA1

    6dc715c14cefaa0fec764e9f487b10cf3d0cd903

    SHA256

    3ca838893a482b99ba22279f6a39c7f02303323d98958195c6886a3daa71af4c

    SHA512

    24957ac403d1356e5496b15954306dfc53b2cc1e60647d6909012e5d4147f0360e6ee768c4eae65dd7cbaf9194e60f2e0ec97701d4f49fd37c1f4098113ef357

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    7a7007c3b9a5439d48634b224a5ed927

    SHA1

    c2f2893ba962b7ce6fa065d320f1b9be4dc3918a

    SHA256

    3af8d242fc57e6a7e1bd0b12836684b404d83ff5e527063b927eada423cae47c

    SHA512

    fceac3644cd7d148fdbd5b636efc5d0341d17c581c95e2dde75c425cdcd09ee57bf7cf1fdaf493ba8cfbf43df62337684b533def5c46a6d3c1ec99afdf875b2c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    c1cfbc5b457571ad8a3aca525dd45dac

    SHA1

    cba3d4fe9bf9575b1753d9187fefc82581a9dc9f

    SHA256

    340eeb37906e7bc20b78e70d7cea0fbd1c41c40c3462d4fb84aefff1a0c75289

    SHA512

    5cb9a2c8ebe00a7b6173bd1ebc6cc79faa11cf97d572d1803e355f0ff3296884d037b268d9d15f9dee75b9fd524868b4e3dcfd0cd6ba61e176532ebad1835001

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    7a7007c3b9a5439d48634b224a5ed927

    SHA1

    c2f2893ba962b7ce6fa065d320f1b9be4dc3918a

    SHA256

    3af8d242fc57e6a7e1bd0b12836684b404d83ff5e527063b927eada423cae47c

    SHA512

    fceac3644cd7d148fdbd5b636efc5d0341d17c581c95e2dde75c425cdcd09ee57bf7cf1fdaf493ba8cfbf43df62337684b533def5c46a6d3c1ec99afdf875b2c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    7a7007c3b9a5439d48634b224a5ed927

    SHA1

    c2f2893ba962b7ce6fa065d320f1b9be4dc3918a

    SHA256

    3af8d242fc57e6a7e1bd0b12836684b404d83ff5e527063b927eada423cae47c

    SHA512

    fceac3644cd7d148fdbd5b636efc5d0341d17c581c95e2dde75c425cdcd09ee57bf7cf1fdaf493ba8cfbf43df62337684b533def5c46a6d3c1ec99afdf875b2c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    c1cfbc5b457571ad8a3aca525dd45dac

    SHA1

    cba3d4fe9bf9575b1753d9187fefc82581a9dc9f

    SHA256

    340eeb37906e7bc20b78e70d7cea0fbd1c41c40c3462d4fb84aefff1a0c75289

    SHA512

    5cb9a2c8ebe00a7b6173bd1ebc6cc79faa11cf97d572d1803e355f0ff3296884d037b268d9d15f9dee75b9fd524868b4e3dcfd0cd6ba61e176532ebad1835001

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    c1cfbc5b457571ad8a3aca525dd45dac

    SHA1

    cba3d4fe9bf9575b1753d9187fefc82581a9dc9f

    SHA256

    340eeb37906e7bc20b78e70d7cea0fbd1c41c40c3462d4fb84aefff1a0c75289

    SHA512

    5cb9a2c8ebe00a7b6173bd1ebc6cc79faa11cf97d572d1803e355f0ff3296884d037b268d9d15f9dee75b9fd524868b4e3dcfd0cd6ba61e176532ebad1835001

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    950B

    MD5

    c1cfbc5b457571ad8a3aca525dd45dac

    SHA1

    cba3d4fe9bf9575b1753d9187fefc82581a9dc9f

    SHA256

    340eeb37906e7bc20b78e70d7cea0fbd1c41c40c3462d4fb84aefff1a0c75289

    SHA512

    5cb9a2c8ebe00a7b6173bd1ebc6cc79faa11cf97d572d1803e355f0ff3296884d037b268d9d15f9dee75b9fd524868b4e3dcfd0cd6ba61e176532ebad1835001

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    584KB

    MD5

    24ab532cf48bff7e1027ff265711f433

    SHA1

    8f231fc846e548c2ed8c7cc863d973f13ebc89c6

    SHA256

    469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

    SHA512

    6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    584KB

    MD5

    24ab532cf48bff7e1027ff265711f433

    SHA1

    8f231fc846e548c2ed8c7cc863d973f13ebc89c6

    SHA256

    469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

    SHA512

    6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    584KB

    MD5

    24ab532cf48bff7e1027ff265711f433

    SHA1

    8f231fc846e548c2ed8c7cc863d973f13ebc89c6

    SHA256

    469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

    SHA512

    6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    585KB

    MD5

    f1334ba4ffac39c0df566bcc6b5c5c6c

    SHA1

    dea070a650abacb26f0a76276dcd501828546b50

    SHA256

    9972304b5cf97f0369e5b287583931d87dfe984aa698c9123b7061379db68e64

    SHA512

    9dbb7c6e67a03fc0cb371b73ebd454a0216598b290eedbcd7fcd22686c4c26b862acd7af229a595e9c34397254156f083771d270de4bcc67ff0f77493cbbc5d2

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    584KB

    MD5

    24ab532cf48bff7e1027ff265711f433

    SHA1

    8f231fc846e548c2ed8c7cc863d973f13ebc89c6

    SHA256

    469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

    SHA512

    6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    584KB

    MD5

    24ab532cf48bff7e1027ff265711f433

    SHA1

    8f231fc846e548c2ed8c7cc863d973f13ebc89c6

    SHA256

    469fc930acf3f5846877f61398c75b757c12f059624e95cfd00262ffe3b90c8f

    SHA512

    6e0fdc0562ac6253ace9be42426197eb03182b418cd5e70224c50fa251b19b1cd6e556d7e5d92bf9c9485748d6a11ca1ef68b4e792f3f1950ac7572f917b10e5

    Download Submit

  • memory/748-9-0x00000000002D0000-0x0000000000348000-memory.dmp

    Filesize

    480KB

    Download

  • memory/748-79-0x00000000002D0000-0x0000000000348000-memory.dmp

    Filesize

    480KB

    Download

  • memory/748-78-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/748-67-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/748-0-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/748-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2224-91-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2224-86-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2224-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2224-11-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download