39c67c0c86de0db51f75149ae415b71251c63ac42c763588d36e8f091000e064

Analysis

max time kernel
145s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/02/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae2b7b9558ccb84393dc9805186a90ce.exe
Size

656KB
MD5

ae2b7b9558ccb84393dc9805186a90ce
SHA1

cfcf022cee54d70c28a44ec82fdb2b151bf29a46
SHA256

39c67c0c86de0db51f75149ae415b71251c63ac42c763588d36e8f091000e064
SHA512

5acd90e04741dcc9c7324106d916fab298480329a7215526a79e9e08d2344b2ec61120eb8cbe4520d659a1e952428f988caf473c0f2594b590e1129b44a15919
SSDEEP

12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltHI:xEtl9mRda1MIHI

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	ae2b7b9558ccb84393dc9805186a90ce.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ae2b7b9558ccb84393dc9805186a90ce.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	ae2b7b9558ccb84393dc9805186a90ce.exe
1976	ae2b7b9558ccb84393dc9805186a90ce.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\N:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\E:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\R:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\W:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\Z:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\B:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\L:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\H:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\Q:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\T:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\G:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\O:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\V:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\M:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\U:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\J:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\P:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\S:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\X:	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\I:	ae2b7b9558ccb84393dc9805186a90ce.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened for modification	C:\AUTORUN.INF	ae2b7b9558ccb84393dc9805186a90ce.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	ae2b7b9558ccb84393dc9805186a90ce.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1908	1976	ae2b7b9558ccb84393dc9805186a90ce.exe	28
PID 1976 wrote to memory of 1908	1976	ae2b7b9558ccb84393dc9805186a90ce.exe	28
PID 1976 wrote to memory of 1908	1976	ae2b7b9558ccb84393dc9805186a90ce.exe	28
PID 1976 wrote to memory of 1908	1976	ae2b7b9558ccb84393dc9805186a90ce.exe	28

C:\Users\Admin\AppData\Local\Temp\ae2b7b9558ccb84393dc9805186a90ce.exe
"C:\Users\Admin\AppData\Local\Temp\ae2b7b9558ccb84393dc9805186a90ce.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

Filesize
657KB

MD5
c7af7c8a2b3a3530283817d490b64746

SHA1
385155893f936c6dd6e0bef4e7584436cf1ed061

SHA256
2c565c2bbf8f9435dba1241dac4c1b79758f5914058e8b47dd58ad895ff3083b

SHA512
c847a6c7dc2160698f89e6a0edddc33758490264c165214ad14e63275fec849a993a115b3f4c54176d616cdeded61936b467c34b08f0dbc7eb020aa487e4508d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
00a49e55993147317640d337edc01989

SHA1
b66d52de48d840ee9b74d566555394da80eaac54

SHA256
1711ea81bfc8a52532c720998c78a5e0717af21a0cd23fa6edd559fa319ca59f

SHA512
73ef83971c8ce8b7f365460beee698a4df8bc49f3d6e0c81597cf3f46ff69f8f6bd53912bbb7e15ff4bf1e6d06e281168ea53047bab6de8eafb31aea8248ca6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
950B

MD5
7d8fc96bfd9bff5dbf54f7619cbc5e85

SHA1
46d94e837f6e18a5411ba08d073fbe84f40a29f0

SHA256
764d12837cbbc8ebb97128bbb0b6cd4c9083474b1360735d682f0e7d4d723237

SHA512
7562457f120929b3a4b47a0f9d60ee6b1d424289bcac353520b7767bf3218a28f32c32dc71d6ac8bde09cac382d3e5c01d74d20b10f26cf61b168734c2aab514

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
656KB

MD5
ae2b7b9558ccb84393dc9805186a90ce

SHA1
cfcf022cee54d70c28a44ec82fdb2b151bf29a46

SHA256
39c67c0c86de0db51f75149ae415b71251c63ac42c763588d36e8f091000e064

SHA512
5acd90e04741dcc9c7324106d916fab298480329a7215526a79e9e08d2344b2ec61120eb8cbe4520d659a1e952428f988caf473c0f2594b590e1129b44a15919

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
654KB

MD5
f176141eb3323a810d85eacfe5a16af0

SHA1
237bdecda2e88ffb67ea3cba75ed888e1364377c

SHA256
fa5d6049474d71f0e97dbbc6d2600055b5e5f5a3daf2a90896ffd7cfe500851a

SHA512
2fd155c8f39438beff4085d50a9abbc82762bb3f836d2d09eea077b5fe9568093bd45dece348ff80456ae8d68e30fa7e7044f80558ed71bd7a2ebc7fde79e737

Download Submit
memory/1908-9-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1976-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1976-236-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads