Analysis

max time kernel: 147s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2023, 22:17
Static task: static1

Behavioral task: behavioral1
  Sample: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe
  Resource: win10v2004-20231222-en
General

Target: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe
Size: 6.2MB
MD5: 1e3a04c6a1b9a3569a656a45fa2ff15a
SHA1: 1e5ee399066ea2284ec7325c96d5bc73d6ac7544
SHA256: 191885b5edaf68153062c17e9ed14fcd0189d78af052135351d5c0bffd5d2e8b
SHA512: a7bc8d9effdd7c402f656889f39efc9224215624d5827c37ea4209d14d31aec98d89c2798eb73397ef6c50023391c397c5b90a80cca4184b55a43fcd0f8100ce
SSDEEP: 98304:mE2ji0F/LR5Wj+hMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMM/:mn+0ltNI2lyH
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" [process: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe]
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" [process: HelpMe.exe]

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Drops startup file (3 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk [process: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe]
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk [process: HelpMe.exe]
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk [process: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe]

Executes dropped EXE (1 IoC)
- PID 3064: HelpMe.exe

Loads dropped DLL (2 IoCs)
- PID 2084: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe
- PID 2084: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by 1e3a04c6a1b9a3569a656a45fa2ff15a.exe (23 IoCs): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- File opened (read-only) by HelpMe.exe (23 IoCs): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:

Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification: F:\AUTORUN.INF [process: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe]
- File opened for modification: C:\AUTORUN.INF [process: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe]
- File opened for modification: F:\AUTORUN.INF [process: HelpMe.exe]

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\HelpMe.exe [process: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe]
- File created: C:\Windows\SysWOW64\HelpMe.exe [process: HelpMe.exe]

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2084 wrote to memory of 3064 [process: 1e3a04c6a1b9a3569a656a45fa2ff15a.exe, procid_target: 28] (recorded 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1e3a04c6a1b9a3569a656a45fa2ff15a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1e3a04c6a1b9a3569a656a45fa2ff15a.exe"
   PID: 2084
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\HelpMe.exe (child of 1)
      Command line: C:\Windows\system32\HelpMe.exe
      PID: 3064
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 6.2MB
MD5: d9554c558ed74599095dc2cd5f29916e
SHA1: 1326606c483ba836ca724ed51178cea1570594c5
SHA256: 84280a70eab85af07157034da5c85d0338b7e26cadadcdf678ddab07b878f3f6
SHA512: 7a402388cc8d87eba504e0f926402836ab1f5f46dc9300fc95a51bf33322def4f9ea58c12a5f173a125d1ec57003db67542eb5aed149c226de7ae9f8bcfa7ec5

Filesize: 1KB
MD5: dec653e9df9448e192c2d4d5311d284b
SHA1: 39439d43254ec309ef4863026fdc7a4db06d8bfd
SHA256: b0141428a2cbb63821465af7f23e4501e0c42139923231514d47ab420949d1dd
SHA512: 10f3c9e7caac326c692d6b99b0d0daaabef00b846ea0e6f5fe30920fbf6471f61e1be096b00b5f4188e9446629b27fd05bbf9e6548ffd3fac364644a86bb7131

Filesize: 954B
MD5: 3b1a5bb724b05bde4b5d413a64eff870
SHA1: 3407352a295509d484a05f099d03c5dfbd91a90e
SHA256: 703bb88d6d6d75c6d72d89553545006e69b1206c553889efc2989a46940bc9f3
SHA512: 0de903699401caa7ad7324cd04f9b0e1b3fe0ceaf29cad8f79ab6143a705d1134a628f351e9aafbfb3b8aeee4ddbf55bcb5917a12d8b913153abdaf67c06f8b4

Filesize: 2.4MB
MD5: 2b1132fc2cf38b209e7e2da56d9d12d8
SHA1: f53286e74f1e9c281175162a215213f400c43cc2
SHA256: fcd652139cc73cef15e130aafa9a3e88b91c72ba963c5c98ddff96b0b1cf2a1b
SHA512: ead2ed17d07554940abfba8e96a049fe8a605f0d1af4fe678da1d847b185767a05e6a319f00d216ffe33bef2edd4a17f5a8f8c97212e530f38362c3c18f07f15

Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Filesize: 4.6MB
MD5: 36c41bcc288d08ffb1bdde7d5cbf3d63
SHA1: 63fd0ac79e41bd26e0e263aa0a8695e087ec90f9
SHA256: a3145b14781773ec9417b69b60db04bf9ae811514309ddb974ffa5fe3c306968
SHA512: 3e598ef8adf46de774b20f7bd6765ae3668d569ff8bc41eb795555b0d2f727e6cccf8b51e2fef0f313fc9e8d6d1770b8d1995b9b1beeac064686143a483c6d31

Filesize: 4.8MB
MD5: b39bf86dba551aca11aa373c6780d375
SHA1: 138f62686345b11f86271b0b4969c50e6f1e6801
SHA256: 1a13fb2588c88c303e9e871ca23a89e8d2dd72b3a699f41d4f8e7f126e8e3130
SHA512: 87347e0021539fc5136482e18166eeeff6d36577697b04a4a4776c5bfc3894744a13d30f48bf1662cf7df001894b88be8ca9b418bdfce32d6352f551613979fa

Filesize: 2.8MB
MD5: 47a97940406217c01978f0f4cb0fe263
SHA1: 2a235e623881421da65683a11ced83e7c7c57831
SHA256: d03e67560d9df1676806d628f35d5a756605750c80eb1dc2a51837a3b37c96fc
SHA512: 3406fb0718644306392ea77bc4903de44114d319766fe18554bcefac6307d567ae7541bb254b901141f1b5105a1c8f2a342c9394b23b8a78f1ebba47978d4a65