Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 03:10
Behavioral task behavioral1
Sample: ad8a053573f17bcef0da88f613a5aa87.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: ad8a053573f17bcef0da88f613a5aa87.exe
Resource: win10v2004-20240226-en
The signatures, process tree and file list below are from behavioral1 (the yara hits reference behavioral1/files/...). The Wow6432Node registry path and the SysWOW64 file path in those results show the sample is a 32-bit executable running under WOW64 on the x64 image.
General
Target: ad8a053573f17bcef0da88f613a5aa87.exe
Size: 477KB
MD5: ad8a053573f17bcef0da88f613a5aa87
SHA1: 9a4ae2a8670bd1a80662f55974491033613a8523
SHA256: a33402764a864c799f950d109bc8b176c56216d4fdb0cf09bcc281e02724f005
SHA512: b0a92d633a3520a9a94ea580180293f07673b19fcf0f6b187dda6954c3d9d0dc70c7c38bdd67ca96de966659494762f7457fe2adc59ff93f7f4c67725f7a87d2
SSDEEP: 6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvRAjZGrWmsu4lnEqR6q:5MMpXKb0hNGh1kG0HWnALbkr
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | ad8a053573f17bcef0da88f613a5aa87.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Note: the write landed under Wow6432Node because the sample is 32-bit and the Winlogon key is WOW64-redirected. The 64-bit winlogon.exe on this x64 image reads the native key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell), which the report does not show being touched, so the logon shell would not actually change on this host; on 32-bit Windows the same code hits the real key. The stock value is exactly explorer.exe, so an additional entry is a reliable indicator in either view.
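The check a responder would run against both registry views, as an added example that is not part of the Triage report. It parses a constructed text in `reg export` (.reg) format whose Wow6432Node view carries the value from the IoC above, splits the Shell value into program entries, and reports anything besides explorer.exe together with whether the 64-bit winlogon.exe would read that view. The host state, the helper names (`parse_reg_export`, `shell_entries`, `audit_winlogon_shell`) and the Userinit value are assumptions made for the example.

```python
"""Audit of the Winlogon Shell value in both registry views of 64-bit Windows
(added example, not part of the Triage report).  The input is a constructed text in
'reg export' (.reg) format whose Wow6432Node view carries the value from the report."""
import re

# Constructed .reg export (hypothetical host state): the native view is still the
# default, the WOW64 view holds the report's "Explorer.exe HelpMe.exe".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe HelpMe.exe"
"""

HKLM = "HKEY_LOCAL_MACHINE\\"
WINLOGON_VIEWS = {
    # view name -> (key path, whether the 64-bit winlogon.exe reads this view)
    "native": (HKLM + r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", True),
    "wow6432node": (HKLM + r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon", False),
}


def parse_reg_export(text):
    """Minimal .reg parser: {key path: {value name: string data}} for REG_SZ values.
    Undoes the \\ and \" escapes that reg.exe writes; other value types are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                keys[current][name.strip('"')] = (
                    data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    return keys


def shell_entries(value):
    """Split a Shell value into its program entries.  Microsoft documents comma
    separation; the sample relies on a space ("Explorer.exe HelpMe.exe"), so both
    are split on, while quoted paths containing spaces are kept whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^,\s]+', value)]


def audit_winlogon_shell(reg_text):
    """One finding per view whose Shell holds anything besides explorer.exe.  The
    stock value is exactly 'explorer.exe', so an extra entry is abnormal whether
    Winlogon would run it as a second shell or hand it to explorer.exe as an argument."""
    keys = parse_reg_export(reg_text)
    findings = []
    for view, (path, read_by_winlogon) in WINLOGON_VIEWS.items():
        shell = keys.get(path, {}).get("Shell")
        if shell is None:
            continue
        extra = [e for e in shell_entries(shell) if e.lower() != "explorer.exe"]
        if extra:
            findings.append({"view": view, "value": shell, "extra": extra,
                             "read_by_64bit_winlogon": read_by_winlogon})
    return findings


if __name__ == "__main__":
    for f in audit_winlogon_shell(SAMPLE_REG):
        effect = "changes the logon shell" if f["read_by_64bit_winlogon"] else "ignored by 64-bit winlogon"
        print(f"{f['view']}: Shell={f['value']!r} extra={f['extra']} ({effect})")
```

On a live host, feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and the Wow6432Node equivalent; on 32-bit Windows only the native view exists.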
Renames multiple (91) files with added filename extension
The sandbox's canned interpretation is that this suggests ransomware encrypting the files on the system. The report records neither the appended extension nor any file-content writes for this signature, and mass rename-with-added-extension also occurs in file-infecting worms, which the rest of this report (AUTORUN.INF drops on drive roots, a copy in SysWOW64, a Winlogon Shell entry) resembles more than typical ransomware. Treat it as a mass-rename indicator rather than proof of encryption until the renamed files are examined.
Yara rule aspack_v212_v242 matched (ASPack v2.12-2.42 packer) (3 IoCs)
resource | yara_rule
behavioral1/files/0x000b00000001224f-2.dat | aspack_v212_v242
behavioral1/files/0x002c000000015f6d-38.dat | aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat | aspack_v212_v242
The three files are ASPack-packed and need unpacking before static analysis or string extraction will show anything useful.
Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | ad8a053573f17bcef0da88f613a5aa87.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | ad8a053573f17bcef0da88f613a5aa87.exe
Executes dropped EXE (1 IoC)
pid | Process
2184 | HelpMe.exe
Loads dropped DLL (31 IoCs)
pid | Process
1928 | ad8a053573f17bcef0da88f613a5aa87.exe (2 entries)
2184 | HelpMe.exe (the remaining 29 entries)
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 entries) | ad8a053573f17bcef0da88f613a5aa87.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 entries) | HelpMe.exe
Both processes open every drive letter except C:, D: and F:, i.e. a loop over A: to Z: looking for further volumes, which fits the AUTORUN.INF written to F: below.
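Detection logic for the two behavioural signals above (the drive-root sweep here and the mass rename-with-added-extension signature earlier), as an added example that is not part of the Triage report. It runs over a constructed event log: the "opened" lines reproduce the report's rows (both processes touch every letter except C:, D: and F:), while the "renamed" lines, the explorer.exe control process and the `.added` extension are invented because the report does not show the real extension or file names. Function names and the line format are assumptions made for the example.

```python
"""Behavioural detections over sandbox-style file events (added example, not part of
the Triage report).  Two of the report's signals are implemented: a process probing
many drive roots ('Enumerates connected drives') and a process renaming many files by
appending an extension ('Renames multiple (91) files with added filename extension')."""
import re
from collections import defaultdict

# Constructed event log.  The "opened" lines mirror the report's rows (both processes
# touched every letter except C:, D: and F:); the "renamed" lines are invented, and
# ".added" is a placeholder because the report does not show the real extension.
_SWEPT = "ABEGHIJKLMNOPQRSTUVWXYZ"
SAMPLE_EVENTS = (
    "".join(f"1928 ad8a053573f17bcef0da88f613a5aa87.exe opened \\??\\{d}:\n" for d in _SWEPT)
    + "".join(f"2184 HelpMe.exe opened \\??\\{d}:\n" for d in _SWEPT)
    + "3100 explorer.exe opened \\??\\E:\n"
    + "".join(f"2184 HelpMe.exe renamed F:\\docs\\file{i}.docx -> F:\\docs\\file{i}.docx.added\n"
             for i in range(6))
    + "3100 explorer.exe renamed C:\\Users\\Admin\\new.txt -> C:\\Users\\Admin\\notes.txt\n"
    + "3100 explorer.exe renamed C:\\Users\\Admin\\a.docx -> C:\\Users\\Admin\\a.pdf\n"
)

DRIVE_OPEN_RE = re.compile(r"^(\d+) (\S+) opened \\\?\?\\([A-Za-z]):$")
RENAME_RE = re.compile(r"^(\d+) (\S+) renamed (.+?) -> (.+)$")


def parse_events(text):
    """Turn the line format above into dicts; lines that match neither pattern are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = DRIVE_OPEN_RE.match(line)
        if m:
            events.append({"pid": int(m[1]), "proc": m[2], "kind": "drive_open",
                           "drive": m[3].upper()})
            continue
        m = RENAME_RE.match(line)
        if m:
            events.append({"pid": int(m[1]), "proc": m[2], "kind": "rename",
                           "src": m[3], "dst": m[4]})
    return events


def drive_sweeps(events, min_drives=8):
    """Processes that opened at least min_drives distinct drive roots.  Ordinary
    software touches the volumes it was given a path on; walking A: to Z: is a worm
    looking for something to infect.  Returns {(pid, proc): sorted drive letters}."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "drive_open":
            seen[(e["pid"], e["proc"])].add(e["drive"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_drives}


def added_extension_renames(events, min_files=5):
    """Processes that renamed at least min_files files to '<original full name>.<ext>'.
    A rename that merely swaps the extension (a.docx -> a.pdf) or changes the base
    name is not counted.  Returns {(pid, proc, ext): [original paths]}."""
    hits = defaultdict(list)
    for e in events:
        if e["kind"] != "rename":
            continue
        src, dst = e["src"], e["dst"]
        if len(dst) > len(src) + 1 and dst.lower().startswith(src.lower() + "."):
            hits[(e["pid"], e["proc"], dst[len(src):].lower())].append(src)
    return {k: v for k, v in hits.items() if len(v) >= min_files}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for (pid, proc), drives in drive_sweeps(evs).items():
        print(f"drive sweep: {proc} (pid {pid}) opened {len(drives)} roots: {''.join(drives)}")
    for (pid, proc, ext), files in added_extension_renames(evs).items():
        print(f"mass rename: {proc} (pid {pid}) appended {ext} to {len(files)} files")
```

The thresholds are deliberately low for a sandbox run; on an endpoint with Sysmon file events, raise `min_files` and add a time window so that backup tools renaming `*.bak` do not trip the rename rule.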
Drops autorun.inf file (1 TTP, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | ad8a053573f17bcef0da88f613a5aa87.exe
File opened for modification | C:\AUTORUN.INF | ad8a053573f17bcef0da88f613a5aa87.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
Note: since Windows 7 (and KB971029 on XP/Vista) AutoRun is ignored for non-optical media, so an AUTORUN.INF on F: only executes on hosts that still honour it. It remains a high-confidence indicator of worm-style propagation, and the file on F: should be collected during response to learn which binary it points at.
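A parser for the AUTORUN.INF format the sample writes to drive roots, as an added example that is not part of the Triage report. The report records only that C:\AUTORUN.INF and F:\AUTORUN.INF were modified, so the file content below is constructed in the style such droppers use (launch keys pointing at the dropped executable, folder icon and action text to disguise the volume); the key names `open`, `shellexecute`, `shell\<verb>\command`, `icon`, `label` and `action` are the real AUTORUN.INF keys, while the function names and the verdict heuristics are assumptions made for the example.

```python
"""Parser for the AUTORUN.INF files the sample writes to drive roots (added example,
not part of the Triage report).  The file content below is constructed; the report
records only that C:\\AUTORUN.INF and F:\\AUTORUN.INF were modified."""
import re

# Constructed AUTORUN.INF in the style such droppers use: every launch key points at
# the dropped executable, and the icon/action lines disguise the drive as a folder.
SAMPLE_AUTORUN = """\
[AutoRun]
; constructed for the example
open=HelpMe.exe
shellexecute=HelpMe.exe
shell\\open\\command=HelpMe.exe
shell\\explore\\command=HelpMe.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Keys whose value Explorer would execute: open, shellexecute, shell\<verb>\command
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun_inf(text):
    """Return {'commands': [(key, value), ...], 'ui': {...}} from an AUTORUN.INF.
    Only the [autorun] section is honoured (case-insensitive); comment lines and other
    sections are skipped; key names are lower-cased, values kept verbatim."""
    commands, ui, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if LAUNCH_KEY.match(key):
            commands.append((key, value))
        elif key in ("icon", "label", "action", "shell"):
            ui[key] = value
    return {"commands": commands, "ui": ui}


def autorun_verdict(text):
    """Heuristic reasons to treat an AUTORUN.INF as malicious: it launches an
    executable from the volume, overrides Explorer's own open/explore verbs, or
    pairs a system folder icon with custom action text (assumed heuristics)."""
    parsed = parse_autorun_inf(text)
    reasons = []
    for key, value in parsed["commands"]:
        target = value.split()[0].strip('"').lower() if value else ""
        if target.endswith(EXEC_EXT):
            reasons.append(f"{key} launches {target}")
        if key.startswith("shell\\"):
            reasons.append(f"{key} overrides an Explorer verb")
    ui = parsed["ui"]
    if "shell32.dll" in ui.get("icon", "").lower() and ui.get("action"):
        reasons.append("system folder icon plus custom action text (drive disguised as a folder)")
    return reasons


if __name__ == "__main__":
    for key, value in parse_autorun_inf(SAMPLE_AUTORUN)["commands"]:
        print(f"{key} -> {value}")
    for reason in autorun_verdict(SAMPLE_AUTORUN):
        print("flag:", reason)
```

Run it over the AUTORUN.INF recovered from F: to get the executable name to hunt for on every volume that was attached to the infected host.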
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | ad8a053573f17bcef0da88f613a5aa87.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1928 wrote to memory of 2184 | 1928 | ad8a053573f17bcef0da88f613a5aa87.exe | 28
(the same row is recorded four times)
Note: all four writes go from the parent into the child it had just created. The sandbox raises this signature for any parent writing into a new child's address space, which CreateProcess itself does, so on its own this is not evidence of code injection.
Processes
C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe (PID 1928, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\ad8a053573f17bcef0da88f613a5aa87.exe"
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\HelpMe.exe (PID 2184, depth 2, child of 1928)
    command line: C:\Windows\system32\HelpMe.exe
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
The child's command line names system32 while its image lives in SysWOW64: the sample is 32-bit, so WOW64 file-system redirection maps its system32 accesses to SysWOW64. On 32-bit Windows there is no redirection and the same code writes C:\Windows\system32\HelpMe.exe, so hunt for the file name under both directories.
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 477KB
MD5: 0204d377cb429962fd564f31e02f88ac
SHA1: 83ab4729316a798b8d81d0ac27c328969894abcb
SHA256: 03b4bfe6b90587a8b794728d452082825432ff23ce45c4d62e81ac66f165d0bb
SHA512: 6fd80e1c609c3d426f4ccd1f7dbc51e2133e07728e6724b5a9e525cf98f667f690824da8a0a616017500a81ff3ba55233141cd98d59517ff39fee054c9a0b475

File 2
Filesize: 1KB
MD5: 67a6adadcdf506af7c89cb147722a1e1
SHA1: a9489f615a9cb8228fb50c04c4d2f76ac6e1a686
SHA256: 985d7e05cf3083e62835033e7bb62302c035f5c32616e29bf7313f76c1b878f3
SHA512: 606ba6bbc6f8bb01d4ba24583ce6429df5ebb4643a21d87928a3325dd19d4719102feadf65b1a3139db7c90796c60b9ecdf2a5f8bf5f063e606ecf0f052df6a0

File 3
Filesize: 954B
MD5: ddcbdec4911a915b53d0d08b12e94c22
SHA1: a1ea8be0baf8730904cc9df340bab78582c43743
SHA256: 94a432ed70f5334c8b5a4607b1d534a3ce0ca53809b169c0eababa087bba0195
SHA512: e040fb98426c8ad53ae6b117b5bed28aa92b61332c3798e36ae48f733d2a23a2e2db0498d4a08e79e9184898fd6e07d3d237f83b6ee676e17fb0f6a722238265

File 4
Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

File 5 (identical to the submitted sample: same MD5, SHA1, SHA256 and SHA512 as under General)
Filesize: 477KB
MD5: ad8a053573f17bcef0da88f613a5aa87
SHA1: 9a4ae2a8670bd1a80662f55974491033613a8523
SHA256: a33402764a864c799f950d109bc8b176c56216d4fdb0cf09bcc281e02724f005
SHA512: b0a92d633a3520a9a94ea580180293f07673b19fcf0f6b187dda6954c3d9d0dc70c7c38bdd67ca96de966659494762f7457fe2adc59ff93f7f4c67725f7a87d2

File 6
Filesize: 475KB
MD5: 0ad94d1d5e36331067b4d0b470e21d6a
SHA1: 02b345a4b2bceb1aac5663bae61d13f692514a2d
SHA256: d6f25f47371f29fecab67a4f9538aa92612029c6094c8102bbda6832f0a9f023
SHA512: 49b470761affab9bd04b87b43ffbc71c9ea98063daa18668aebf99383982be66d1e142d5e0f804094d1047225cb0399963767ff9e69da0ff26000c296dccfd46