6f0ff6b48f67082fb42d6a48c5c5ce8d8ff7213560fea2e52b76f9f8efc102f2

Analysis

max time kernel
147s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 18:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99df57dfbea20aabe363880940861e58.exe
Size

7.9MB
MD5

99df57dfbea20aabe363880940861e58
SHA1

43819c3da13e5441025d7b9e433dd58227db6074
SHA256

6f0ff6b48f67082fb42d6a48c5c5ce8d8ff7213560fea2e52b76f9f8efc102f2
SHA512

2f953d6cdbf65e60f900bc656bcf5deda45dc6da6c88e357d87500a2a8c75dcc9fa7a8841cb07764d1a660b1487cd3885b86b502ee3c54dc2a6916defbffaa03
SSDEEP

49152:iEs1CzRB8NIMI8Sfpwotkzaxc1OGz8hB8NIMI8Sfpwotkzaxc1OGz8:iE2tIMzKpXOMGQ+IMzKpXOMGQ

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	99df57dfbea20aabe363880940861e58.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	99df57dfbea20aabe363880940861e58.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	99df57dfbea20aabe363880940861e58.exe

Executes dropped EXE 1 IoCs

pid	Process
2664	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	99df57dfbea20aabe363880940861e58.exe
2236	99df57dfbea20aabe363880940861e58.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\E:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\W:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\Y:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\V:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\N:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\H:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\M:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\Q:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\R:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\U:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\A:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\J:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\L:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\S:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\G:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\O:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\I:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\T:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\X:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\K:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\Z:	99df57dfbea20aabe363880940861e58.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\B:	99df57dfbea20aabe363880940861e58.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	99df57dfbea20aabe363880940861e58.exe
File opened for modification	C:\AUTORUN.INF	99df57dfbea20aabe363880940861e58.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	99df57dfbea20aabe363880940861e58.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2664	2236	99df57dfbea20aabe363880940861e58.exe	28
PID 2236 wrote to memory of 2664	2236	99df57dfbea20aabe363880940861e58.exe	28
PID 2236 wrote to memory of 2664	2236	99df57dfbea20aabe363880940861e58.exe	28
PID 2236 wrote to memory of 2664	2236	99df57dfbea20aabe363880940861e58.exe	28

C:\Users\Admin\AppData\Local\Temp\99df57dfbea20aabe363880940861e58.exe
"C:\Users\Admin\AppData\Local\Temp\99df57dfbea20aabe363880940861e58.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-928733405-3780110381-2966456290-1000\desktop.ini.exe

Filesize
7.9MB

MD5
94358f90f85f490071fb5ed417972cb9

SHA1
b564ad0bf43e3cc842f3b34b4ccf52fa0ac84825

SHA256
2a3d9def80e934879596b899e8bcf178afbe221c432f5d2501e354a0854c03d6

SHA512
8ecf8cfdb45fa066839baf2890945498282af2d6e98fb540650d7810e4c98b00be12e6bd3bee7e4df028454b439e1a10a9498f6bb64af1770084a27ed0f05ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
f68dc97001426589926b00ddc1a95ac1

SHA1
3d80ccdc17d02bcf9670147011fa3939eafb602a

SHA256
46ddf900ff860f536cca1ccf5907fc312273bb21c9dffba7bb54522f0f0e4923

SHA512
c3bed5092eb88522e897e3b10b0f91334e7afbd36110c2e4533f9e2208969a298a8ed4bc760d1647536038bc76d074670c02d72a85d582b593c268feefe319e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
7bfd15b992a4e3ed733e894a83a9baad

SHA1
b41b6a0902ad2f762d9812ceefd7d79f85c743a9

SHA256
7ad0d73a8580370a4923d62aa6ce42bc6b9125190aa04a72b17e3e8925d709f7

SHA512
235fe4b9f846a7230585c8665ee8da8c6aa4bd6cdc82ecad6d9604464ec1c8b1c0df61bcc3d910a144552e0678cc042c407797e2f470eb6c4a8cee2d21dccb65

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
4.1MB

MD5
1c045287f39b25dfbe6b48be53f10c0f

SHA1
232b839244b313cc4d683b1fc65af3f283c91334

SHA256
e169fc9269e3954d8fee4cf2f14da649290000d8e9c711214b04e7189ffbf6f5

SHA512
7c672752621ceb5ed972858b212575247a2c4805ac8eaa78bb99480ba931ee7f530cf94bc4e38d676310924c7afc9a5ab4275031487d732905a2676dd30c2f6c

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
4.1MB

MD5
2c9ebd49a810b7506d35f70227632e1d

SHA1
07e7114e018e95245e428dc4a910ac4295287ddb

SHA256
ee113f3d8559900019eeaa15408c8d43c0f5dad08fedc63f53e499109fe99eaf

SHA512
025281c5a2303f4bbcb083e6de50200f5feaf79ac1dffd7d2182c0e84f0936e4441e0824eb98817126e8a78359b021e2dc84a068a4d6470c6e9354299223e66b

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
5.2MB

MD5
34e6b73d7d38cd81ac8f416234343f30

SHA1
adc06987b41e05358ebe673f38d8045384891539

SHA256
aa256e85dd6141935958589d78907e4fd2c857b8f9cdfcc1498f018e28cfe317

SHA512
d6d0ceb4d941268e7614e4121162b1547f3d23c3040021ea2c9877d3050408741672d095229d38ff7330b5318e8ff4c6eb177c810ccf882cf020ed7698ad38a9

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
7.9MB

MD5
99df57dfbea20aabe363880940861e58

SHA1
43819c3da13e5441025d7b9e433dd58227db6074

SHA256
6f0ff6b48f67082fb42d6a48c5c5ce8d8ff7213560fea2e52b76f9f8efc102f2

SHA512
2f953d6cdbf65e60f900bc656bcf5deda45dc6da6c88e357d87500a2a8c75dcc9fa7a8841cb07764d1a660b1487cd3885b86b502ee3c54dc2a6916defbffaa03

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.9MB

MD5
4280cb7ca5347e32f1b678122bf377a8

SHA1
8f794bd62a2c4656499f84bd8267e15c7cc71100

SHA256
0aac516e187ca61f42e3327b12e9615719b89ee37af202737b741e24e05ca7ec

SHA512
4654362bab0998a5d5b29bcba351b53c526a2e20638143ecb4f770187ce0147a88e492979571dc13249d131bcd781721a79e64d1911fdc4df803c799e396ea6c

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.2MB

MD5
119e709e236b290f4782fd4bf5e42ad5

SHA1
a3e768aacb7dbf874755ff394981eed01b7a586c

SHA256
b6251f7d09d2049d6d0bd545358812fb44c5258aedf723941578a67eefe99109

SHA512
d5db65243260fc8bb7436e1d1dd306b1279449d0c843ea4134eefc2995209a4488573b0c49af5cf565e9c952fe3dd3bada8fa7a06fd81f56562731dc11d3f68a

Download Submit
memory/2236-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2236-236-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2664-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2664-237-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads