Analysis
-
max time kernel
146s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
11-01-2024 11:01
General
-
Target
5357555a362d46343601b6b9dc6fa33a.exe
-
Size
939KB
-
MD5
5357555a362d46343601b6b9dc6fa33a
-
SHA1
b66a013a7485290bed5d5df3fe80fc45c22cd4e6
-
SHA256
c0ce4187cd5edd6933c3f33ec59b5c27aec6d846d30fa0f2777c1900a783767b
-
SHA512
102b8811babfe97485cfc6afea4fbdd523bc1d37c5dafc5cd2d385d8985c888a2fc78af5ac9ba17281266a9316e53a8efde24062282ef9bbd3a933f5cba35254
-
SSDEEP
12288:gp4pNfz3ymJnJ8QCFkxCaQTOl2GVqCw+57U:aEtl9mRda1VICwWw
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5357555a362d46343601b6b9dc6fa33a.exe"C:\Users\Admin\AppData\Local\Temp\5357555a362d46343601b6b9dc6fa33a.exe"1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
939KB
MD53d65e43816bbd47c1acfdeb5b04fcfc7
SHA1fd4063e16e061fc477c71757b913771a4657ea47
SHA256c6815cc84e6fe277afd9148f076be588a9a773872c928118dd97ba24e01a6fff
SHA5123f3c9709c36be4c492c657608d54ee5a5efabda71b173cd17b7cfd978c032f45d647eff4f6177a6e57b6a1a184e14d82efdc9ce51d177591c4f4c90bbae5c0cc
-
Filesize
954B
MD520d03a752a6a691fb2755a59a39cabec
SHA10f8d9b99be5613376ec52a7c081a5b81c639cbb2
SHA256ff3fe57ef764613522df42133f5cbb6493ec8c6f0b3d0acf28b6c46cf3f901a1
SHA512da5a5b9db7dae0875f2ae87d392700c36950b31010571a53da3f50707e9fce6ff92d509078e3b3155f468fb84e82211768e8ca9f2fc228abedc7e4aa6bf6defd
-
Filesize
1KB
MD5446b98bb0837a4260a49b7bd190b4067
SHA1d051e13a01c4e601124ceaf8132252654d1c0465
SHA2565a316650891797dd7da9f832376e880d1f76e4ae9374c1b9a4226d687463dd72
SHA512bedf76f4654f6527a019da6c4399eaac85da1e7ec207384008786c907643064cf97b619b97c78b56d9593bc492f15852444b1843d8c0e05ac79349218a382bc2
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
-
Filesize
939KB
MD55357555a362d46343601b6b9dc6fa33a
SHA1b66a013a7485290bed5d5df3fe80fc45c22cd4e6
SHA256c0ce4187cd5edd6933c3f33ec59b5c27aec6d846d30fa0f2777c1900a783767b
SHA512102b8811babfe97485cfc6afea4fbdd523bc1d37c5dafc5cd2d385d8985c888a2fc78af5ac9ba17281266a9316e53a8efde24062282ef9bbd3a933f5cba35254
-
Filesize
824KB
MD5c853a168279977cd88639426e1af524d
SHA1b7901437e3c439106b6fefee2ac2fb549248d402
SHA256e07428c9a6eb8f2332a668b011a432b61f736ad65c0516ed2ffd0ffe436aae9a
SHA51282eae8c0d2e3747d643cc8ca9c79cad608d7956ecb1c9c7ccad952643aa59a837a89d3551cc16e9236f28b7b409347f44acb7f7a7c41b5a2aee67284bd1f238c
-
Filesize
482KB
-
Filesize
484KB
-
Filesize
4KB
-
Filesize
482KB
-
Filesize
4KB
-
Filesize
484KB
-
Filesize
482KB
-
Filesize
4KB
-
Filesize
482KB