e39d180c833e4047aa2ab2b8fa6f2e2e47d078739740889a77ce0bbe32f282d8

Analysis

max time kernel
145s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

139231a2b6bd765a0a0f315270f255b6.exe
Size

704KB
MD5

139231a2b6bd765a0a0f315270f255b6
SHA1

a9995484a3ebc3eeb1ee2ceea8e88016eaf07cea
SHA256

e39d180c833e4047aa2ab2b8fa6f2e2e47d078739740889a77ce0bbe32f282d8
SHA512

120c134e52e1e44c47137937db93165494a2c2bbb16f2d1dc5de676478029122b9a54d8d005cfbeee8ed89172eea0bf3429f690a4737913ce3f6039caa508957
SSDEEP

12288:gp4pNfz3ymJnJ8QCFkxCaQTOl2GVq/ZFhTohS1:aEtl9mRda1VI/ZFhTohS1

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	139231a2b6bd765a0a0f315270f255b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	139231a2b6bd765a0a0f315270f255b6.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	139231a2b6bd765a0a0f315270f255b6.exe

Executes dropped EXE 1 IoCs

pid	Process
1124	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	139231a2b6bd765a0a0f315270f255b6.exe
2976	139231a2b6bd765a0a0f315270f255b6.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\H:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\I:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\P:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\Y:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\M:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\S:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\V:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\K:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\U:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\Q:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\W:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\A:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\E:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\O:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\R:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\X:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\L:	139231a2b6bd765a0a0f315270f255b6.exe
File opened (read-only)	\??\N:	139231a2b6bd765a0a0f315270f255b6.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	139231a2b6bd765a0a0f315270f255b6.exe
File opened for modification	C:\AUTORUN.INF	139231a2b6bd765a0a0f315270f255b6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	139231a2b6bd765a0a0f315270f255b6.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1124	2976	139231a2b6bd765a0a0f315270f255b6.exe	28
PID 2976 wrote to memory of 1124	2976	139231a2b6bd765a0a0f315270f255b6.exe	28
PID 2976 wrote to memory of 1124	2976	139231a2b6bd765a0a0f315270f255b6.exe	28
PID 2976 wrote to memory of 1124	2976	139231a2b6bd765a0a0f315270f255b6.exe	28

C:\Users\Admin\AppData\Local\Temp\139231a2b6bd765a0a0f315270f255b6.exe
"C:\Users\Admin\AppData\Local\Temp\139231a2b6bd765a0a0f315270f255b6.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
44adcbc58b81c702af79c2c6a1019581

SHA1
8305b2b35888d658fd7aed9e380906ad42a4dbc2

SHA256
bbc20f3ae451cf892b712a8b5b23c8ae7ebdf6795ad2c12f7ce75c95e2c8e571

SHA512
0fec1eaed31bccdea20c15a333f281dbf6770069ff64ccf39032f5c2ea4f1e0233ff08ccc2267079db9c8e49368816f496e3c9533500e68f7506370ee0a00aed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
33087ebc816518f84f4831bc6b0a013b

SHA1
315084118c94676404d166869df8b6f68023339d

SHA256
44ad3f462188b1b26d203219207d6b77c1946b8082a0df17fefe8497619da63c

SHA512
0443c7eec8a4b3b52029236e49b82dc90a6eba854a355cda9b421f14735ee9fa53b181333a716ecbe91e98dcb05413d1dc796d2b2bec5706bb249fac6c6a50ab

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
92KB

MD5
bf6776af1db02718fc39db2bd70b17af

SHA1
5b0d737841e2858616cf7e4186efb29d03a28acc

SHA256
eccfe353b6552c68d905773566180b079dd28004ae9120c590d68773ace23223

SHA512
cd198acf39eca69b75e1415a57509209d360289314069cdd39aa769edcfaf0cf9533a704d0a320bf6a6a4ab074e120aa589e60e0833e5c7ae8645ff8f6ca3fcf

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
689KB

MD5
843cf03f8b77640543fe0f815534c965

SHA1
63cbddb8cc7fc2c2c35d0d2eca1d09ec1ce9cd7b

SHA256
79286676e35d81d733843bba451209b954a17f27b80f28b210b3874b90b9864a

SHA512
77940984d9ddb44966c73d9309d502088873981b8d6b0c333247eb4ea0d26b8a0c1644ca108241b2b0c247e99cc8b8b4c2d43283b07d642ceba6e272549294aa

Download Submit
memory/1124-236-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/1124-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1124-11-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2976-4-0x0000000001E30000-0x0000000001EA9000-memory.dmp

Filesize
484KB

Download
memory/2976-241-0x0000000001E30000-0x0000000001EA9000-memory.dmp

Filesize
484KB

Download
memory/2976-235-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2976-0-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2976-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads