Overview

overview

10

Static

static

3

96dfcbc0a3...3d.exe

windows7-x64

10

96dfcbc0a3...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2024, 09:53 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96dfcbc0a357630ce67db6083cf5bf3d.exe

  • Size

    6.3MB

  • MD5

    96dfcbc0a357630ce67db6083cf5bf3d

  • SHA1

    e5c9b296e5d09e340f394a7ad751b7a71368823d

  • SHA256

    345efb6e2d178dc9c57c9959d005a1f709340cc1e00a80960483ffbca6c4954d

  • SHA512

    ac3a99dd49796883eccae155bda30c28dbdc0b4c637b6cbf0a99c23cd68d9112a687b65b494305e3327038f852bc9e4de4a9025974f183e9522b12d007d7b016

  • SSDEEP

    49152:NEs1qB8NIMI8Sfpwotkzaxc1OGz8iB8NIMI8Sfpwotkzaxc1OGz8j:NE2HIMzKpXOMGQvIMzKpXOMGQj

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (2953) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\96dfcbc0a357630ce67db6083cf5bf3d.exe
    "C:\Users\Admin\AppData\Local\Temp\96dfcbc0a357630ce67db6083cf5bf3d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:3344

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    175.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    175.178.17.96.in-addr.arpa
    IN PTR
    Response
    175.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-175deploystaticakamaitechnologiescom
  • flag-us
    DNS
    148.177.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    148.177.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    180.178.17.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.178.17.96.in-addr.arpa
    IN PTR
    Response
    180.178.17.96.in-addr.arpa
    IN PTR
    a96-17-178-180deploystaticakamaitechnologiescom
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    175.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    175.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    148.177.190.20.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    148.177.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
     137 B
     1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini.exe
    Filesize

    6.3MB

    MD5

    2ab7dadcb62ae1c3587c28117bb4cba0

    SHA1

    a995ad1d6c1bf6d354ee714788ddacf9f56570d6

    SHA256

    6e1c67fe00a8af3bfc9844befe792f3712288c48b511ff41c2329cacf370bf8f

    SHA512

    892f34ff7e764b90359c10850f139d2ad99761163a2efbef9b9a0953d897d6f321261b93dcb1d46a2be81bb8b539aed02a2ac8f0bc0ab308b2c2250023a40497

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    b2540a2b75c16a4bbfab08c0a1960cbc

    SHA1

    d44126681b91047916f91ee2706618d3dbbfbcd0

    SHA256

    98a5fdda523888e7be3df2ab0cf67fe65a9d3f263c00e79c9e6cd0e2335c1c53

    SHA512

    9869cc29232e15f7572a2c7e0c2596eb06d05498518cfe73c502ef4a20b8d2919098d60424791304b7ecc87845c9d6a0089cffeb63155c0c3bee6884ed9b1366

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    5a64e94d15cd44ac5e26eca0c0573ca8

    SHA1

    688860d9395dff650d48f72432093d7c6ec444b5

    SHA256

    f5763da823881e26a7f13bb331767aea6c94801008cfe1c97d42ba2c197328ce

    SHA512

    34d7339d49d52dbcdd36ec597d9174b401d37376bacf3d512d5aabc418b4ab59ad0a02a2efd612bc0e07f32d6bbe40aa8776962cafd73aa66da1e588f81b585e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    0b114b7794d337db86ef0c9a109b9e8c

    SHA1

    b7ab81a6b6371188fea3a271a31e7eba3c7ed497

    SHA256

    94aec7d63db1e74c5bf3e50d94ea876777f6cb10e90ba0c38b917f67ec48aa5a

    SHA512

    d4dae5bdd4ceddaf0b9100e82ae99dd4152d668df8f93b817266e001360d635a86d3a3b0c646394ef46cd973c00bde3da90942270d9765f87e257d8f9467b375

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    c1f478d170563f2b76d1856f171d1ef7

    SHA1

    5b5d6670ccb8bfca9eac4c9cd08b71167f7b8639

    SHA256

    5f11ac55a1aa534981bd44c0b8c273457967eb99d25764ad117f446dc6a40022

    SHA512

    290f2646c7c8aaec3d173f2ae95c5d7dda5f634cae69f7c73d422e97beba966932b08e2ca5845d5459752fcf8e53b85f6aede779f2a7e1075d0161ec4c933466

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    e1fc3d97bfd65aa4985490e41cbd3f6f

    SHA1

    c1f7fd12da204083436b8d9103b38bceaba4bf90

    SHA256

    c68f91102f8d1623c8b4d049ccb4dd4701ab842730d3653d2a2ac4a8098ac681

    SHA512

    d67e1dbd49dbd1725bab8a311a11f05e67aaaee67ea0781dc362cab88500a194600a0f5ac1ae04251db24945ee46b0ec0ab37bfb222221fa7e93eeb3e501f42d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    a0e44081411a71be9ee34566209cd692

    SHA1

    880fc8e855a964e05c7beb7081c0f9ef70876cd1

    SHA256

    034fd9faeedbd8efcb99467bf739d4cc2f92368541d43f51975c0ca37ca9afd1

    SHA512

    38c22e2dc17b67b8ee3489af2c986864e3e493b99dc63c4a4898a287625ee5d5a95506cfcf7543a348af33f3fab6935fd37cb6bd578c5ea4690a43d2f8a50ef7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    429f31e938f3c7721872114ed0989bca

    SHA1

    3002b2ecbce2d0298bc0d5ee5d0d547da9c3995d

    SHA256

    816efa82badf5bb67b0d9a287502b374ac85a6d1307d4acb85869235b7ef86a7

    SHA512

    d0989c4902d4ab57575f318c9266c7ceef0f7698d315379464fcc529a1e28f0f6830b4e0a7fc9f9a9bfb183175e4c22a2f7e4753ac01cb91f97a166219a6cd36

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    d1c5606a2f0d24657b72a98a728f9839

    SHA1

    8bbc50385b085455d279fea545be62bc084cb504

    SHA256

    7d2edd6f8bb4d84ad34ded0e78bc9105994e70e77f15b9a234e0dd4fef06d6c9

    SHA512

    51165246693e040292b128e732749c8ae1a6936ceac1b72abde5bcdcc38212f80db1d592151f054e729a66b0b6da66aed9f778bac5e164ccab18efe63f3c3529

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    31eca553b07470f17ed113683518f3c9

    SHA1

    8b82e214894dcdefa6713b0ea80ec388f4ec8338

    SHA256

    341124a4920ad9d49eade7ccf80539c52e6ad36a8d6f62703a19b57f365e706a

    SHA512

    1d16cf85c74f6f30b9d80d783560876111aeb238d77f25565d622440bbbc0b4606bcaf49066571101d18dc63e88531ba38c034b9246f2fc77fa7d1758842d346

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    901c48a78a5e89b01a85f56efa12af9f

    SHA1

    27a58c6415a00b7a483b8ee43e1ed4c2b6c7cef0

    SHA256

    569da5c5a456b8c7ffb34b322e699da4ab14f1e895ca51eb756262ba16018ae5

    SHA512

    1380e536b677987a512f251affe2c2dfad89ed435c19822f33b49ffcd0f0d58a22c570d59b121a58b07927f70b9be11596d13fbc0b1c6bc44ae6c6fb99c67022

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    cd5d8f3950fbe207f9302223bacc92d4

    SHA1

    ede4d6c9a0c2f6021df5c1b98c122c83b4d5e40b

    SHA256

    97899b9a5e417f536b2d9cdcc803e55376aa465ac6e9f69a746b26bd15bfcc92

    SHA512

    ba958f7843650adba579d9b60e73e37f79f0056aae023f74f6c62347608eb92db760a53c3ff083ef13247c12d05471b7fd1683abf0fcbfe612a5b2f534e57e5d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    b70d7c34d1fe05c782d26a2446aad61c

    SHA1

    7acb4a97d21e750d8f5ef6eac07c0499d830f524

    SHA256

    ba9e836b358a47f7850f8e5497289b297262b0ada0e5def902a2f943cadb0ba1

    SHA512

    5c1351faf5cf571a582ef1e61575f198f8cbd14b20202c18efa1bac44baff048b5d8006d8021ca88870d56ca783952fa710780ecfd7c015a2bd47361689d242f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    c0a25bb50db9e8c6ea50913c652902da

    SHA1

    e42e0c18c82c8e7331857750a3c790018ec58e17

    SHA256

    1b98f53e4518b50b8b05c879d9f3e4b1e8abe67a8a8b0678d438ef68b8f9723b

    SHA512

    d65ef6eb3da4f0872589bc5c5a1babdb34fcaaa500d4879b8f0744c4208c085ecb9fbc453303fa6c22f470ebbfe9ebda92387955060cd4b8113964c77b1e8477

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    0f0b3073f4fb094d85278100f968d412

    SHA1

    357cbef23791a9623cfe5cbece3464e2ad59bc5b

    SHA256

    a906e078845362cf73221c28b5ff5d51e932a49bf8d58ae31097fd66eaaab6eb

    SHA512

    853b72f5a3d12ba4c423ff6e0d25fe00ef2881b1e91560a6befaf8891a5ddbba4b6ae6fe65c22be4a46aec32f75fa5c577e4d4e7b5434efc0e3d2905bbc8b04c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1023B

    MD5

    7846a866ee4e47c1a3d10d834e048044

    SHA1

    07b3e50627c474910b11aa2a85a8ab9aba15c50d

    SHA256

    6affa761a715c8d68f88ed0eb395d85f855845446e81c6b2e49ee52f2b075039

    SHA512

    ef25f6461b4791d442407a6d7c4f01169783788b17d95c1479cd720cd32623c0fb64dda447d8b570ff84bdc34dbe9ff31939503fcc07adf052a503e2aa5e4b9b

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    1.9MB

    MD5

    52af0ac6d97115d22994c8085ab683a2

    SHA1

    83915de1d5fe15840975dfe2b1e4ac527a555415

    SHA256

    a9073dbe61dba4c0948c1599feada74cc75ca5e78d5c670d119be34cb6672c02

    SHA512

    b76c4a121dbfc7a3238ee3a1ffb18b07dc7cf46cbe687203bcca7d2e82a163b52bff8888abb284a71f67323ec71ee32a2f7aa86bdf2a0ac4de21c92acdc7315e

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    1.3MB

    MD5

    11d4cabfcc81ffdedce4f262e488aea0

    SHA1

    d456fe01aebf13b4e13a8b5549113556c37b48df

    SHA256

    8a7db868c219f3b227b588fbc2a33ed86de0d7c41aea50d885a219f8df4db628

    SHA512

    4790cdf7e8963897b910df5c91650bcc5cd6ca46c424a28a50397ba2b134ac3f45ecdef4db171970fce9ca73adf43146bc1bf0c529eb3ef77348453e58e44189

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini.exe
    Filesize

    6.0MB

    MD5

    72f70efab82456a85eb677b02352cbe5

    SHA1

    6da6b7173a4f8c9ec917d28dd40fa3440d65d570

    SHA256

    c2de7ecf90fb38f015a479ca7ade5c1daf9ea20d2d8f7c2b00a1ec88af058bf9

    SHA512

    751389eb36e666b15df5b756e1bef2bbf9d0a0990eab074f310c881d8bcf2a9d5e1e76683b9b9ce6d86191597babe30cc3c52e0aa7934be0780929d72cedfedd

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    6.3MB

    MD5

    96dfcbc0a357630ce67db6083cf5bf3d

    SHA1

    e5c9b296e5d09e340f394a7ad751b7a71368823d

    SHA256

    345efb6e2d178dc9c57c9959d005a1f709340cc1e00a80960483ffbca6c4954d

    SHA512

    ac3a99dd49796883eccae155bda30c28dbdc0b4c637b6cbf0a99c23cd68d9112a687b65b494305e3327038f852bc9e4de4a9025974f183e9522b12d007d7b016

    Download Submit

  • memory/3344-3043-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/3344-7-0x00000000020D0000-0x00000000020D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-5-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4880-2023-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4880-0-0x0000000000400000-0x000000000047C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4880-1-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4880-2563-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.