7a594a1a5faee5de90b6730de40f8c768d81ec6c612879d0c1c4e63cd06e755d

Analysis

max time kernel
176s
max time network
141s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31/10/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
Size

23.8MB
MD5

33a23f4d5daaa89eb8d8670d6905e2b6
SHA1

d8f5fda873300d62264476857127aec2630ac69d
SHA256

7a594a1a5faee5de90b6730de40f8c768d81ec6c612879d0c1c4e63cd06e755d
SHA512

fa79e6b0705ab6afed75da132b457752c9e68f7ff9c211060ea41f8faff60cba43a46ff34db98ebb28635f68f8cfa05d73e21a45355443d523f808f4be71995d
SSDEEP

98304:9E2RpMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMMMYJMMzMF:9nwngnwnBRs

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
2716	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
3016	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\R:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\S:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\T:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\A:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\I:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\M:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\N:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\J:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\O:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\V:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\Y:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\Z:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\X:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\W:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\Q:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\B:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\H:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\L:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\U:	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened for modification	C:\AUTORUN.INF	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2716	3016	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe	29
PID 3016 wrote to memory of 2716	3016	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe	29
PID 3016 wrote to memory of 2716	3016	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe	29
PID 3016 wrote to memory of 2716	3016	NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2023-09-09_33a23f4d5daaa89eb8d8670d6905e2b6_ryuk_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3425689832-2386927309-2650718742-1000\desktop.ini.exe

Filesize
23.8MB

MD5
e85cac498ebaf37128539bf1b4b515b5

SHA1
8d15dc2d63799d77969a1717c427959c49c91357

SHA256
ee8998935ec2d19d049d64435a3e82064bf0d768e4cc3063c1686673e5089102

SHA512
563c4ff50d0a826541dacc24d6180c420caae4d465c05fae3690795b9cca7c0661b3be929ce2c560483b284c16e244a996269c76862b75255c647bc754a3c953

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
833a80d1a602a2e7a91bc26fe8ea9105

SHA1
00271636d2d723e4e1c5e20f501d15007f2925ff

SHA256
7d5988d6ad1c4305051a075fadeaaadf56bc6e9a42c87e3294207aee68244f96

SHA512
874ff13c2e4d71967567352fa9cb782f8b426f7a0c689e235a5463b0d632ac59820a93c459e4cf44b5957289494f70ad55cdf0148e6603f928cfe10f1271e529

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
f67f0df14699263c43e9cb528b4f4bc6

SHA1
dcccd2c0720b3da2716ee7a59ad90789389e2e14

SHA256
64025758745ad90f080bdae802293dd832a9a9face5efefd0a0df0d2bfb333cd

SHA512
ccb664f09f5d4ee6e9f21e5e0bfe8347f0d57319310f661611edb2d4cee0eddb89bc8cc8ad57a2e37420ee091105c5c3de7c66ee8098d8619cb59779f3c4ad51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
c0b62a03b25592dcbc3935694128dc4b

SHA1
b88da8ff5bb03954d57e76826ae3cfe823e1b78a

SHA256
4e22c6f1677b98eb0625dfa74142a8b1e48c7013d62c86953f3b10f270f0dffb

SHA512
cb9deb6a104c47ee77b1b89aae5ea7b25a6ad3425b1629cdff16e6dd64355e3b47bdf01ad2716f523b5747f6f783cb4c68569f4de9f59258045e4fbb52fec853

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
23.8MB

MD5
391789ab1e8a0d746a0b1427855e43f1

SHA1
85867cb80c74ed2005c804bd931b0f990a084744

SHA256
f5176edb1a501786f367e3711d5844a41ef2cbbd3f2b3757ea569be4075a8386

SHA512
c950bcace586604d46514c5f91402597eefa8bee828fd37a67df62f9c9056f61cbe911c76772ae7af14a467bdabbd3f63da9a7c983a5fff06c3e2647ae849104

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
23.8MB

MD5
391789ab1e8a0d746a0b1427855e43f1

SHA1
85867cb80c74ed2005c804bd931b0f990a084744

SHA256
f5176edb1a501786f367e3711d5844a41ef2cbbd3f2b3757ea569be4075a8386

SHA512
c950bcace586604d46514c5f91402597eefa8bee828fd37a67df62f9c9056f61cbe911c76772ae7af14a467bdabbd3f63da9a7c983a5fff06c3e2647ae849104

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
23.8MB

MD5
391789ab1e8a0d746a0b1427855e43f1

SHA1
85867cb80c74ed2005c804bd931b0f990a084744

SHA256
f5176edb1a501786f367e3711d5844a41ef2cbbd3f2b3757ea569be4075a8386

SHA512
c950bcace586604d46514c5f91402597eefa8bee828fd37a67df62f9c9056f61cbe911c76772ae7af14a467bdabbd3f63da9a7c983a5fff06c3e2647ae849104

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
23.8MB

MD5
33a23f4d5daaa89eb8d8670d6905e2b6

SHA1
d8f5fda873300d62264476857127aec2630ac69d

SHA256
7a594a1a5faee5de90b6730de40f8c768d81ec6c612879d0c1c4e63cd06e755d

SHA512
fa79e6b0705ab6afed75da132b457752c9e68f7ff9c211060ea41f8faff60cba43a46ff34db98ebb28635f68f8cfa05d73e21a45355443d523f808f4be71995d

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
23.8MB

MD5
391789ab1e8a0d746a0b1427855e43f1

SHA1
85867cb80c74ed2005c804bd931b0f990a084744

SHA256
f5176edb1a501786f367e3711d5844a41ef2cbbd3f2b3757ea569be4075a8386

SHA512
c950bcace586604d46514c5f91402597eefa8bee828fd37a67df62f9c9056f61cbe911c76772ae7af14a467bdabbd3f63da9a7c983a5fff06c3e2647ae849104

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
23.8MB

MD5
391789ab1e8a0d746a0b1427855e43f1

SHA1
85867cb80c74ed2005c804bd931b0f990a084744

SHA256
f5176edb1a501786f367e3711d5844a41ef2cbbd3f2b3757ea569be4075a8386

SHA512
c950bcace586604d46514c5f91402597eefa8bee828fd37a67df62f9c9056f61cbe911c76772ae7af14a467bdabbd3f63da9a7c983a5fff06c3e2647ae849104

Download Submit
memory/2716-15-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2716-14-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2716-72-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3016-11-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/3016-71-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/3016-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3016-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3016-3-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3016-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads