75367c79d0689a408a868dfd1f73a2c8ea8fa9ba175c87e4d591aef1a3f840f8

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e5ab4b640aa75f016e8ab6d086b7574.exe
Size

2.2MB
MD5

7e5ab4b640aa75f016e8ab6d086b7574
SHA1

6f1210989b64ff9fd590005be1769e29afbea34c
SHA256

75367c79d0689a408a868dfd1f73a2c8ea8fa9ba175c87e4d591aef1a3f840f8
SHA512

17a925a052f096880e330ea4b8505e6d87b07e451190b5732fce7895cce266cd8e1072961b5f7f9b2c388549b1205ecd8c8dfd1901633e0b25abc3c349cf6be4
SSDEEP

12288:Qp4pNfz3ymJnJ8QCFkxCaQTOlOHiN6LTMMpXKb0hNGh1kG0HWZApN6LQ2:qEtl9mRda1T6LTMMpXS0hN0V0Hh6LL

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	ð§ûÜ
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ð§ûÜ
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	HelpMe.exe
2656	ð§ûÜ

Loads dropped DLL 4 IoCs

pid	Process
1632	7e5ab4b640aa75f016e8ab6d086b7574.exe
1632	7e5ab4b640aa75f016e8ab6d086b7574.exe
1632	7e5ab4b640aa75f016e8ab6d086b7574.exe
1632	7e5ab4b640aa75f016e8ab6d086b7574.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\H:	ð§ûÜ
File opened (read-only)	\??\L:	ð§ûÜ
File opened (read-only)	\??\V:	ð§ûÜ
File opened (read-only)	\??\Z:	ð§ûÜ
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\A:	ð§ûÜ
File opened (read-only)	\??\E:	ð§ûÜ
File opened (read-only)	\??\W:	ð§ûÜ
File opened (read-only)	\??\X:	ð§ûÜ
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\I:	ð§ûÜ
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\M:	ð§ûÜ
File opened (read-only)	\??\R:	ð§ûÜ
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\N:	ð§ûÜ
File opened (read-only)	\??\U:	ð§ûÜ
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\O:	ð§ûÜ
File opened (read-only)	\??\Q:	ð§ûÜ
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\J:	ð§ûÜ
File opened (read-only)	\??\K:	ð§ûÜ
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\B:	ð§ûÜ
File opened (read-only)	\??\G:	ð§ûÜ
File opened (read-only)	\??\P:	ð§ûÜ
File opened (read-only)	\??\S:	ð§ûÜ
File opened (read-only)	\??\T:	ð§ûÜ
File opened (read-only)	\??\Y:	ð§ûÜ
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	ð§ûÜ
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	C:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	7e5ab4b640aa75f016e8ab6d086b7574.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	ð§ûÜ
File opened for modification	C:\Windows\SysWOW64\HelpMe.exe	7e5ab4b640aa75f016e8ab6d086b7574.exe
File created	C:\Windows\SysWOW64\notepad.exe.exe	7e5ab4b640aa75f016e8ab6d086b7574.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe	7e5ab4b640aa75f016e8ab6d086b7574.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1632	7e5ab4b640aa75f016e8ab6d086b7574.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2176	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	28
PID 1632 wrote to memory of 2176	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	28
PID 1632 wrote to memory of 2176	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	28
PID 1632 wrote to memory of 2176	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	28
PID 1632 wrote to memory of 2656	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	29
PID 1632 wrote to memory of 2656	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	29
PID 1632 wrote to memory of 2656	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	29
PID 1632 wrote to memory of 2656	1632	7e5ab4b640aa75f016e8ab6d086b7574.exe	29

C:\Users\Admin\AppData\Local\Temp\7e5ab4b640aa75f016e8ab6d086b7574.exe
"C:\Users\Admin\AppData\Local\Temp\7e5ab4b640aa75f016e8ab6d086b7574.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\ð§ûÜ
  C:\Users\Admin\AppData\Local\Temp\\ð§ûÜ
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1603059206-2004189698-4139800220-1000\desktop.ini.exe

Filesize
1.2MB

MD5
02b6a517a7a5ac737005f88c898e4b23

SHA1
2ca856103bbc458d836f54e0d4312a428ad748e1

SHA256
e771131d674b4346fbad89a8ef6de1beb4bf3f0ba7c7dfda78ba4aba516816f3

SHA512
41bd155bd5c88cd9ba767acbc7082cd148775351ac5354e3ee438bf56939e1b878b4dc6bf1481e5656f29c83f3a728aff5e25f7b9a2134b20b2ecc7883acc808

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
243bf2e440add9fdcff0e42930e57fca

SHA1
47182db368000a69b36df4b5248e4e96421976aa

SHA256
38259377e915f26cf42bf12dd428d9f6d77d2e8df07cd8557a16caae41c57404

SHA512
87014e3d991e55ebb8a9639dcbee64bc9d35c32d709676ccafdd15a4f5e25c2607c95ec215b62f3e2315aa20b375c24dfc3a953765121f2d9301c2ee0154e5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
999B

MD5
2076ad0d6d11d6bdd98d44129bc7ea7e

SHA1
6b984b8fa63da54428bd7c7362db70aa47cf1847

SHA256
87a80e8be795c13747e493b899211b4a74eed51bb3d4ae89a4410230a075bb99

SHA512
42326c3f76b43abd247861e632ef937f7dcb055884e1496a0889d666e6830eb365f6b6fe8119695e4fab16ffea49403a888bda0d80951a411d1be4017666b244

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
\Users\Admin\AppData\Local\Temp\ð§ûÜ

Filesize
2.2MB

MD5
7e5ab4b640aa75f016e8ab6d086b7574

SHA1
6f1210989b64ff9fd590005be1769e29afbea34c

SHA256
75367c79d0689a408a868dfd1f73a2c8ea8fa9ba175c87e4d591aef1a3f840f8

SHA512
17a925a052f096880e330ea4b8505e6d87b07e451190b5732fce7895cce266cd8e1072961b5f7f9b2c388549b1205ecd8c8dfd1901633e0b25abc3c349cf6be4

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
1.2MB

MD5
a8bb25ec8b864b64d88c830e72e48781

SHA1
4f8dd6699a192283c89e633b392ba757f90b2818

SHA256
67ce6b345c4a0af8d3dbc8386735cc0c617a7df6fda684107538de130e976673

SHA512
e458af7d083d7bb9ea968600879daad7341cf953e1ddbd48aea7c0b2801b0e4c27e02ea1b96f0dbe373b63e71fdb126ad4e7cc6d0ee0d42200ef3cef910d7a44

Download Submit
memory/1632-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2176-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2656-249-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download