Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/01/2024, 14:09

General

  • Target

    727176a93823f1e50143ed28a14527a4.exe

  • Size

    1.1MB

  • MD5

    727176a93823f1e50143ed28a14527a4

  • SHA1

    8974bacbffeaf72e739e98a8eed796cf2e081b0c

  • SHA256

    c1a902ea477a36f56c456eb165f4a13d55362701f088b30df357a58093c6047f

  • SHA512

    46dff2fcf0fca3e2b5fc36cc2575103e93ac2406736cf59a86efcdd8c5f3cdff98cbdb39a08e14327651a3658a43bc0911b545373ebfcf3946099f29f4aa9af2

  • SSDEEP

    6144:k82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBilK:Cp4pNfz3ymJnJ8QCFkxCaQTOl210

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (31 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 3 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\727176a93823f1e50143ed28a14527a4.exe
    "C:\Users\Admin\AppData\Local\Temp\727176a93823f1e50143ed28a14527a4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1848

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini.exe

          Filesize

          1.1MB

          MD5

          c3e53ffde7c6e5f71c07f6f1e0244da1

          SHA1

          e0f2781752d3a9293a5c2c532f4885c014a789b8

          SHA256

          8adb98c67177c52f72a0244a6b3371951dc4eff0c0904d095282794e692e25c4

          SHA512

          6d561c78dd9a2da4131c80f7b10e52fce14aef6357c9fcbc69950eacf5b6437bac72c599bb1a0a31d66e97e763b97e4022deec36f127cab3c79713dcde920b2a

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          1KB

          MD5

          a86582f2b52892997a0dfdacc769407b

          SHA1

          79739b17054dc81fce9081fae5030764b236cb74

          SHA256

          77ee655e950ff091b005dbf0e53413491706d0a6cf7fac8e296b5790cd325f45

          SHA512

          6e0186f1a002490ba3268892a2c7c248a3946dcb7c0dd0877cfd0b0ab07bae764307642e07ef8cf64256cb8133a8c4c5ca393493ebb42178b9f8cce1b375aec4

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

          Filesize

          954B

          MD5

          5dfeb5b86733e1e37b5adc0b35c533b4

          SHA1

          400c437260055bae18507306a046690045f648be

          SHA256

          a9a2766091d3531aabdcc727ba0788a296ba335e72762f00cc673a318963f40f

          SHA512

          d35b09f8bef65ee2e37201cb1ae5aee9c3a085a6a31657eaf3652a1e7a81ec54e6532e0206f1d51a5fe4713d320f4819c5cd6d91c6d260550a388c89f8a82656

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          435KB

          MD5

          73165a3b64fea356419ebebf93e78687

          SHA1

          bdec62cf2d946543a7649262dfdbfb595402615e

          SHA256

          7d46374fbc379a7e4d878b80f6f97fd1e9f46539f6d21e8c6b89dc650ad06a08

          SHA512

          f2ed454fe06253c6804cd49929bd15ef32d4e6ae8d529b2a0fa2fc409b179c36e161c16091f0cdab951e1ba0892847ac5affe04ddf7b8839bcd77dbb58568f0d

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • F:\AutoRun.exe

          Filesize

          1.1MB

          MD5

          727176a93823f1e50143ed28a14527a4

          SHA1

          8974bacbffeaf72e739e98a8eed796cf2e081b0c

          SHA256

          c1a902ea477a36f56c456eb165f4a13d55362701f088b30df357a58093c6047f

          SHA512

          46dff2fcf0fca3e2b5fc36cc2575103e93ac2406736cf59a86efcdd8c5f3cdff98cbdb39a08e14327651a3658a43bc0911b545373ebfcf3946099f29f4aa9af2

        • memory/1848-10-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2152-0-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2152-240-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB