aab24fcb8d398b1a8b1af7b2fbb4dcb1708857dbe96b661fbc8a8c82daaa5d83

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b21e1149051218c49d7cf1f850cd37e.exe
Size

629KB
MD5

0b21e1149051218c49d7cf1f850cd37e
SHA1

8f2a8a734c91ebf60abc6b65bf6dd21e93c4bd1b
SHA256

aab24fcb8d398b1a8b1af7b2fbb4dcb1708857dbe96b661fbc8a8c82daaa5d83
SHA512

8a0fdc4fd8133e60ca110f2839ed25520f410767f9d1582beac0d64d3ab4f4f1d71be9a184e8dd308d682e6c186fbf276e0b55e010ae3abf612af64d2c9e6db7
SSDEEP

12288:pp4pNfz3ymJnJ8QCFkxCaQTOlxSU866w0B2uJ2s4otqFCJrW9FqvSbqsHasgXhFR:DEtl9mRda10SGB2uJ2s4otqFCJrW9FqT

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0b21e1149051218c49d7cf1f850cd37e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0b21e1149051218c49d7cf1f850cd37e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0b21e1149051218c49d7cf1f850cd37e.exe

Executes dropped EXE 1 IoCs

pid	Process
2196	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2220	0b21e1149051218c49d7cf1f850cd37e.exe
2220	0b21e1149051218c49d7cf1f850cd37e.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\P:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\O:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\U:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\W:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\K:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\H:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\X:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\Q:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\R:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\V:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\Y:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\E:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\J:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\T:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\L:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\Z:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\N:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\S:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	0b21e1149051218c49d7cf1f850cd37e.exe
File opened (read-only)	\??\M:	0b21e1149051218c49d7cf1f850cd37e.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	0b21e1149051218c49d7cf1f850cd37e.exe
File opened for modification	C:\AUTORUN.INF	0b21e1149051218c49d7cf1f850cd37e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0b21e1149051218c49d7cf1f850cd37e.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2196	2220	0b21e1149051218c49d7cf1f850cd37e.exe	16
PID 2220 wrote to memory of 2196	2220	0b21e1149051218c49d7cf1f850cd37e.exe	16
PID 2220 wrote to memory of 2196	2220	0b21e1149051218c49d7cf1f850cd37e.exe	16
PID 2220 wrote to memory of 2196	2220	0b21e1149051218c49d7cf1f850cd37e.exe	16

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2196

C:\Users\Admin\AppData\Local\Temp\0b21e1149051218c49d7cf1f850cd37e.exe
"C:\Users\Admin\AppData\Local\Temp\0b21e1149051218c49d7cf1f850cd37e.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6a0d427faf811c1eed245deb0daa789a

SHA1
03dc8c79ad0fb53131950b8693838b4db05346be

SHA256
b98089d3a4923f4ed0d136d52f331aa229abc65263623c739af2918835ad89b7

SHA512
cf34f19a9137d1bc0b5581810c9d58a36a7f1d67f90a5160a3100648485561b017c9d6095c1162aefc1fc4e6f6d6579184fa5ab9189bc8f1034f1641636f19f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
5e95e029ad54408520f9305ccb4fd67d

SHA1
6aa97fa45d9812a1bb9b3fb94a9bbb217fbc40b2

SHA256
8577159f84277dff597dc1cdf12f6774d34941c42eee2687f9c12c10b3f72b18

SHA512
f7fdebaa7d764d87ff6916b182e31ceb6e7446e3c99cda58421804f83f2cecff81101c784c4b3cf793ff7795db39a7c0e575666e1d85bac73530be2e0e930238

Download Submit
memory/2196-14-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2196-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2196-241-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2220-4-0x0000000000380000-0x00000000003FA000-memory.dmp

Filesize
488KB

Download
memory/2220-10-0x0000000000380000-0x00000000003FA000-memory.dmp

Filesize
488KB

Download
memory/2220-2-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2220-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2220-232-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads