695b8f49da3fa8c8afa912755719c5a01eb4b20967299a6ed63afbbb78ce0454

Analysis

max time kernel
241s
max time network
314s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe
Size

19.8MB
MD5

2b2d26de887a3de7e7b6518c1491ac99
SHA1

e6fdb93a41ca732b9f71546ecc77de51ab86b4d9
SHA256

695b8f49da3fa8c8afa912755719c5a01eb4b20967299a6ed63afbbb78ce0454
SHA512

659a6817f6589bc9466c87bbffc7279432c2c96a3bd1c93588dcebd7b7b3b8e0d87d20aa9168b9b238da5eb679a9d0066e90395b811f7e1cb262a2a5e561a314
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzM1:9nwngnwny

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	MZ

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
2692	HelpMe.exe
1236	MZ

Loads dropped DLL 4 IoCs

pid	Process
2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe
2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe
2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe
2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	MZ
File opened (read-only)	\??\B:	MZ
File opened (read-only)	\??\O:	MZ
File opened (read-only)	\??\U:	MZ
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Z:	MZ
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\J:	MZ
File opened (read-only)	\??\R:	MZ
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\I:	MZ
File opened (read-only)	\??\K:	MZ
File opened (read-only)	\??\L:	MZ
File opened (read-only)	\??\M:	MZ
File opened (read-only)	\??\N:	MZ
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	MZ
File opened (read-only)	\??\S:	MZ
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\G:	MZ
File opened (read-only)	\??\T:	MZ
File opened (read-only)	\??\X:	MZ
File opened (read-only)	\??\Y:	MZ
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	MZ
File opened (read-only)	\??\V:	MZ
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Q:	MZ
File opened (read-only)	\??\W:	MZ
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\H:	MZ

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	MZ

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	MZ
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2692	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	26
PID 2872 wrote to memory of 2692	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	26
PID 2872 wrote to memory of 2692	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	26
PID 2872 wrote to memory of 2692	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	26
PID 2872 wrote to memory of 1236	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	27
PID 2872 wrote to memory of 1236	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	27
PID 2872 wrote to memory of 1236	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	27
PID 2872 wrote to memory of 1236	2872	2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe	27

C:\Users\Admin\AppData\Local\Temp\2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_2b2d26de887a3de7e7b6518c1491ac99_ryuk_JC.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\MZ
  C:\Users\Admin\AppData\Local\Temp\\MZ
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3750544865-3773649541-1858556521-1000\desktop.ini.exe

Filesize
19.3MB

MD5
53aafb48665fa00216c1c560f962738c

SHA1
f4dba571f681f811967634be8ee6c4acb78f46f8

SHA256
6309408ca7d99528074dc472eaf915a7d9bf990efebe140a2b213fd89260b5c5

SHA512
1b55a09e1cd88d0a251c01781ef834bf1f1c9a8ab3c8f151982122d742824bac6b1de3fbb70aa443232d9fbd3b42abf42b896942b49ac92c8c7c167428e9876f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
19.8MB

MD5
2b2d26de887a3de7e7b6518c1491ac99

SHA1
e6fdb93a41ca732b9f71546ecc77de51ab86b4d9

SHA256
695b8f49da3fa8c8afa912755719c5a01eb4b20967299a6ed63afbbb78ce0454

SHA512
659a6817f6589bc9466c87bbffc7279432c2c96a3bd1c93588dcebd7b7b3b8e0d87d20aa9168b9b238da5eb679a9d0066e90395b811f7e1cb262a2a5e561a314

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ

Filesize
19.8MB

MD5
2b2d26de887a3de7e7b6518c1491ac99

SHA1
e6fdb93a41ca732b9f71546ecc77de51ab86b4d9

SHA256
695b8f49da3fa8c8afa912755719c5a01eb4b20967299a6ed63afbbb78ce0454

SHA512
659a6817f6589bc9466c87bbffc7279432c2c96a3bd1c93588dcebd7b7b3b8e0d87d20aa9168b9b238da5eb679a9d0066e90395b811f7e1cb262a2a5e561a314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f3c372f962807d62f15c91ef53d733cd

SHA1
8f795b374705f6b6a859bdbbdcf12bfb1a155e7f

SHA256
9a78c295d099d4eb7d701239463aac32bf1355f88c1ac3be18c5bfb43b809db0

SHA512
3b3abb8ac023072580ee5addcdb6477ac878fc94e5ed49b110d151a7705036009259f8507cfbb84d86bfbec5fb6c0e043ca69eb4907f4f7189ea3106890ae16a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f1db71cd6ad935ad812a48c6ebf6f00a

SHA1
b74183baf782ab31543ded81f8f34885e482f4c3

SHA256
4f3e37a7942e9de824c3ed0b81638c90bd289eeec17bbfaa9b7120d24fb8900b

SHA512
452ec6e8b4f414379074d5469a5619a990fef5047d84c6cc26b16435ed9e77f668cb078040f7597557010e70302aac5a509ae88a1b6ef908b28033ba4e761630

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
19.3MB

MD5
bcd2a4ce4b577d6a0c0d0c8fe1f6fafa

SHA1
ca30375d1541c708b37a75b9dbf65f4f137cd5fc

SHA256
ada6ddfc84670222d1f430a34d608e9e39cc1c01567b267349cfcda2d0811f37

SHA512
6daa8166c366034d7695b55d0caa6658faabd57c42743eaabbcabbf8a46d3f1de6237d86f2da1883a22b3b91eb392d33e7f2c1869302569d82e15d2410fa3781

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
19.3MB

MD5
bcd2a4ce4b577d6a0c0d0c8fe1f6fafa

SHA1
ca30375d1541c708b37a75b9dbf65f4f137cd5fc

SHA256
ada6ddfc84670222d1f430a34d608e9e39cc1c01567b267349cfcda2d0811f37

SHA512
6daa8166c366034d7695b55d0caa6658faabd57c42743eaabbcabbf8a46d3f1de6237d86f2da1883a22b3b91eb392d33e7f2c1869302569d82e15d2410fa3781

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
19.3MB

MD5
bcd2a4ce4b577d6a0c0d0c8fe1f6fafa

SHA1
ca30375d1541c708b37a75b9dbf65f4f137cd5fc

SHA256
ada6ddfc84670222d1f430a34d608e9e39cc1c01567b267349cfcda2d0811f37

SHA512
6daa8166c366034d7695b55d0caa6658faabd57c42743eaabbcabbf8a46d3f1de6237d86f2da1883a22b3b91eb392d33e7f2c1869302569d82e15d2410fa3781

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
19.3MB

MD5
bcd2a4ce4b577d6a0c0d0c8fe1f6fafa

SHA1
ca30375d1541c708b37a75b9dbf65f4f137cd5fc

SHA256
ada6ddfc84670222d1f430a34d608e9e39cc1c01567b267349cfcda2d0811f37

SHA512
6daa8166c366034d7695b55d0caa6658faabd57c42743eaabbcabbf8a46d3f1de6237d86f2da1883a22b3b91eb392d33e7f2c1869302569d82e15d2410fa3781

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
19.8MB

MD5
2b2d26de887a3de7e7b6518c1491ac99

SHA1
e6fdb93a41ca732b9f71546ecc77de51ab86b4d9

SHA256
695b8f49da3fa8c8afa912755719c5a01eb4b20967299a6ed63afbbb78ce0454

SHA512
659a6817f6589bc9466c87bbffc7279432c2c96a3bd1c93588dcebd7b7b3b8e0d87d20aa9168b9b238da5eb679a9d0066e90395b811f7e1cb262a2a5e561a314

Download Submit
\Users\Admin\AppData\Local\Temp\MZ

Filesize
19.8MB

MD5
2b2d26de887a3de7e7b6518c1491ac99

SHA1
e6fdb93a41ca732b9f71546ecc77de51ab86b4d9

SHA256
695b8f49da3fa8c8afa912755719c5a01eb4b20967299a6ed63afbbb78ce0454

SHA512
659a6817f6589bc9466c87bbffc7279432c2c96a3bd1c93588dcebd7b7b3b8e0d87d20aa9168b9b238da5eb679a9d0066e90395b811f7e1cb262a2a5e561a314

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
19.3MB

MD5
bcd2a4ce4b577d6a0c0d0c8fe1f6fafa

SHA1
ca30375d1541c708b37a75b9dbf65f4f137cd5fc

SHA256
ada6ddfc84670222d1f430a34d608e9e39cc1c01567b267349cfcda2d0811f37

SHA512
6daa8166c366034d7695b55d0caa6658faabd57c42743eaabbcabbf8a46d3f1de6237d86f2da1883a22b3b91eb392d33e7f2c1869302569d82e15d2410fa3781

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
19.3MB

MD5
bcd2a4ce4b577d6a0c0d0c8fe1f6fafa

SHA1
ca30375d1541c708b37a75b9dbf65f4f137cd5fc

SHA256
ada6ddfc84670222d1f430a34d608e9e39cc1c01567b267349cfcda2d0811f37

SHA512
6daa8166c366034d7695b55d0caa6658faabd57c42743eaabbcabbf8a46d3f1de6237d86f2da1883a22b3b91eb392d33e7f2c1869302569d82e15d2410fa3781

Download Submit
memory/1236-95-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1236-100-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1236-94-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2692-34-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2692-14-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2692-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-86-0x00000000004F0000-0x000000000056B000-memory.dmp

Filesize
492KB

Download
memory/2872-93-0x00000000004F0000-0x000000000056B000-memory.dmp

Filesize
492KB

Download
memory/2872-92-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-5-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2872-99-0x00000000004F0000-0x000000000056B000-memory.dmp

Filesize
492KB

Download
memory/2872-4-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2872-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download