9a5b768679a82140e299f3845f53a7156a2c179d4f6e2ba11b883f0e98fb3174

Analysis

max time kernel
253s
max time network
296s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0900d3c3c10879419b17809610e4b269.exe
Size

2.9MB
MD5

0900d3c3c10879419b17809610e4b269
SHA1

2628631d4907d397c7fff1ef4c4881f3046c7b83
SHA256

9a5b768679a82140e299f3845f53a7156a2c179d4f6e2ba11b883f0e98fb3174
SHA512

bbafbe58d34362890f00b3c979057c4d33c6d211cefedadedf16646650bb3ec7b68581ea61a5c146e9b81d3ed3ea594c3c76fa3f1f1017cecfbcc1bcdf763227
SSDEEP

12288:Tp4pNfz3ymJnJ8QCFkxCaQTOlOb47MMpXKb0hNGh1kG0HWnALue:tEtl9mRda1rMMpXS0hN0V0Hj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0900d3c3c10879419b17809610e4b269.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0900d3c3c10879419b17809610e4b269.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0900d3c3c10879419b17809610e4b269.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1580	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	0900d3c3c10879419b17809610e4b269.exe
1864	0900d3c3c10879419b17809610e4b269.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\P:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\Q:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\S:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\Z:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\R:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\J:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\T:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\U:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\V:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\Y:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\B:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\G:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\L:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\O:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\H:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\I:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\W:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\X:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\K:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\N:	0900d3c3c10879419b17809610e4b269.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	0900d3c3c10879419b17809610e4b269.exe
File opened for modification	C:\AUTORUN.INF	0900d3c3c10879419b17809610e4b269.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0900d3c3c10879419b17809610e4b269.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1580	1864	0900d3c3c10879419b17809610e4b269.exe	26
PID 1864 wrote to memory of 1580	1864	0900d3c3c10879419b17809610e4b269.exe	26
PID 1864 wrote to memory of 1580	1864	0900d3c3c10879419b17809610e4b269.exe	26
PID 1864 wrote to memory of 1580	1864	0900d3c3c10879419b17809610e4b269.exe	26

C:\Users\Admin\AppData\Local\Temp\0900d3c3c10879419b17809610e4b269.exe
"C:\Users\Admin\AppData\Local\Temp\0900d3c3c10879419b17809610e4b269.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3308111660-3636268597-2291490419-1000\desktop.ini.exe

Filesize
1.2MB

MD5
1547d35430d81b39d49ba38e76767783

SHA1
30041ae9bba766420341c5f23b5c2c0ff58d2771

SHA256
ec65c248fd0959198e4f4f34c52d58e64c45b8dddbd0a1922ef0fee0c54f9b5d

SHA512
d29a8817b6dde999d089136697796c822ef67e30f60325eb25c0441fd196300f414df81f97e02692e5ede1af2dd951333b29dc771fb14c225bb9bb86cb08467a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
e4bc9f7ef91b7dd11332677cc8a2528c

SHA1
2f7ef481f972f3093997ea2b16bc07d74e806f55

SHA256
8de3644f28ae6a0482abf78835ed33858b669005cdcfb937379da32ce706a0e3

SHA512
3f5e82583b489b0c6c37ed0e4123a88b8109b91b1ee8986fefd84ea631c48a786a40dfbeb84d159d48a9a142ed23e78052c4cde8ec1738c7b1b2bdee8334ec9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
220adf19e72048b1aea52dd9e6fcd4d3

SHA1
f725e81f9447a0652f0721bdd5416fc2016f2b5e

SHA256
e019e8c478990943ee8b4a53ca8feaec67251828d7550950f9fbb6fa40ba1b98

SHA512
535fd2c346efc77cd9ea744e9b3c2401dee88d970ceeccc6d42216313578c2471cfef975e635d9c74b2b511e6267a1963a5096dc5f9241c989d51a16ca2342a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
2f884edebc07ac140e5216bcb52aef34

SHA1
c47c407733302358596a9d055fd62006688291b5

SHA256
aaaf000f28711fb04220c67cd6f95e2cd5b3dcafa146029f6ab197e1b71f4502

SHA512
feb9867dd797ae30554a44f0718a0514d61245061253d06e73857eb2260158551a87852214c6c90d3c16fcb4056f2347c7f22472ed2559650bd96235774f0820

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
1.7MB

MD5
1c59d74183e95f61d56587eb68d2abeb

SHA1
f4516014dcde9d28a9a957dc82d2ec18bfc8c65f

SHA256
43532b5ba72c2554598197c3f5e73077cb25cf3854bab27e359a51d972e9ef56

SHA512
ec2038313a4df84172cf7da799d64e1b402dbe82fda74966fba977cdc56d47b972580ec07bc8de4435f243f5835f99777227db92da51ca2219a65aefdb54647f

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
1.5MB

MD5
6ec0b9b2fb9563b44a960515bc678c6e

SHA1
6848902499a8d64aa4f4d6b8763f843e1ef75e8c

SHA256
b178935e946339120e7dd9d3ba0901ef9abf3d6f9d3e5aa9b80256b58d1881ce

SHA512
251c25fb668901d45a3d9bda932890208f47b082c7621b062fc8a5e0bcffa9c3eb3759a5d9f12f05c11e8de6e1966e62375bdc2dbe4be5e7e6a1cb28b2892243

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
1.4MB

MD5
aebe05c574053800cfee43986b3f305e

SHA1
68acd76b4cd41d353cf9b09c8e9ab54c7b6bdb8f

SHA256
20e3cec02716cd9f700b8a019556a1c9488bc9b51f7384911c7484e72ef2565c

SHA512
0c1f7321451bf7fa6afbb5c6d0706248fe3b437dbd497e69ea8731f03de40d2b1e3bb0fb85c5c36994d7a64cbc3defbf70b96bf62a22f76b30e3c35d5a84af2c

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
544KB

MD5
a18f9930bbf2c5c9b2f8648058e8d4a0

SHA1
b09f7995947265fb75baeee2a07adbc9ba76fb35

SHA256
fec2c096d99d190785e6ea40c2fac8c41a90bfc9f974286109088dac6cf80aad

SHA512
936cd1203faec377b23810b41a28d647f8216db553b0b1a9ede194b04c749cc50b216f2e40c734bf7ec0b2cfce40a027f86a565affd6a1820057bd58341dd208

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
1.6MB

MD5
35e0ad46f40769baec8ce66484c9b7be

SHA1
eacbf39610cc1421d5e8e296d434e233ca7eb0ab

SHA256
dd1147172a1bd508f79605832e91d8b6b908b3792dee50da1d15d96620a1a15f

SHA512
d619f20a866ceddaca5aaae8f73f1f4ffcd658aa154f34cf421ea49e7a72eeb88dda0e5c061e16b9baa93dd639bf73ea47b00e0e42c444575fe6eb9a75032bec

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
1.0MB

MD5
ffc98fb0510210ae8e27e086ffcfd5b2

SHA1
132f887c4f0c6e68f5cb93a0edd809402c3852dd

SHA256
b5e5fbec79c0b717f7179e84c8bd2f25bbc882f80a9989215e8ed67f95f8a6fe

SHA512
8495721deddc83d7f7a9ae0f1a32706455deb828857fdb34c76a08cbb337d8fde8b7a84c2d349ed03dc1f816f5652f367b2fe684cbccd22f4e71c4b3ce604137

Download Submit
memory/1580-9-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1864-69-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1864-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads