5efb103d520a1107fbaa200b8cbeafced0a36ad2355c4dd765f7638e5621313e

Analysis

max time kernel
148s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cdcf8cbfe19eb634aad49ddea05b721.exe
Size

881KB
MD5

8cdcf8cbfe19eb634aad49ddea05b721
SHA1

71d1d5378bcdbb3c176194dd648a9571789f4d5d
SHA256

5efb103d520a1107fbaa200b8cbeafced0a36ad2355c4dd765f7638e5621313e
SHA512

6524a0910a70b33b006bdf8525d32cbcedf5e8677e881943ce737fc68b70f8ba00a688e0d53175d1b4f670b2ec0dc69cb78b24e980d01edd474702ec58310f56
SSDEEP

24576:aEtl9mRda1VITSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Num:xEs12Gr4kfxuN

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	8cdcf8cbfe19eb634aad49ddea05b721.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	8cdcf8cbfe19eb634aad49ddea05b721.exe

Executes dropped EXE 1 IoCs

pid	Process
608	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	8cdcf8cbfe19eb634aad49ddea05b721.exe
2236	8cdcf8cbfe19eb634aad49ddea05b721.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\S:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\U:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\A:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\H:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\L:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\K:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\P:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\T:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\W:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\E:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\I:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\O:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\Q:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\M:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\V:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\J:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\R:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\Y:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\Z:	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened (read-only)	\??\B:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened for modification	C:\AUTORUN.INF	8cdcf8cbfe19eb634aad49ddea05b721.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	8cdcf8cbfe19eb634aad49ddea05b721.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 608	2236	8cdcf8cbfe19eb634aad49ddea05b721.exe	28
PID 2236 wrote to memory of 608	2236	8cdcf8cbfe19eb634aad49ddea05b721.exe	28
PID 2236 wrote to memory of 608	2236	8cdcf8cbfe19eb634aad49ddea05b721.exe	28
PID 2236 wrote to memory of 608	2236	8cdcf8cbfe19eb634aad49ddea05b721.exe	28

C:\Users\Admin\AppData\Local\Temp\8cdcf8cbfe19eb634aad49ddea05b721.exe
"C:\Users\Admin\AppData\Local\Temp\8cdcf8cbfe19eb634aad49ddea05b721.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini.exe

Filesize
881KB

MD5
3d96794d5b1ad8b224ab8f155a0a9afd

SHA1
a755abe77e95c22bdb1b6fee0b08b2c8a22395d8

SHA256
4fbdfe908ddae02ae49a31f62ad05e04dfb749047878b3f4bc24ec042db661a8

SHA512
b5054b89a9360ad2bdf81fa9ae4d5afbbf0ad6d09cf56fc025d8278093a00dc575976d0587b677f14d19f80028db24a4267a4ed4ed4c9f0d2d8233ec18625cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
a6f19ce52ec33397fc1f4aaf50cc1e32

SHA1
1a5059417277b5b41f6ef75276002fd7109a0f4d

SHA256
bc77af5f49cd3be56bfcbd52952946fe3a0b8cf841d6485bdb1a79aa0380c141

SHA512
4e4884a3e508340f7c237491de1017b4fc4b08ccda5ded399319acca1a382737c02cec44a89e7c1e7894463170f77fea84813b101cb2accdf027d9ccf19c2f87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
6cb4877c99742bef0f620cf29ae2c1c9

SHA1
e2a4cfa1d25cd495700e5d9950c811734ec27d45

SHA256
d5be63fc20f7ba21d37a735a5e6e43073890f601bed41b56bf3dee99b7d2feed

SHA512
550e5faa686687d1a96f43222bea78294b5f17602d2558ad21bb77cd2aad9cf5024a98238ffb79d66636c9cb9d09a49d84229c4d06a271bced5596b0575086fd

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
881KB

MD5
8cdcf8cbfe19eb634aad49ddea05b721

SHA1
71d1d5378bcdbb3c176194dd648a9571789f4d5d

SHA256
5efb103d520a1107fbaa200b8cbeafced0a36ad2355c4dd765f7638e5621313e

SHA512
6524a0910a70b33b006bdf8525d32cbcedf5e8677e881943ce737fc68b70f8ba00a688e0d53175d1b4f670b2ec0dc69cb78b24e980d01edd474702ec58310f56

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
880KB

MD5
d174c7dd21726a41ab5d085624ace76e

SHA1
5fd7193db058fdf4f84ac35a03d49f83d597efae

SHA256
894fce776e04dea6a884cea5a16cf84dfff049eb1f6e6357d7e70384b0f62ea0

SHA512
4028f40bb5ead06c3ae07c4c043f29916960340398a278bcad28732465a59b6404f13e8021712a83617f8943cb50d93b10aaeadcf5805d7bf9bf99613eefbc81

Download Submit
memory/608-11-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/608-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000000400000-0x000000000047894E-memory.dmp

Filesize
482KB

Download
memory/2236-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x0000000001E00000-0x0000000001E79000-memory.dmp

Filesize
484KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads