Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/02/2024, 09:23

General

  • Target

    ae2b7b9558ccb84393dc9805186a90ce.exe

  • Size

    656KB

  • MD5

    ae2b7b9558ccb84393dc9805186a90ce

  • SHA1

    cfcf022cee54d70c28a44ec82fdb2b151bf29a46

  • SHA256

    39c67c0c86de0db51f75149ae415b71251c63ac42c763588d36e8f091000e064

  • SHA512

    5acd90e04741dcc9c7324106d916fab298480329a7215526a79e9e08d2344b2ec61120eb8cbe4520d659a1e952428f988caf473c0f2594b590e1129b44a15919

  • SSDEEP

    12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltHI:xEtl9mRda1MIHI

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae2b7b9558ccb84393dc9805186a90ce.exe
    "C:\Users\Admin\AppData\Local\Temp\ae2b7b9558ccb84393dc9805186a90ce.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1908

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

    Filesize

    657KB

    MD5

    c7af7c8a2b3a3530283817d490b64746

    SHA1

    385155893f936c6dd6e0bef4e7584436cf1ed061

    SHA256

    2c565c2bbf8f9435dba1241dac4c1b79758f5914058e8b47dd58ad895ff3083b

    SHA512

    c847a6c7dc2160698f89e6a0edddc33758490264c165214ad14e63275fec849a993a115b3f4c54176d616cdeded61936b467c34b08f0dbc7eb020aa487e4508d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    00a49e55993147317640d337edc01989

    SHA1

    b66d52de48d840ee9b74d566555394da80eaac54

    SHA256

    1711ea81bfc8a52532c720998c78a5e0717af21a0cd23fa6edd559fa319ca59f

    SHA512

    73ef83971c8ce8b7f365460beee698a4df8bc49f3d6e0c81597cf3f46ff69f8f6bd53912bbb7e15ff4bf1e6d06e281168ea53047bab6de8eafb31aea8248ca6f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    7d8fc96bfd9bff5dbf54f7619cbc5e85

    SHA1

    46d94e837f6e18a5411ba08d073fbe84f40a29f0

    SHA256

    764d12837cbbc8ebb97128bbb0b6cd4c9083474b1360735d682f0e7d4d723237

    SHA512

    7562457f120929b3a4b47a0f9d60ee6b1d424289bcac353520b7767bf3218a28f32c32dc71d6ac8bde09cac382d3e5c01d74d20b10f26cf61b168734c2aab514

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    656KB

    MD5

    ae2b7b9558ccb84393dc9805186a90ce

    SHA1

    cfcf022cee54d70c28a44ec82fdb2b151bf29a46

    SHA256

    39c67c0c86de0db51f75149ae415b71251c63ac42c763588d36e8f091000e064

    SHA512

    5acd90e04741dcc9c7324106d916fab298480329a7215526a79e9e08d2344b2ec61120eb8cbe4520d659a1e952428f988caf473c0f2594b590e1129b44a15919

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    654KB

    MD5

    f176141eb3323a810d85eacfe5a16af0

    SHA1

    237bdecda2e88ffb67ea3cba75ed888e1364377c

    SHA256

    fa5d6049474d71f0e97dbbc6d2600055b5e5f5a3daf2a90896ffd7cfe500851a

    SHA512

    2fd155c8f39438beff4085d50a9abbc82762bb3f836d2d09eea077b5fe9568093bd45dece348ff80456ae8d68e30fa7e7044f80558ed71bd7a2ebc7fde79e737

  • memory/1908-9-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/1976-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB

  • memory/1976-236-0x00000000002A0000-0x00000000002A1000-memory.dmp

    Filesize

    4KB