Analysis
max time kernel: 145s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2024 15:50
Static task: static1
Behavioral task: behavioral1
  Sample: 9788290f11e6a311a12d80f8a91536c9.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 9788290f11e6a311a12d80f8a91536c9.exe
  Resource: win10v2004-20231222-en
General
Target: 9788290f11e6a311a12d80f8a91536c9.exe
Size: 1.9MB
MD5: 9788290f11e6a311a12d80f8a91536c9
SHA1: 9e14969230aa84c2589d113868b8734b1e54b8e6
SHA256: 35fe3ac590271e135d23d485ebb19fbcfeb53b91521676dcb92bdfb393b64cd6
SHA512: 287fb50f75c5b181f26b2d6f2998b474bef2b36b48ecf20f6baa29e7ec4c4806b85a3a3a0b9ce07a926ee63e96cfc44f198f36a572f3141e457216305a248803
SSDEEP: 49152:PEs1c0XpiMYIlMMHMMMvMMZMMMlmMMMiMMMYJMMHMMM6MMZMMMqNMMzMMMUMMVMl:PE2cYpi/kMMHMMMvMMZMMMlmMMMiMMMJ
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                    Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"  9788290f11e6a311a12d80f8a91536c9.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"  HelpMe.exe
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
-
Drops startup file (3 IoCs)
  description                   ioc                                                                                     Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk  9788290f11e6a311a12d80f8a91536c9.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk  HelpMe.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk  9788290f11e6a311a12d80f8a91536c9.exe
-
Executes dropped EXE (1 IoC)
  pid   Process
  1960  HelpMe.exe
-
Loads dropped DLL (2 IoCs)
  pid   Process
  1540  9788290f11e6a311a12d80f8a91536c9.exe
  1540  9788290f11e6a311a12d80f8a91536c9.exe
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc (drive roots, sorted)                                                                                                                                       Process
  File opened (read-only)  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  9788290f11e6a311a12d80f8a91536c9.exe (23 IoCs)
  File opened (read-only)  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  HelpMe.exe (23 IoCs)
-
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description                   ioc             Process
  File opened for modification  C:\AUTORUN.INF  9788290f11e6a311a12d80f8a91536c9.exe
  File opened for modification  F:\AUTORUN.INF  HelpMe.exe
  File opened for modification  F:\AUTORUN.INF  9788290f11e6a311a12d80f8a91536c9.exe
-
Drops file in System32 directory (2 IoCs)
  description   ioc                            Process
  File created  C:\Windows\SysWOW64\HelpMe.exe  9788290f11e6a311a12d80f8a91536c9.exe
  File created  C:\Windows\SysWOW64\HelpMe.exe  HelpMe.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 1540 wrote to memory of 1960  1540  9788290f11e6a311a12d80f8a91536c9.exe  17
  PID 1540 wrote to memory of 1960  1540  9788290f11e6a311a12d80f8a91536c9.exe  17
  PID 1540 wrote to memory of 1960  1540  9788290f11e6a311a12d80f8a91536c9.exe  17
  PID 1540 wrote to memory of 1960  1540  9788290f11e6a311a12d80f8a91536c9.exe  17
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\9788290f11e6a311a12d80f8a91536c9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9788290f11e6a311a12d80f8a91536c9.exe"
   PID: 1540
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\HelpMe.exe (child of PID 1540)
      Command line: C:\Windows\system32\HelpMe.exe
      PID: 1960
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
-
Network
MITRE ATT&CK Enterprise v15
Downloads