520c414a8cd0eee6c94feca774f0b6e356bddf7236813b9359e79a986b40a5c4

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 00:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e6ad1d5704ff61f7f7c29136708b754.exe
Size

693KB
MD5

7e6ad1d5704ff61f7f7c29136708b754
SHA1

d4c70ea46f25554dedc57d69fa5cbc5dbd1f84c2
SHA256

520c414a8cd0eee6c94feca774f0b6e356bddf7236813b9359e79a986b40a5c4
SHA512

9a2cc181c6fda294452445047f0316a44659c2f7e086def793fc5697a50cf3ead95faccbc3d1ca0d1bfc89e086bd73d57615fdfd9e5f4e9c19ab93f2e284ad14
SSDEEP

6144:L82p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBilN:Pp4pNfz3ymJnJ8QCFkxCaQTOl2N

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	7e6ad1d5704ff61f7f7c29136708b754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	7e6ad1d5704ff61f7f7c29136708b754.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	7e6ad1d5704ff61f7f7c29136708b754.exe
2020	7e6ad1d5704ff61f7f7c29136708b754.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\R:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\V:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\L:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\P:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\U:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\M:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\N:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\Y:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\X:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\W:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\B:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\O:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\S:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\K:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\Z:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\E:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\H:	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened (read-only)	\??\J:	7e6ad1d5704ff61f7f7c29136708b754.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	7e6ad1d5704ff61f7f7c29136708b754.exe
File opened for modification	C:\AUTORUN.INF	7e6ad1d5704ff61f7f7c29136708b754.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	7e6ad1d5704ff61f7f7c29136708b754.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2752	2020	7e6ad1d5704ff61f7f7c29136708b754.exe	28
PID 2020 wrote to memory of 2752	2020	7e6ad1d5704ff61f7f7c29136708b754.exe	28
PID 2020 wrote to memory of 2752	2020	7e6ad1d5704ff61f7f7c29136708b754.exe	28
PID 2020 wrote to memory of 2752	2020	7e6ad1d5704ff61f7f7c29136708b754.exe	28

C:\Users\Admin\AppData\Local\Temp\7e6ad1d5704ff61f7f7c29136708b754.exe
"C:\Users\Admin\AppData\Local\Temp\7e6ad1d5704ff61f7f7c29136708b754.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1268429524-3929314613-1992311491-1000\desktop.ini.exe

Filesize
324KB

MD5
d9b8cd302ca210f33e1c8eae5886b86c

SHA1
3d9118e7d5345838715deddcd4c07d1511502bcb

SHA256
9e36f74b53578116ad49c54a58ef9e0bcbfd77fb3e047c74899cae12008cb6c4

SHA512
edc9b843b17ee60548da76f11cd9908784e623d56aac65e68adc30632bc0414db3de17264ec08bd32b08ee0a935caedf1759ba2e9dcb958b6286fbd781d1e08a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
963e61bc178ddb09ed2634ac4e7cd447

SHA1
497929c21972f2878e40454d4b727ba3a97bf8ba

SHA256
1fc86fca1be1c2d8ee68455310dd7369c5c1d7add0ce6080c94ee1aec59f1271

SHA512
93d380ad9036b896d03bb9c5713665d1614413f1aa34897f42c61041f885bf9f9d5eddd29f1d946f6751f7ec90bed234a9a2474a1f575f2cc70051e3370a126c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
131518654cce387d5e392f079d3b4853

SHA1
9398c89dafc086775d8e9c9291167cf542fb7e3f

SHA256
6dfa400a45c401ac8fc644821240cd271f2754838f96879f1ff1be3e6c0f54b2

SHA512
0f88b36ba4cd6b9b63db2f140c6dbcfcd23d1a8e0fdd84da4ab1d161d7fb68f8c911444d1859aca6a577225f53a1dfebf0985f0488ac5887f349735f6a83ef14

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
620KB

MD5
0364dd4c7ab4cd4b26e241a21328fac9

SHA1
eaf7bbe109a19d98bb6f606ec46ab223fccfe03b

SHA256
eedc3d0cf329caceba331fbbe8ac164c76a4862431bf2237da8dfc2877193295

SHA512
56377dc724d6ce859fc73c4c54dce434de2c49b5c74160b853aec1a5f4a5623077a5c913c66f20aceca25ccd62f88d37a207a9109897de062810572b17b71fa4

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
693KB

MD5
7e6ad1d5704ff61f7f7c29136708b754

SHA1
d4c70ea46f25554dedc57d69fa5cbc5dbd1f84c2

SHA256
520c414a8cd0eee6c94feca774f0b6e356bddf7236813b9359e79a986b40a5c4

SHA512
9a2cc181c6fda294452445047f0316a44659c2f7e086def793fc5697a50cf3ead95faccbc3d1ca0d1bfc89e086bd73d57615fdfd9e5f4e9c19ab93f2e284ad14

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
692KB

MD5
d5cf958c4f8b0cb4c100336a05fadd53

SHA1
9f7a99ec26fd387a6fa49c13c1aca7cd7f15113e

SHA256
5f3d8507e341173289f3b3157c1ed0e4aa2dd833a44880b76ba19403fd4d8554

SHA512
f51bc96b3b67b85ba0f0b1acf5a8d9a68d19b6fe037a6872bb546fbcdb6bc6e83a1af5f50aa62b76c2b23b39bd0ec7aad00b77089c72a906f52c8972aeb4119b

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
605KB

MD5
d96674833e77172a42b49a6658344b4e

SHA1
3c25ee87d368e5cbf366a7516cd85936a335456a

SHA256
4f54a18ca49dee638b9b1575d454202854642c55681a8ae56520c4fee9610886

SHA512
85036f25b58c7e8c7d943ce0583e52a7e9d7d2f9b89eb79ac81838216c01fdf761ea45e665923d5701350c4db9f89f8a95ab0b3067e60fe03d3cf6094a58b44b

Download Submit
memory/2020-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2752-9-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads