Analysis
- max time kernel: 145s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 29/02/2024, 09:23
Static task: static1
Behavioral task: behavioral1
- Sample: ae2b7b9558ccb84393dc9805186a90ce.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: ae2b7b9558ccb84393dc9805186a90ce.exe
- Resource: win10v2004-20240226-en
General
- Target: ae2b7b9558ccb84393dc9805186a90ce.exe
- Size: 656KB
- MD5: ae2b7b9558ccb84393dc9805186a90ce
- SHA1: cfcf022cee54d70c28a44ec82fdb2b151bf29a46
- SHA256: 39c67c0c86de0db51f75149ae415b71251c63ac42c763588d36e8f091000e064
- SHA512: 5acd90e04741dcc9c7324106d916fab298480329a7215526a79e9e08d2344b2ec61120eb8cbe4520d659a1e952428f988caf473c0f2594b590e1129b44a15919
- SSDEEP: 12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltHI:xEtl9mRda1MIHI
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | ae2b7b9558ccb84393dc9805186a90ce.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Drops startup file (3 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | ae2b7b9558ccb84393dc9805186a90ce.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | ae2b7b9558ccb84393dc9805186a90ce.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
Executes dropped EXE (1 IoCs)
pid | Process
1908 | HelpMe.exe
Loads dropped DLL (2 IoCs)
pid | Process
1976 | ae2b7b9558ccb84393dc9805186a90ce.exe
1976 | ae2b7b9558ccb84393dc9805186a90ce.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 IoCs: every drive letter except C:, D: and F:) | ae2b7b9558ccb84393dc9805186a90ce.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 IoCs: the same drive letters) | HelpMe.exe
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | ae2b7b9558ccb84393dc9805186a90ce.exe
File opened for modification | C:\AUTORUN.INF | ae2b7b9558ccb84393dc9805186a90ce.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | ae2b7b9558ccb84393dc9805186a90ce.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1976 wrote to memory of 1908 | 1976 | ae2b7b9558ccb84393dc9805186a90ce.exe | 28
PID 1976 wrote to memory of 1908 | 1976 | ae2b7b9558ccb84393dc9805186a90ce.exe | 28
PID 1976 wrote to memory of 1908 | 1976 | ae2b7b9558ccb84393dc9805186a90ce.exe | 28
PID 1976 wrote to memory of 1908 | 1976 | ae2b7b9558ccb84393dc9805186a90ce.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\ae2b7b9558ccb84393dc9805186a90ce.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ae2b7b9558ccb84393dc9805186a90ce.exe"
   PID: 1976
   - Modifies WinLogon for persistence
   - Drops startup file
   - Loads dropped DLL
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\HelpMe.exe (child of process 1)
      Command line: C:\Windows\system32\HelpMe.exe
      PID: 1908
      - Modifies WinLogon for persistence
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 657KB
MD5: c7af7c8a2b3a3530283817d490b64746
SHA1: 385155893f936c6dd6e0bef4e7584436cf1ed061
SHA256: 2c565c2bbf8f9435dba1241dac4c1b79758f5914058e8b47dd58ad895ff3083b
SHA512: c847a6c7dc2160698f89e6a0edddc33758490264c165214ad14e63275fec849a993a115b3f4c54176d616cdeded61936b467c34b08f0dbc7eb020aa487e4508d

Filesize: 1KB
MD5: 00a49e55993147317640d337edc01989
SHA1: b66d52de48d840ee9b74d566555394da80eaac54
SHA256: 1711ea81bfc8a52532c720998c78a5e0717af21a0cd23fa6edd559fa319ca59f
SHA512: 73ef83971c8ce8b7f365460beee698a4df8bc49f3d6e0c81597cf3f46ff69f8f6bd53912bbb7e15ff4bf1e6d06e281168ea53047bab6de8eafb31aea8248ca6f

Filesize: 950B
MD5: 7d8fc96bfd9bff5dbf54f7619cbc5e85
SHA1: 46d94e837f6e18a5411ba08d073fbe84f40a29f0
SHA256: 764d12837cbbc8ebb97128bbb0b6cd4c9083474b1360735d682f0e7d4d723237
SHA512: 7562457f120929b3a4b47a0f9d60ee6b1d424289bcac353520b7767bf3218a28f32c32dc71d6ac8bde09cac382d3e5c01d74d20b10f26cf61b168734c2aab514

Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Filesize: 656KB
MD5: ae2b7b9558ccb84393dc9805186a90ce
SHA1: cfcf022cee54d70c28a44ec82fdb2b151bf29a46
SHA256: 39c67c0c86de0db51f75149ae415b71251c63ac42c763588d36e8f091000e064
SHA512: 5acd90e04741dcc9c7324106d916fab298480329a7215526a79e9e08d2344b2ec61120eb8cbe4520d659a1e952428f988caf473c0f2594b590e1129b44a15919

Filesize: 654KB
MD5: f176141eb3323a810d85eacfe5a16af0
SHA1: 237bdecda2e88ffb67ea3cba75ed888e1364377c
SHA256: fa5d6049474d71f0e97dbbc6d2600055b5e5f5a3daf2a90896ffd7cfe500851a
SHA512: 2fd155c8f39438beff4085d50a9abbc82762bb3f836d2d09eea077b5fe9568093bd45dece348ff80456ae8d68e30fa7e7044f80558ed71bd7a2ebc7fde79e737