9a2050975d64a4555022767549de73a45570e0d492817541425c94b617a8fefc

Analysis

max time kernel
5s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

458feaf157dc30c9aeebc7b939487648.exe
Size

3.4MB
MD5

458feaf157dc30c9aeebc7b939487648
SHA1

02ea664dae6229f391789e6d6debdc20d42deff9
SHA256

9a2050975d64a4555022767549de73a45570e0d492817541425c94b617a8fefc
SHA512

d556d490cae2471adddd5ed63a35479432cb52d0ea887335ddc673294abd1f9270e1e0e6a8d7efb5b2c4b6faca81de4093cf1294c414e5d56df95fc6cba6a5f7
SSDEEP

24576:OEtl9mRda1CKB8NIyXbacAfUSunEp+XRGEUvkXw6zezNFtcyyRvx+z94sY8x:NEs1hB8NIMI8Sfpwotkzaxc1OGz8x

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	458feaf157dc30c9aeebc7b939487648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1204	HelpMe.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\P:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\G:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\I:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\R:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\S:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\W:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\B:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\V:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\J:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\K:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\O:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\T:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\X:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\E:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\U:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\Y:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\H:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\L:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\M:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\Q:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\Z:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\N:	458feaf157dc30c9aeebc7b939487648.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	458feaf157dc30c9aeebc7b939487648.exe
File opened for modification	C:\AUTORUN.INF	458feaf157dc30c9aeebc7b939487648.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	458feaf157dc30c9aeebc7b939487648.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7z.exe.exe	458feaf157dc30c9aeebc7b939487648.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	458feaf157dc30c9aeebc7b939487648.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	458feaf157dc30c9aeebc7b939487648.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	458feaf157dc30c9aeebc7b939487648.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	458feaf157dc30c9aeebc7b939487648.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	458feaf157dc30c9aeebc7b939487648.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	458feaf157dc30c9aeebc7b939487648.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 1204	4976	458feaf157dc30c9aeebc7b939487648.exe	21
PID 4976 wrote to memory of 1204	4976	458feaf157dc30c9aeebc7b939487648.exe	21
PID 4976 wrote to memory of 1204	4976	458feaf157dc30c9aeebc7b939487648.exe	21

C:\Users\Admin\AppData\Local\Temp\458feaf157dc30c9aeebc7b939487648.exe
"C:\Users\Admin\AppData\Local\Temp\458feaf157dc30c9aeebc7b939487648.exe"
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1bae4bb7a02b9ccb6f00972b6c113939

SHA1
1d2fffe79a1f24fd2198737b50215971869b562d

SHA256
d36ba4f1c8e4b78f9149c25016075942be48650e8911314047788fdd9a328cf7

SHA512
5df4d219f1624eb8f67f758851763175a94f828242c5794945153aaccd5b38832381d118166afa2571354b2214118b608df2e779d7818ee4b0f4e7e33ca7b404

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
87c75401c6890b36cdf176076e9c4d33

SHA1
91168d3cd4871061a1e92f54e25ea27de7230072

SHA256
e93cff7310f4003532c7d94ac651efaaeb3af8096a4af4aec7ad4994b2748512

SHA512
cb1fe1eb17ec3bc01e725bf10a616bbdd4955ddc31b2e0a02e884d7ff8581b0b63c7e1af83d0c2155a2dea2f7c2f65a3bee9334712b9918c72fe160388acd5e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
f6c87aca0fec56ee8e6c469fdb740ed2

SHA1
8d8c093c3ec6371ea321c4491afc991052e1bcab

SHA256
3770cdc2feda120f328ea44703bb35899ae56bb98cfa2bc7e5b97fa82fdb8af1

SHA512
be2b93905b8c642cc8146eb37d5202309e580930c2a9983a628c5d1585420470b35fe9e2dfd3ff6f1b7fa493e42d5d82ef048e2c69c512d6968b811cbd2a46d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
8879a92541985efb999d23101e7666b9

SHA1
3beaa9e5a4cd59855462cbeb116b13b6717df9a3

SHA256
710fa36ae027ddc17f3cfc7a5a9104fcaf66a8e6599ac1bc3f523991bf85766f

SHA512
d0e6ff907236ac26f1fa611d80c15f21efa1fcc6c3a2ff932fb3df37e1ae2645a048728d134aed20d5f2987f4294b3b8afb2f5286deb0099f0b5ab0894fccc32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
e2bba0ac261476bc6160f7aeb5e66740

SHA1
1d7d3a934a0a95f33a082baa6cb6e6348fc0ed8a

SHA256
9ea38c16065a3b7c20aa18f2af4f8bd6bb53b9ab199ff458354c8a68263fea97

SHA512
dc50e13b09b1eff760a5d11b410d8da2e08b50124131fb7090c631a467690df529cfcbe1c2a67dbbcc83d71d0cfba17e6cf86eb21543ba3a80f54f620a7ebf02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1023B

MD5
2ad3182e66fde908bc1458d32ea131e3

SHA1
76b629da19bc9523c4e3bdd26539e111d038fd2b

SHA256
15f711da4f1c97078f8d6ea1663be098340de6e485d64eaab05c64229926833c

SHA512
28c88ebce2148efa3cfa176c821d57e6983dbc4281043605bc335cf1c62d8ce79667ba0a4ab0d5df4b4c8cc6bf2221f9a4523b3e05b6a4b57ef022ff59ff3e25

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
532KB

MD5
7971ded1b8976eb623073300cf5872b2

SHA1
f35de42fed3affa395666910efd5aeda379505f6

SHA256
a454497918e0f10702ae8ca331da5db136a02cce6e9dfa284042eb6f685779b3

SHA512
00c3a8ee4f4acceee2cc5c6c28e1747881152472e211338c11f7c13083b5bb3802a3cfb205a5d8236840cd47e19b5a447f31c5fc73c4709a0998974ef57a0996

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
98KB

MD5
ede1aa83115d5c7b54f2cf437aeb2963

SHA1
bbadd71e14be2e8bf95ee047a57350b211ae2472

SHA256
28463493b99b7c86d621e9f0c0c0c3d672be4a94d4d28e2097c67b0e568a8dee

SHA512
385787c7a76535b861b49e45636dad53694886d3494e827005fe0544ea859788d9e2d2f0ab9c9dea6e569f0a14ad77a60a7eeab2299b80f520c0db4c028837eb

Download Submit
memory/1204-7-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1204-6-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1204-3920-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4976-1-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4976-2877-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4976-0-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads