Analysis
max time kernel: 146s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 02:27
Behavioral task behavioral1: sample ad742104f5da2b146e926f1eab741103.exe, resource win7-20240221-en (Windows 7 x64)
Behavioral task behavioral2: sample ad742104f5da2b146e926f1eab741103.exe, resource win10v2004-20240226-en (Windows 10 2004)
The signatures, PIDs, process tree and YARA matches on this page are from behavioral1 (the YARA resource paths are tagged behavioral1 and the platform above is windows7_x64); the Windows 10 run is not reproduced here.
General
Target: ad742104f5da2b146e926f1eab741103.exe
Size: 2.9MB
MD5: ad742104f5da2b146e926f1eab741103
SHA1: 0f8ddc0bf413c54159752ec412546ac8794a6819
SHA256: 7de456532b87725cb5be6a3b13d4859c1b3d0fcd220b1935741373b567c8803d
SHA512: ca4ce3da260debbc9a87b7ff9e03f81bec5641e6eed36b27f24d9c900a749214b81f49686a72c8ae66b66f0d9a47ad1084cf235b6f2a9cf76744ec9802fd7dd9
SSDEEP: 24576:ZMMpXS0hN0V0HZSGB2uJ2s4otqFCJrW9FqvSbqsHasgXhFHDAGtlRXZ+CP63n0Ns:Kwi0L0qk3
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" by ad742104f5da2b146e926f1eab741103.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" by HelpMe.exe
The default Shell value is explorer.exe alone; appending HelpMe.exe is intended to have the dropped binary started together with the shell at every logon, and both the dropper and the dropped copy re-apply it. Note the Wow6432Node path: the sample is 32-bit, so WOW64 redirects its write there, whereas the 64-bit logon components on an x64 host read the native key under SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. When hunting for this, check both views rather than assuming which one took effect.
Renames multiple (91) files with added filename extension
Renaming many files with an appended extension is characteristic of ransomware encrypting the files on the system. The rename count on its own does not show whether the file contents were actually encrypted; the report does not record the extension that was appended.
YARA rule matches: aspack_v212_v242 (the dropped files are packed with ASPack v2.12-v2.42)
- behavioral1/files/0x0009000000012261-2.dat
- behavioral1/files/0x0009000000012261-4.dat
- behavioral1/files/0x0009000000012261-7.dat
- behavioral1/files/0x0009000000012261-8.dat
- behavioral1/files/0x000f000000015d85-38.dat
- behavioral1/files/0x0001000000000026-65.dat
A packer match is not malicious by itself, but it means the hashes above identify the packed container and static analysis needs the unpacked payload.
Drops startup file (3 IoCs)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk by ad742104f5da2b146e926f1eab741103.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk by HelpMe.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk by ad742104f5da2b146e926f1eab741103.exe
Executes dropped EXE (1 IoC)
- PID 280 HelpMe.exe
Loads dropped DLL (2 IoCs)
- PID 2940 ad742104f5da2b146e926f1eab741103.exe
- PID 2940 ad742104f5da2b146e926f1eab741103.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Each process opens 23 drive letters read-only, every letter from A: to Z: except C:, D: and F:
- ad742104f5da2b146e926f1eab741103.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
- HelpMe.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
- File opened for modification F:\AUTORUN.INF by ad742104f5da2b146e926f1eab741103.exe
- File opened for modification C:\AUTORUN.INF by ad742104f5da2b146e926f1eab741103.exe
- File opened for modification F:\AUTORUN.INF by HelpMe.exe
Caveat: since KB971029 (2009) Windows honours autorun.inf only on optical media, so on a patched Windows 7 or later host an AUTORUN.INF on a removable volume marks where the worm has been rather than guaranteeing it runs on insertion. The file at a volume root is still a useful hunting artefact on every drive the infected machine has touched.
Drops file in System32 directory (2 IoCs)
- File created C:\Windows\SysWOW64\HelpMe.exe by ad742104f5da2b146e926f1eab741103.exe
- File created C:\Windows\SysWOW64\HelpMe.exe by HelpMe.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 2940 (ad742104f5da2b146e926f1eab741103.exe) wrote to memory of PID 280 (HelpMe.exe), procid_target 28; logged four times
The parent writes into the child it has just spawned. The report does not show what was written or where, so this listing alone does not distinguish code injection into HelpMe.exe from the writes a parent performs while setting up a new process.
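The three signatures that matter most for detection here (the Winlogon Shell modification, the mass rename with an appended extension, and autorun.inf at a volume root) are shown below as detection logic run over a constructed event stream. This is an added example, not code from the sandbox or the report: the event tuples, the field names, the function names and the ".locked" extension are this example's own assumptions (the report gives the rename count but not the extension); the registry path, the Shell value and the file paths are copied from the signatures above.

```python
"""Added example (not from the sandbox report): three of the report's behavioural
signatures re-implemented as detection logic over a constructed event stream.
Event schema (pid, op, target, extra) and all helper names are this example's own."""
import re
from collections import defaultdict

# Constructed events. Registry/file IoCs are copied from the report; the ".locked"
# extension is a placeholder, since the report gives only the rename count (91).
SAMPLE_EVENTS = [
    (2940, "reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe HelpMe.exe"),
    (2940, "file_create", r"C:\Windows\SysWOW64\HelpMe.exe", None),
    (2940, "file_write", r"C:\AUTORUN.INF", None),
    (2940, "file_write", r"F:\AUTORUN.INF", None),
    (280, "reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe HelpMe.exe"),
    (280, "file_write", r"F:\AUTORUN.INF", None),
    # Constructed negative: an autorun.inf that is NOT at a volume root must not trigger.
    (280, "file_write", r"C:\Users\Admin\Documents\AUTORUN.INF", None),
]
SAMPLE_EVENTS += [
    (280, "file_rename", rf"C:\Users\Admin\Documents\doc{i}.txt", rf"C:\Users\Admin\Documents\doc{i}.txt.locked")
    for i in range(12)
]
# Constructed negative: a rename that changes the stem instead of appending an extension.
SAMPLE_EVENTS.append((280, "file_rename", r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report-final.docx"))

WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.IGNORECASE)
DEFAULT_SHELL = "explorer.exe"   # the only value Winlogon\Shell should hold
ROOT_AUTORUN = re.compile(r"^[A-Z]:\\autorun\.inf$", re.IGNORECASE)


def winlogon_persistence(events):
    """Flag any Winlogon\\Shell value other than the bare default.
    The regex ignores the key prefix on purpose: a 32-bit writer on x64 lands under
    Wow6432Node (as in this report) and the native key must be caught the same way."""
    hits = []
    for pid, op, target, value in events:
        if op == "reg_set" and WINLOGON_SHELL.search(target):
            if value.strip().lower() != DEFAULT_SHELL:
                hits.append((pid, target, value))
    return hits


def mass_rename_with_added_extension(events, threshold=10):
    """Per-PID count of renames where new name == old name + '.<ext>';
    return the PIDs whose count reaches the threshold."""
    counts = defaultdict(int)
    for pid, op, src, dst in events:
        if op != "file_rename":
            continue
        if dst.startswith(src) and len(dst) > len(src) + 1 and dst[len(src)] == ".":
            counts[pid] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def autorun_inf_drop(events):
    """autorun.inf created or written at the root of any drive letter (e.g. F:\\AUTORUN.INF)."""
    return sorted({(pid, target) for pid, op, target, _ in events
                   if op in ("file_create", "file_write") and ROOT_AUTORUN.match(target)})


def run_signatures(events):
    """Evaluate all three signatures and return their findings keyed by signature name."""
    return {
        "Modifies WinLogon for persistence": winlogon_persistence(events),
        "Renames multiple files with added filename extension": mass_rename_with_added_extension(events),
        "Drops autorun.inf file": autorun_inf_drop(events),
    }


if __name__ == "__main__":
    for name, result in run_signatures(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The Shell check compares the whole value against the bare default rather than looking for a specific appended name, so it catches any appended program, and it matches the key under both the native and the Wow6432Node view. The rename heuristic counts only renames whose new name is the old name plus a dot-prefixed suffix, so ordinary renames that change the stem do not inflate the count; the threshold is an assumed tuning value, not one taken from the report.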
Processes
1. C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe (PID 2940)
   Command line: "C:\Users\Admin\AppData\Local\Temp\ad742104f5da2b146e926f1eab741103.exe"
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\HelpMe.exe (PID 280, child of 2940)
      Command line: C:\Windows\system32\HelpMe.exe
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
The child is launched as C:\Windows\system32\HelpMe.exe but its image is C:\Windows\SysWOW64\HelpMe.exe: the sample is 32-bit, so WOW64 file-system redirection maps its System32 paths to SysWOW64, consistent with the Wow6432Node registry path in the Winlogon signature. A hunt on a real host should therefore look for HelpMe.exe under both System32 and SysWOW64.
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Files available from the analysis, identified by size and hash only:

- 2.9MB
  MD5: 8bb5f37966997b090b3597a413d91cd4
  SHA1: 9f4040787d306f302aaf29929bbcc1c5ea912b6a
  SHA256: 0768e092a31c70f89bd03251783a0f28c99e3642624c98b7d5465fea75ebc266
  SHA512: 9d8e9bdab84f9918fc10a02703479a1c38fcbc6d779dc2dca643fafe7978db8110831816a9adc6197695165beca81943934e0bc41f35d05752bfd89c221214f2
- 1KB
  MD5: 9dc02a3664597e6b8f2c70067a2da226
  SHA1: 29910a232eed37ba8b49823e71e1cbbbbf975fbf
  SHA256: 5809238c5cb8f48877ad57ed2c7597192609e354c156f97bf7db6ad99a6f681d
  SHA512: 9295240707c4d1d3c0be616d2f3b9c01d8c74fc920a62bcb0947f33e3366fea632c4ae2d1f5d95f6c9b6bebe053e591c4f52779ec859628d4e58769c6459e2f4
- 954B
  MD5: bc1a4e82d2149ed5aa20fa6aa584a536
  SHA1: 130ce2f53c382591d30dcfb4da08bd5b862e8853
  SHA256: 66d2d23156979927f4a832845cd2d477b081c53ec35905ae584f8a5e8e26412f
  SHA512: 93542c758de71a100acd8e536a55b659699cd1c4223165e1029f458bc4acd50033961ad4169bb3119bb321af036b6dd3c3bb66878939c6266b6f78703d713823
- 64KB
  MD5: 6df66513d010e726e8bab7ea168a3b2a
  SHA1: 056b838ff2c8dab9929726eaba3f62e310369850
  SHA256: 5ccad7e623d4172d29561f039f31866d5a7e4c1361ee83cf848eff53182ef1ba
  SHA512: a70258dadb3004dd2dff7ce02d2682374fe714117d6991f66870b595707e03ff938d08c2dbc2d32ea76aa7c54ff7dd9fc29dbd0bcffc2bf53d7a02cadb52eb1a
- 1.1MB
  MD5: cf98708a8528d5558fabd25bc8b0a90d
  SHA1: f7b1523417093d83a73f055edebd61834353102c
  SHA256: a90f2bce8eb9442e2c02aa1df363c180b6e44d4514eee0faf36568fa85e9e527
  SHA512: 71238efb548608692722136491d71bd094ddbbd4672e468eab321cce18d7c3f6302360bfe319eca65e827c65716975aa6123f794acc3befc2ef255150f970c10
- 145B
  MD5: ca13857b2fd3895a39f09d9dde3cca97
  SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
  SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
  SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47
- 2.9MB (the submitted sample itself; hashes match the General section)
  MD5: ad742104f5da2b146e926f1eab741103
  SHA1: 0f8ddc0bf413c54159752ec412546ac8794a6819
  SHA256: 7de456532b87725cb5be6a3b13d4859c1b3d0fcd220b1935741373b567c8803d
  SHA512: ca4ce3da260debbc9a87b7ff9e03f81bec5641e6eed36b27f24d9c900a749214b81f49686a72c8ae66b66f0d9a47ad1084cf235b6f2a9cf76744ec9802fd7dd9
- 2.9MB
  MD5: 384ab83d8ed3c45c36d60d29741464eb
  SHA1: 2597285c83a7c9d358c939fc5a8ef06e5cc57583
  SHA256: eb53033b855dab1f328d6d188fda583a6e6c1e06527eb8cf755a253df2f4cf32
  SHA512: 3bce8af44e0bdc91c275494750ed691ca5608c099057d7d79058c0d6f3cf391933f6dcdd00e726af91889d9a4ec94b10e8f9dda31fb6ee0a81289acd680c9015
- 1.4MB
  MD5: 9ddb0a95e58947e15e12fc6763b192f5
  SHA1: e0f7aa244a07c98504134a19c4ff7873d5ab6c42
  SHA256: d0c87acb23c9b4b754636f5e425a9596250318680b6731ead6d873d0e82e269f
  SHA512: 7fc0b19d777deb83b3e058d09f01e84dd28efc0e7748b111384b346cfc15724cdc85f7fab42fb43516fe44663a6eea561c43c9186992b6621824f0244f53ef44