Overview

overview

10

Static

static

3

802fb676e9...e1.exe

windows7-x64

10

802fb676e9...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29/01/2024, 15:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    802fb676e94d338ab31044d4d91df6e1.exe

  • Size

    812KB

  • MD5

    802fb676e94d338ab31044d4d91df6e1

  • SHA1

    84f330f304c5e61f03799c774d485c694edfb131

  • SHA256

    06c374df71b088607533cae2db8dd7e2b8ad267bf617575fa2da287d006f1d69

  • SHA512

    73dc1c2e199cfc5a0f7e9b8a17bf27a72d10326936bacd86eff35ab9c5af0daba94a111b6b61c788e0824ed22094392fbdb9ae6f8201aefaf1a43f1ccb961fe8

  • SSDEEP

    12288:Tp4pNfz3ymJnJ8QCFkxCaQTOlOb4bcvpxH/d9:tEtl9mRda1oRxH/b

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\802fb676e94d338ab31044d4d91df6e1.exe
    "C:\Users\Admin\AppData\Local\Temp\802fb676e94d338ab31044d4d91df6e1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2888

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini.exe
          Filesize

          812KB

          MD5

          e855f5d5f1fa2ea8e6cd2c7ea6022b3f

          SHA1

          eb83a88d41bf9d564a8cccbec336d769540917b7

          SHA256

          19497bc10d7f4df43c9633006f073425f5902590e8482e0e1aa77757a575e216

          SHA512

          8f555b8423ce7dbdf82063c7c9eee8145e2d45b5701c9b4b04b15e2b6eb98d02ccc1b7e1d2eace72e545be24630a55f6d1357d2493b8309943f2ec0907ffd34b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          954B

          MD5

          b00de8662e478c50215a0365a0992117

          SHA1

          cb946d7924c4c9949e7a743891feccccf52f58c2

          SHA256

          cf7f687670ddef762cd73f73970eacdb1c9230c83b2f524a3f8de66e008490c6

          SHA512

          49061dfafe6d6e25f3a574909b117ce063992fc1a0f61192e46315626b2ecae2850ef5a19b1f4cbb32a36e2d59f5ba1e09f44847f71770d81a545801ae0e67e0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
          Filesize

          1KB

          MD5

          b66aef0dae3322941f185cdc4fdb057e

          SHA1

          596c2ea8c22fb2fcb183710d68504161a5778148

          SHA256

          54ffd0489540a12433e13b595737fb9d2a1d86808ba4e111df8aab38d9f9e221

          SHA512

          20fcbb6455fd3625590f77f7798dfadc90d88a70df538c66c3b4cb78a0bd1bff1b73f5e59b2c6ea008abd1582a5d8e75c151b777fde01fe848b72c6c84a72472

          Download Submit

        • F:\AUTORUN.INF
          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

          Download Submit

        • F:\AutoRun.exe
          Filesize

          812KB

          MD5

          802fb676e94d338ab31044d4d91df6e1

          SHA1

          84f330f304c5e61f03799c774d485c694edfb131

          SHA256

          06c374df71b088607533cae2db8dd7e2b8ad267bf617575fa2da287d006f1d69

          SHA512

          73dc1c2e199cfc5a0f7e9b8a17bf27a72d10326936bacd86eff35ab9c5af0daba94a111b6b61c788e0824ed22094392fbdb9ae6f8201aefaf1a43f1ccb961fe8

          Download Submit

        • \Windows\SysWOW64\HelpMe.exe
          Filesize

          735KB

          MD5

          dd3acf96e378a143e1336cfcacc895e7

          SHA1

          e334e05ebce4538cfb3aed942acac8e7f59c4b26

          SHA256

          7c5c757f4a44a5b537f6a1fb406c2c65071facd8b0d40428d9b943d7a76efc9a

          SHA512

          fc616082e5afc63f61353158674746cf7b23fc0cedde01dbdf672c420d9f01bb5284e013335779a278a3206c26fda1176f649adcd8fcb7ce5981a7bb12ed67df

          Download Submit

        • memory/1032-0-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1032-234-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2888-9-0x0000000000240000-0x0000000000241000-memory.dmp

          Filesize

          4KB

          Download