Overview

overview

10

Static

static

3

421118bd57...2e.exe

windows7-x64

10

421118bd57...2e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    04/01/2024, 22:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    421118bd571a834357ec49375308462e.exe

  • Size

    845KB

  • MD5

    421118bd571a834357ec49375308462e

  • SHA1

    30df90656713ea3847b0caf7296aa65d149c55c1

  • SHA256

    1d516331c26fc4b1a10921da6c8866fefdaa138d8d9c8d3da021218e962a482a

  • SHA512

    b8297a0ef67fa97942ef6849ff1fa564811d3b7529f9545224fa8913f0d75c028cf21f9404bb7802866543c18ca76f59d7e75108465b7c0293e100e0765303ec

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2K9KB8NIpYJTCiJ:xEtl9mRda1rKB8NIyX

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\421118bd571a834357ec49375308462e.exe
    "C:\Users\Admin\AppData\Local\Temp\421118bd571a834357ec49375308462e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2992

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini.exe
          Filesize

          260KB

          MD5

          08eb34506ff7fc730620eb840b9c4ae1

          SHA1

          0814525d1e88866a10f4085fd7c6fd622bf03dc7

          SHA256

          969d0bc4bb71a5a2b551a3d46aee96cb04d6490ddf652a829fbe608887f1693a

          SHA512

          056f42767970bae61a2d26a21163285a78b910f4588d1a19927af77bd4f131e7427e7e71f2f95c41912e187c10a92d429a556737bb5b1ed4126c42a479a5ca62

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          1KB

          MD5

          4d515e55bdbfc89a7f7bdffc2604a389

          SHA1

          88418f75338f49afba5bc6398948dac330865734

          SHA256

          fb235de09fa1a7756c2cd0a5792d2659a698487fb582edfc902db91d2cb0b766

          SHA512

          efacf880da502638f206a126ce669b8f5bd2ea650a4ae0c1e0508e0a898d4aaa4db5663957509de91967b03560b9910478d5b9989ac847f27c48c47b44f11505

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          950B

          MD5

          cfd5104c82653e8c4cfe0e30d0930d9f

          SHA1

          4b0e16e5f64619fe8d0fb79efefc53967334d2a4

          SHA256

          7ca2d708114b982011724bf304810ca56fa3e86f6b966ec9136bcc36ee0e9458

          SHA512

          4360a895611d6efd1689dbae974d4074986fccfc42a928ea8f1b21b4653135eee62278a06007f4fe804e591cbd34aa8f7fc82b38e0144eecc02d7179dc3b4d0a

          Download Submit

        • C:\Windows\SysWOW64\HelpMe.exe
          Filesize

          385KB

          MD5

          1bcd4d59da0c647f940839276ac9e7d2

          SHA1

          11fae1d6c7dd6937fd5542df74058b0b4a5c105c

          SHA256

          b7f46633e6e0ed83258284984406577aec7478605d56f55f4d4d1d82a98dd307

          SHA512

          fb0caaa6d3f0c80c553a7cf6efc56da033ac3dfb0a890f6da66147a64783c1a5557627473875f1c72d7762f868b0bdfe5a8984b0c609f6afd20ed92bcedb6f12

          Download Submit

        • C:\Windows\SysWOW64\HelpMe.exe
          Filesize

          392KB

          MD5

          07a2155a07c53c924f83f17d31731a4a

          SHA1

          1cd9fd9198fc5641f5aaf1391fb627b362d624a4

          SHA256

          2e6a83f156d5a21ea8692a8a5aa79fdaa98388cc45fbf3015f92953c5a2d08ef

          SHA512

          7f42767a506be17a3e4159edf8b3d93f45f7babd102139328163a40143ca8e85619a4133f26da9ddc169744ebbfe8c456dae156bfc1dda8decc911ff17734ef6

          Download Submit

        • F:\AUTORUN.INF
          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

          Download Submit

        • F:\AutoRun.exe
          Filesize

          193KB

          MD5

          b5902c0f74063f326a876d44e64fdc86

          SHA1

          a90efac297696f3238c04cb74effdd663671aca8

          SHA256

          65a386833c968ec12457904b93e42d4b949e0774fa1061688fa65a66e9c46a04

          SHA512

          2246358211eac0b7d3e69a9fa4bbba5f4d6ae267d4cdd45b0e3477c112f21ce9dd6e809fa0c35e9b393333a148fee7bdb93e1dd710b689923bb87556bbcf4bf2

          Download Submit

        • \Windows\SysWOW64\HelpMe.exe
          Filesize

          840KB

          MD5

          9ceab6b4251f70590a4cf63e4289e8ae

          SHA1

          a554029c53b79af300aaff7d4949ce661d9f5df5

          SHA256

          67c12fe54530b040271b70e8e746a5fe243c4efa9ddacaa058f9a7396888116a

          SHA512

          4838407fd58a5b484cdf400197047a5ed24e4e5631fcde66646b11e49d56884192ddd06d217987a9379cc8c2b760732e02c9814ad9d2880878a3ab4fd92fd33e

          Download Submit

        • memory/2216-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2216-236-0x00000000003C0000-0x00000000003C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2992-9-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2992-237-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download