Analysis

  • max time kernel
    147s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2023, 22:17

General

  • Target

    1e3a04c6a1b9a3569a656a45fa2ff15a.exe

  • Size

    6.2MB

  • MD5

    1e3a04c6a1b9a3569a656a45fa2ff15a

  • SHA1

    1e5ee399066ea2284ec7325c96d5bc73d6ac7544

  • SHA256

    191885b5edaf68153062c17e9ed14fcd0189d78af052135351d5c0bffd5d2e8b

  • SHA512

    a7bc8d9effdd7c402f656889f39efc9224215624d5827c37ea4209d14d31aec98d89c2798eb73397ef6c50023391c397c5b90a80cca4184b55a43fcd0f8100ce

  • SSDEEP

    98304:mE2ji0F/LR5Wj+hMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMM/:mn+0ltNI2lyH

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e3a04c6a1b9a3569a656a45fa2ff15a.exe
    "C:\Users\Admin\AppData\Local\Temp\1e3a04c6a1b9a3569a656a45fa2ff15a.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini.exe

    Filesize

    6.2MB

    MD5

    d9554c558ed74599095dc2cd5f29916e

    SHA1

    1326606c483ba836ca724ed51178cea1570594c5

    SHA256

    84280a70eab85af07157034da5c85d0338b7e26cadadcdf678ddab07b878f3f6

    SHA512

    7a402388cc8d87eba504e0f926402836ab1f5f46dc9300fc95a51bf33322def4f9ea58c12a5f173a125d1ec57003db67542eb5aed149c226de7ae9f8bcfa7ec5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    dec653e9df9448e192c2d4d5311d284b

    SHA1

    39439d43254ec309ef4863026fdc7a4db06d8bfd

    SHA256

    b0141428a2cbb63821465af7f23e4501e0c42139923231514d47ab420949d1dd

    SHA512

    10f3c9e7caac326c692d6b99b0d0daaabef00b846ea0e6f5fe30920fbf6471f61e1be096b00b5f4188e9446629b27fd05bbf9e6548ffd3fac364644a86bb7131

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    3b1a5bb724b05bde4b5d413a64eff870

    SHA1

    3407352a295509d484a05f099d03c5dfbd91a90e

    SHA256

    703bb88d6d6d75c6d72d89553545006e69b1206c553889efc2989a46940bc9f3

    SHA512

    0de903699401caa7ad7324cd04f9b0e1b3fe0ceaf29cad8f79ab6143a705d1134a628f351e9aafbfb3b8aeee4ddbf55bcb5917a12d8b913153abdaf67c06f8b4

  • C:\Windows\SysWOW64\HelpMe.exe

    Filesize

    2.4MB

    MD5

    2b1132fc2cf38b209e7e2da56d9d12d8

    SHA1

    f53286e74f1e9c281175162a215213f400c43cc2

    SHA256

    fcd652139cc73cef15e130aafa9a3e88b91c72ba963c5c98ddff96b0b1cf2a1b

    SHA512

    ead2ed17d07554940abfba8e96a049fe8a605f0d1af4fe678da1d847b185767a05e6a319f00d216ffe33bef2edd4a17f5a8f8c97212e530f38362c3c18f07f15

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    4.6MB

    MD5

    36c41bcc288d08ffb1bdde7d5cbf3d63

    SHA1

    63fd0ac79e41bd26e0e263aa0a8695e087ec90f9

    SHA256

    a3145b14781773ec9417b69b60db04bf9ae811514309ddb974ffa5fe3c306968

    SHA512

    3e598ef8adf46de774b20f7bd6765ae3668d569ff8bc41eb795555b0d2f727e6cccf8b51e2fef0f313fc9e8d6d1770b8d1995b9b1beeac064686143a483c6d31

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    4.8MB

    MD5

    b39bf86dba551aca11aa373c6780d375

    SHA1

    138f62686345b11f86271b0b4969c50e6f1e6801

    SHA256

    1a13fb2588c88c303e9e871ca23a89e8d2dd72b3a699f41d4f8e7f126e8e3130

    SHA512

    87347e0021539fc5136482e18166eeeff6d36577697b04a4a4776c5bfc3894744a13d30f48bf1662cf7df001894b88be8ca9b418bdfce32d6352f551613979fa

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    2.8MB

    MD5

    47a97940406217c01978f0f4cb0fe263

    SHA1

    2a235e623881421da65683a11ced83e7c7c57831

    SHA256

    d03e67560d9df1676806d628f35d5a756605750c80eb1dc2a51837a3b37c96fc

    SHA512

    3406fb0718644306392ea77bc4903de44114d319766fe18554bcefac6307d567ae7541bb254b901141f1b5105a1c8f2a342c9394b23b8a78f1ebba47978d4a65

  • memory/2084-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/2084-236-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/3064-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/3064-239-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB