cd184bfbd69579b92d2e8536af03917c16ed65f975454bade24dc8ea5147dc07

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2023, 21:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
Size

20.8MB
MD5

efb6199b2d91dc194d6602abe0554797
SHA1

3f161d997a45b224ba083e97f6e09082e487e009
SHA256

cd184bfbd69579b92d2e8536af03917c16ed65f975454bade24dc8ea5147dc07
SHA512

69a10d08660e933f050fdec5d51d48938693a4bd1cd84f6c2e41a3334a4b6e6acf969a7f2abe2b14badbe3f9bbc8e1d4febd22db33449eaa7bc9b45a58d18f5d
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMM:9nwngnwnBR/

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
2352	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\N:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\U:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\Y:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\G:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\K:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\M:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\R:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\T:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\A:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\B:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\H:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\I:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\S:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\W:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Z:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\L:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\Q:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\V:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\X:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\O:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\P:	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened (read-only)	\??\H:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\mlib_image.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ppd.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ul-oob.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\eula.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\j2pkcs11.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-uihandler.xml_hidden.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-pl.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\javafx_font.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ucrtbase.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\java_crw_demo.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Core.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ppd.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART12.BDR.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.FileUtils.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-utility-l1-1-0.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_de.properties.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_f_col.hxk.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\THMBNAIL.PNG.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SpreadsheetIQ.ExcelServices.dll.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties.exe	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2352	4564	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe	86
PID 4564 wrote to memory of 2352	4564	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe	86
PID 4564 wrote to memory of 2352	4564	2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe	86

C:\Users\Admin\AppData\Local\Temp\2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_efb6199b2d91dc194d6602abe0554797_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini.exe

Filesize
20.8MB

MD5
0dc6f83a18b318a82512c8bcd831be09

SHA1
4f6e28dfa9ba465cc1d104ae11bdc67104ea3459

SHA256
7451eb3b61c28f8cae10624ca3852b8a4b52e0c2fafeecfc99442c49524fbdb9

SHA512
ba3e4562af7c3828ddf14816ab2c2439d7a7860774062617ef7e6fd28dc333a7ba8a74c257f0104478cd5594cc845f52c9f94e168486da5952aeaaedf05954b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
d2c96060408b92b22b7274124fdac204

SHA1
82751aacafcd0a4b6ed081b931a2c898a500ac88

SHA256
0bd11cf7e9ddcfa66e31f5ceb81a54d51e9f5cdd6de9b008937c03057648f6e8

SHA512
337590dfa0eedb38c48fc6e1062b668d2c719723179818432c900a027d44148d5433d6cdcb66fd27881d6b5450d5cf2a9ae3287d5eadbe42b670ff9cb62728d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
d5cddefad556e41b54140f3c45a1e10e

SHA1
7fccc94e264808170d22ccd9d53b3f8a712c98eb

SHA256
de74fce6399cbae8aabde31326c14e88f3cf4bbcb95826dcfa9492f716385f0a

SHA512
e4161cc6d7964b910f5e398b95b753b4c2f7c6a0ffbb0746ffd28b2b1e7d5e7f76fb102261280cf70830ea2c4ed6c27a27fc1f4896094209ec75b121de790144

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9fc7093ad0766da0779d9c23c007dfb5

SHA1
6a049a73d21d3567b070371fbd113b82242615a0

SHA256
dbc9e40a78e4adce46700aab11f3db406de9659a907a0180c15de0a572c04e28

SHA512
5eda3d9c42115baf76ea7a47c797be2f12321aff7eaa323badd0df54514b779a8138afdd9739fb466225eca7398004b2593cb58638d90f1ef5139d662012e82c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
00d7ee145d5696b2f06c5fa8960dfefe

SHA1
dd875167faa482e7faa4da4f19202f639de91c40

SHA256
199d2c1fc6625b01ca575b2b70a0347deb3b6683bab65ee956928475cdf0aa67

SHA512
606fb959de8db52f1e74d7ed8e643ec5fd32b6897eb88cb8f471a53d8454fbf8cabe967a92199019fcb4b5342b00ac04badc9b8c296f6ea6050c58db76ae5c26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
cde40829c9d101a6e7b2b7b5acab11ea

SHA1
fbba027b7a643b84042777226dfd1cbe8c5d62d7

SHA256
35544cff877e0b441b182e6c7b21520f3a9762f6b5ae3c594c6fbed6002a4e97

SHA512
d79d31b625f0e917f70a08d4ff5041db7f5d1b1bf8b0ba50c9ee98e387b71c8b3a2fe1501bc234543d7a797e145600274119891f107bf9e655b4da29c048a2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f1c096d131ce9bc74b4014c731d9ca05

SHA1
f73f362a83d5dfaefc6e5667a6dd2936bd1a4a2e

SHA256
331ca742d3f1eb36fd70871c9ea6a3b1bcd5d6e98446072452717cf09d2799b5

SHA512
eb052886162633bb14ea0d54039854d9bb9e324906266c0e9aba31cb3733124d41a37d7b67c9af75da4e200f271fa16ed676e9dd1a50477bcc4a9bdc141e4235

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f3b61542f4f501507f010cfcc40843d7

SHA1
9026b9479c1ca9dfab11e467e9c384a73ec0af46

SHA256
2473406c03922fdcfe5ba85bc2146d7d891ee13325f25c7135620660408adf34

SHA512
6647f92e773bd71a1186e30367db7d6075091ad030e0a63de1b01cf7777ed40b8333a6ab4125dbf3d1b6b059b5c7bd1b03c411fe355f8d4ea8a8a3351878601f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9d271bb4d8bb02792eff69c00493fe6d

SHA1
a66c2f0af557031f8d9903e66306b71b23c032f4

SHA256
0ee8bd8b23add28b0444383db74fa4698a4d93ef423d719ea160a165d7b79555

SHA512
565be50e4783df92be861bfd015de0121d62740384123711c29e2d67b948b6116095886312baeb99be6dab78f499623809dc65c7a9ed11334a8071e361ac543c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
ca08fe36c25154ba69020d7d24f7a1a3

SHA1
69ae4860e8e54201e7d5d6ee1d6f9d23628ab04b

SHA256
c3f9cc38c6d1bb5a2a47dc5d209e6770b46ef1b267808bd9277fc217b13378b6

SHA512
072cbbca41385b068d4e107edeba9bb293e3b570bc6ebfe2ca821b7a6c223c7567c3f6606e50943fb44a30e1316b29dd419cb62165f2395c01f41f39150af1be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
769bf510e8a304d656d0cdd5e15f7fce

SHA1
ed0fb84aa031e5c25d10fc293cfaa5ccbc8d8867

SHA256
2811e942b25e5b0cc88ae4e403af8996ace1fb01e331905f14f506a3bdfaa4e4

SHA512
3a88b778bb625baa80303d01bfd1b79e3d082758f8b6dcbd4d58afc985e3f42774df9303446da20009a8e15c1fa2bbdbfbee9aaa534ac7178f686b47e6e645fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
72f60b7708ca9382de203bd65f91cac7

SHA1
172e263f1944d1d5f4fb7e46ad8658acabb0930a

SHA256
fc47bbf707c2db68fc307a4a1e2951c9cf94ffa35015003361b806875244876a

SHA512
6a18b2717cc31ebea1ac45ff3a12c6f47ce0ce46e1df9c4bfaad080fb9b0eb2c1e9baf059e3d9f57931af5cb6b49f7b7e3e70b3160fc63258ea08eb725bd5a25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
8a5bfefd98e0871c8caaf3b8846c8301

SHA1
c232b192a5c308d2f8796e83ff60a6301836c128

SHA256
f53c8d13c65c963282dc14451f7fee70d8d0630e47d7f07e08d45f1a96e325b6

SHA512
e86f3d31b64291c0b9a42bf99b224ec734029c11bfacd0bbfc7a693e7e1a8debe3d49e70fc59f6d847b9c63429ea5eb5513cd575c7e317d32dbd878a5bc53177

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4bc8b68061189e0834981b5771e36f7e

SHA1
080bb9adc5d54eefdb6df79f46ba58e47ecffc4c

SHA256
29fdd7e141345a4dfa69608c8a2a6b044fa6555bb19a882c77961f3e871d2afb

SHA512
d0b8548eb263679e6ba99cb8bfd73a114f3fcc0c338519e1c4e2061f947c8fb5bc3100351c53b4c56863f5100942e0c4ee2df2d51791df12c66fa2bf65e74a2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
939d0a7dd251f08e39e9f1c8e9fc9603

SHA1
cc23212b7bdcacfe18da7444f4809628932dffd7

SHA256
89d5f9b512ee3bb301868f2b63baead368f5b1df4ece956caa8afbd886db5732

SHA512
f2b4b4eaf94e163d8368bdfab693d555d3f19e3025ff3b7804563eb5352fad0253ee1b67bd37a4dd318d56b02e43d917a1d9d517da471a97fa0c41b7fe8c3d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f359dc7bee4445d2b18971ac9330e355

SHA1
a5b1fa8c323a422dd68f191c92e999e849805359

SHA256
3bf72ea1c8f5cb189bdcbb68971fd672a3b0880b1d9c69b38ec7e78f2f55d7b6

SHA512
148ff0bc246a2443ab645203b7825971d9eb48468e8577d7dbcc53b4b15d46a8474c536d925d3b9c82fe6424259c05295a7abaaaae9e5fed558a2c37fb6d593e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
29f174b5a64064d2abb39804d35fa3cb

SHA1
490f2d403fb40fba70c730182ee3c000c149532b

SHA256
f909d26b662946fb39b0c2f77b983087ff954499dbad69e70758e72b9df480ab

SHA512
270bc1df54b4a36b775334cc08a24a25a3864f1504bb56b7ac963637555527e87e8dca0077627cfff10dc09b9f2cfefeb50ee72a30c74f1b817ae5144069b8ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
fc990e2fb7a4ca4621e8f150a05dd300

SHA1
00f0149aecd2038dd0e8c1154bb7ff6b5eb8cdda

SHA256
ba03fe3feb8892238a1a2158971e1e6da2fe8c311a73297b744810616979a134

SHA512
24cd566fe04f496ecb33db9e684231292524ba2908d92b299f391013368596c2e077ac7afdf475756f79de870bcc92325712413ee5fd39288dae41eb098b99b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4821535359b2a00eea73e27da16ee65f

SHA1
f361b9d2b8991ef215f999c3c96aa0552cd084f9

SHA256
0d285d30c14c5aa32d4b489869175dcf2f5276c6e21394686a8c9f6530c09792

SHA512
47928a9b06603fe68e8cabb186f0c93f59b9fe3b93aee8029ed3d474307bff0f197bc6c238616ed76d1f5072f8534bb7b97e5626b80ba5b0ff4a8557cb673cda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
34778cb5793165c72f80ff75b7b4f346

SHA1
bcdce60294e908090aa684db7bb4d03be20b2446

SHA256
b72a6d3cc2873f6959c7d5089edfe1b4706b70e03b0e27ea7ca214f998918ad6

SHA512
19c5610685580fb4080de357f61bd6b116d3c55d39d8e4ea456cf6975c6e8de4e8ce013b66d397e97d9bdd4a6d4d3f54c56dc5e5f64c7e1718fb017c51830e12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
97bee2897281f6f5da2d1478d516956f

SHA1
4fae32ac57d597c11cc45f319bbaaf7103f2a8be

SHA256
f9e8a247ba1f4e3ac4188226239e6219c254330ce094a435b96ff55bc367ab94

SHA512
19588aad356939d189642b0569321cb66cad2512dd2f312da75a30e2402872f35a49744f18fd7ecdca9fc2d0c6ed5518d5b5bba7fd76e08b930b885a47967158

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
9560fbe2165162c7efcdd90f0a0bb37e

SHA1
790c3cf99ec569448bdaa9c7ebcc1ba93437b546

SHA256
d0235e84dd2fc20ab8fdf3d97d52457b0e1772689e2e04405a6d05c34ad37754

SHA512
7a1ba09d033281634bb817e45dd8dc313280006c9939976592e0555d30cf3ba93358391a620c49873385bf67915fe3a31031b118b6f7e1c8ee03056f3908a9bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2fc0cefba141484c5068cfde918ad56f

SHA1
13d0f8169e9108b3561b757c820b610b5229a996

SHA256
f2d3d2c9bef5b1730069175aaadddbf9f1f6b42631c5488ae1ed3c948a69e32b

SHA512
810327848ea800cc4d0eb6e8a9c85ee99bc19c02019f545b5467cca8bfa329de56eed82aea38d444b848f490a671f6c0154fa557803a364268161f89b22ed99f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
2c714a86443f1ef92c0b06f98ca12773

SHA1
3af566d0a26d2ba6f98d8bd60338fa246e56597b

SHA256
e5c562cf7f6a72b5df415bb4121f5b7f7d5a64fd6816005c7bb2039fd371ba1f

SHA512
603b0d667ea3526a614e1a56cc2cefb5ef6182acf1e8b78d85facde2b99ba82fbc15269f22558da2855a3504b6cb306afde8fdf7589682173cb30d297e983a76

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
2803f478fdef769ea6ac1c75e2bfcb9a

SHA1
f60cd1ab46ab2789e07d53ed6346e688a9bc6b9d

SHA256
923da8b5d770dbc2591059c1fe61eb65283d40aaf5f849ec2efb10d6ac63a7e7

SHA512
9231d694a208c758bef76f4d2dfe4497879f6b7482e9443e3737cbafed56323be97be3203e2ca4a32791116929775f15da924b7729a61b7c48458f30c9a960f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
f0496d848042e2e9be56a6a9bf8ee322

SHA1
18b48ce44b27a571c9a87ab68c36cf5eeccfb2f1

SHA256
426524f8f0c025a5e6aa3578b08283511e161b4375f12b39ad891aa26ef86a6a

SHA512
392b96b7ab986647ff56f5e61465f86e041cb1c88b3f5700e01582cefe3884fbb600de54a533b667d21fc71717ea10ac496c33de9ba518c83cec0190f7519392

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
5ca44246183aeb72f8ec46fac8626570

SHA1
c1817c0d704be30c7bb5b9e34520f253ba700e9c

SHA256
a8c45560a8c4951eb4922a42cce0c3dd16c0d802b5a57a68bbfe5afbf8d9b537

SHA512
242492c151b1826f8c00e419647fa96e59ba3e9fc839cda135ad8732995deb84312704014b7ccabd38179cc1c0913effb30ffee1760e31dc3158c95df20f4de5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
620767f0b8edd5ff96d8302195852680

SHA1
34251f60c93540775aff97af277307a9b5555f45

SHA256
911cf479e36935560eea8689eb49d158c94a74e34902f0461aee374fdacbb8f3

SHA512
72c07eaf1f1d41f12b2ac726c3196db2a6ed5e2469eeb6953d7c1ead583dcbd4ba5936203cb85af236c99801844abb8195b75ddaeb93f18b399c5690d8d9ad4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
a6e9875a94ba88880b13c0b29032de61

SHA1
332d9658e5cdc438a968139ed08833688ef095f2

SHA256
57429344fc6f3d239720d911f28cc014005970fe32be36baabe0695675cfc1c9

SHA512
0f0a4b3b2175400b8018d77c478965194f7103ad0411254b11710b4334b3920a9c69ff8507a9056f0493b853603a0119275020cefce0d181d293141e16442e8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f112619a48aaaa815e19fba001e64361

SHA1
b141551d17875da95b67e2be0a56c9f3eb632810

SHA256
8eb097222a77600c923cbe82a7b06b297eac4d09670c64376f9d894f62a014fc

SHA512
837d534c2773f90199e4bebe127b67089b749b56bbc949df8ba53d60b26572d365e25932fb137a12f20838bd19be047bda4a952bb871f1b088a2b145c582f426

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
4406f1c566a87aaa48f36cbd3c309ddc

SHA1
27ec8ac458d590f0231fd7f8dab11b0f230c161a

SHA256
fd86a86182da776d4bbea973890d4a243e0f5230b5e6757c7756af79d45e79c9

SHA512
006fde767eb816052961482a4b7e5cc6d6d96531ea07b69bb82a33ba3094c10d278eef39b8d7a7cb255e4166dfff817cf02f94c27436af08fcb0bc01ff0c0e93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1019B

MD5
30c671e4a0392ed9f39da7c6d8461556

SHA1
cca58fb35249e7bcb489307ba25d7660db0f6812

SHA256
b01b2ac9201677fd338d73d0aaeaf9dd2d41f97fcb983099dc8637ee0bcf662a

SHA512
0a4ec797b5fd4a016978f17517f25d01a4babffd5a9537b6bb424cfc7e24d2602111a021cc0f5133e701cb0c159094fc80e99a4b9de6948f7d61d504b9abdf6e

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
a61874611a687bab425bea93bcb96522

SHA1
79ae3e8c7ad26a4f465beea9ef547af0d6fc9524

SHA256
fb8e0cc1af2e9c536cbf91bd33726a99e9657531fe77d51397e28ab063d95ed7

SHA512
8b5ef28f1e6a4474011bccd8494048b6e45a940be81419abe84ed96ed6640a125f5a86214758fc4f51c5edecda39a03762e992df09eb033216b6258bd55348dd

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
20.8MB

MD5
a61874611a687bab425bea93bcb96522

SHA1
79ae3e8c7ad26a4f465beea9ef547af0d6fc9524

SHA256
fb8e0cc1af2e9c536cbf91bd33726a99e9657531fe77d51397e28ab063d95ed7

SHA512
8b5ef28f1e6a4474011bccd8494048b6e45a940be81419abe84ed96ed6640a125f5a86214758fc4f51c5edecda39a03762e992df09eb033216b6258bd55348dd

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini.exe

Filesize
20.8MB

MD5
ec933055a62d08dd6fbbe4caf2160412

SHA1
acde3c9a53ab1b371a7810044dd9b54334483b22

SHA256
4d0fae98f9f141856ff09ea66721ad236213c74d264e2a2e0a7df4de30c946ea

SHA512
01b65ca04fca8f96799f7e4b43b68982e12f60d1a1108874fa12837e282b97005524f8fef702826e70cf78fce3513f83e666f5ebebe5692c531eea9add387a4e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
20.8MB

MD5
efb6199b2d91dc194d6602abe0554797

SHA1
3f161d997a45b224ba083e97f6e09082e487e009

SHA256
cd184bfbd69579b92d2e8536af03917c16ed65f975454bade24dc8ea5147dc07

SHA512
69a10d08660e933f050fdec5d51d48938693a4bd1cd84f6c2e41a3334a4b6e6acf969a7f2abe2b14badbe3f9bbc8e1d4febd22db33449eaa7bc9b45a58d18f5d

Download Submit
memory/2352-6-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2352-106-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4564-70-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4564-93-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/4564-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4564-1-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads