16eb0beec9d5c8edf3bf8b7ac436b45ea02d77751676177d403922113adcfd9d

Analysis

max time kernel
148s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/02/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa41a7e306181cc69cd2af015229a883.exe
Size

8.2MB
MD5

aa41a7e306181cc69cd2af015229a883
SHA1

9ec71cb5e799f502f7ef17b9a64caebfde34684d
SHA256

16eb0beec9d5c8edf3bf8b7ac436b45ea02d77751676177d403922113adcfd9d
SHA512

bd44e708aeb4be0dc72cce1fc82c03f0aa476a1d73f0bbf1eca1344a5cb05b6b6d173d85f1379fbca2801e0e0a487ccd63c5c8725a01009157dfa449d90fa680
SSDEEP

49152:iEs1JSJR9x8B8NIMI8Sfpwotkzaxc1OGz88B8NIMI8Sfpwotkzaxc1OGz8G:iE2WJIMzKpXOMGQFIMzKpXOMGQG

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	aa41a7e306181cc69cd2af015229a883.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	aa41a7e306181cc69cd2af015229a883.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	aa41a7e306181cc69cd2af015229a883.exe

Executes dropped EXE 1 IoCs

pid	Process
1688	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1156	aa41a7e306181cc69cd2af015229a883.exe
1156	aa41a7e306181cc69cd2af015229a883.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\P:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\B:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Z:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\Q:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\A:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\H:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\W:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\X:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\E:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\R:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\S:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\T:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\U:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\Y:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\K:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\V:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\J:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\M:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\O:	aa41a7e306181cc69cd2af015229a883.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\L:	aa41a7e306181cc69cd2af015229a883.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	aa41a7e306181cc69cd2af015229a883.exe
File opened for modification	C:\AUTORUN.INF	aa41a7e306181cc69cd2af015229a883.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	aa41a7e306181cc69cd2af015229a883.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1688	1156	aa41a7e306181cc69cd2af015229a883.exe	28
PID 1156 wrote to memory of 1688	1156	aa41a7e306181cc69cd2af015229a883.exe	28
PID 1156 wrote to memory of 1688	1156	aa41a7e306181cc69cd2af015229a883.exe	28
PID 1156 wrote to memory of 1688	1156	aa41a7e306181cc69cd2af015229a883.exe	28

C:\Users\Admin\AppData\Local\Temp\aa41a7e306181cc69cd2af015229a883.exe
"C:\Users\Admin\AppData\Local\Temp\aa41a7e306181cc69cd2af015229a883.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1cc62d2c0be6f43f78e456272bcf3f98

SHA1
cd637e98bfc034cc2cfd086e0100168f96bdeea6

SHA256
285e13a2cc89836f7e5bf0a18ba375591012965cf2fa4717c3ee5df1127118c6

SHA512
888e01f986a19903009aafa573fda98395402d66bda7eac3a9debf1ce536845066e4cfe6a04fffa5b5b4bfc547bf6a2c9d36868e3a488751110d923a7b6480bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
65ece74f3b9ee4218a98aed2533f6b9d

SHA1
7f7d96af37188ce2cb10dc4b68b8dbdd3d01ce48

SHA256
3ad32440bfa7ba0a191eb41aa66ca3a198bec190202fa2ecfed0d9de626dcb08

SHA512
e1acc339ac4b0713a1a717708635550d3dd89603adb9a243bc0a02133c8398045afe8c6d95398df20f549cc77e9656ceb3b490f2fd2c296feb8333164422b874

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
5.5MB

MD5
39203944810535ab936c9401fc47c95c

SHA1
4e458725324b4694a5fb919d504be845859d4e94

SHA256
7dad649fdc372c664011bbe473d804c717136785cc073da5a2a1293e77e96c8b

SHA512
ca79713f223b4430ae700d66f23a77f0c011e4b7c04f05a9fe910bd41f52e95c085654496ff1577f69905594b97430f9cb21fa560a64a96ee330768200963e19

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
5.1MB

MD5
6ccbde7c788d36784f9b76f18d4e30e3

SHA1
1f025fda3feabb0cd202b8b2e0aba3af6a3df765

SHA256
3ade89a78ca5abc1cf2b3d8f9422a5bf2ec58abbf8742b6264a852b30e3784ec

SHA512
a619dc325bb4f189ba87adfb53c93c616f4022aed4307823b7c6182d5fd389501cf9ac1803f5871a54ab778245130f60e8d5de7fc9c99c4af8abb54f55dd2050

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
8.2MB

MD5
29a1469e7763aaf30f17b95f7ac8f9c6

SHA1
8f15241382844d99f32fac425e5781e67626eb05

SHA256
5e9f8db10a1a1d5105f40e66f0caaddf140b2d3a209edae4cb33e916670fe393

SHA512
c450e6d2faf833714243b3fb591b9938b894f4a92ce9540170a4c84b5285d1ee9641490d723780293ddeb40e76d252a4c3474cac6d8ea8e43a151f1ee611006a

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
1.7MB

MD5
a4bf826d27be0c0042b6eb41905b33b5

SHA1
4d6d2c2e885c34a59c713493d3aed3c2f49dc655

SHA256
e37b3654e346e817fc1a0c459c53de1018234f4acdbe63bb2ce612cd329ea063

SHA512
fdb38ffcb8b0f1b0c6e5feb1e695dc2000805cb042974cfa796d009927f31c9306a72581119362daa45357f63a00d0187775f3f3d16ecd1e7c12554fbe2101c3

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
7.2MB

MD5
b14d8b33aaa168930c16dc36ea4c8ddf

SHA1
c1efb4e08dc75ae845773bdf8ff7bce4003b54c6

SHA256
60d8806f671f8d3a8541fc840c0e79ad89cbea1c7dded3a84628f3eaf01fe133

SHA512
5ba74f7a2b4180376f87e7cb3b6bd5c55270fca6117575ad7881767e8c65838d04d8bfbebb98860bb88575074461854f4158da7c874d684c7efc1dbe1163c632

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
6.2MB

MD5
df7c6554c3fb6c11db3078f76c2bda92

SHA1
6354e85bcacb573a3b9895e9427f737c02ca2944

SHA256
13801ff45e8072371641809cff2264265d6c325779e026c309f3317741f5e9cd

SHA512
ebd5dff0df5f9cba734b62a32a65122ae92365b93f8bcdac59a64efeb51f6cde9855e46284a9c04b913b8ed1c313ce42eb4c02495ac4c1126a961250faf5f035

Download Submit
memory/1156-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1156-228-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1688-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads