Analysis
max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/03/2024, 22:07
Behavioral task behavioral1
Sample: b337b7825c832c6a31a5207d22d5f987.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: b337b7825c832c6a31a5207d22d5f987.exe
Resource: win10v2004-20240226-en
General
Target: b337b7825c832c6a31a5207d22d5f987.exe
Size: 970KB
MD5: b337b7825c832c6a31a5207d22d5f987
SHA1: a73f1613c58aeb342afa205a0a7c3fe6dc93de62
SHA256: 5827dc336f6100d98832279ffa07c57f93ed8f233644977f519b2ac2d687936e
SHA512: 98002aee61204d22bb526d3e34b11c7852f163e0671a40dda28706196296432741867a9e743e1cea45a8e6d43d597dee2e3259d16d394a89d60114b808a4deaf
SSDEEP: 12288:5MMpXKb0hNGh1kG0HWnAL7MMpXKb0hNGh1kG0HWnALa:5MMpXS0hN0V0H7MMpXS0hN0V0Ha
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | b337b7825c832c6a31a5207d22d5f987.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
resource | yara_rule
behavioral1/files/0x000b000000012256-2.dat | aspack_v212_v242
behavioral1/files/0x000a000000013a7c-38.dat | aspack_v212_v242
behavioral1/files/0x0001000000000026-65.dat | aspack_v212_v242
Drops startup file 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b337b7825c832c6a31a5207d22d5f987.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b337b7825c832c6a31a5207d22d5f987.exe
Executes dropped EXE 1 IoCs
pid | Process
1240 | HelpMe.exe
Loads dropped DLL 2 IoCs
pid | Process
2164 | b337b7825c832c6a31a5207d22d5f987.exe
2164 | b337b7825c832c6a31a5207d22d5f987.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive roots, every letter except C:, D: and F:) | HelpMe.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive roots, every letter except C:, D: and F:) | b337b7825c832c6a31a5207d22d5f987.exe
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | b337b7825c832c6a31a5207d22d5f987.exe
File opened for modification | C:\AUTORUN.INF | b337b7825c832c6a31a5207d22d5f987.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | b337b7825c832c6a31a5207d22d5f987.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2164 wrote to memory of 1240 | 2164 | b337b7825c832c6a31a5207d22d5f987.exe | 28
PID 2164 wrote to memory of 1240 | 2164 | b337b7825c832c6a31a5207d22d5f987.exe | 28
PID 2164 wrote to memory of 1240 | 2164 | b337b7825c832c6a31a5207d22d5f987.exe | 28
PID 2164 wrote to memory of 1240 | 2164 | b337b7825c832c6a31a5207d22d5f987.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b337b7825c832c6a31a5207d22d5f987.exe"
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2164
  C:\Windows\SysWOW64\HelpMe.exe (tree depth 2, child of PID 2164)
  Command line: C:\Windows\system32\HelpMe.exe
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1240
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 971KB
MD5: ad08ce27e5e85d84dda0d508031ca060
SHA1: 5b561353d8365e404ca068a284f46be9442955e3
SHA256: 63e87d4a0b445cf2e407290a31ecf5d226bb1a45e6880bafaf4fc68d1cfa7e96
SHA512: bc6ecc5d0eccb31a2ae088323a5ebfbf5509d0b313626f70a48436ada15265827f96b13dd87d94676d8a85c9dac5fff5d42b9a7dee57e57c8c22267fb6a49116

Filesize: 1KB
MD5: ddadcf81a9fc83b0b626c30e78880a9e
SHA1: 9224fa092550dc910891b20b6c5b15bdbd2c65bb
SHA256: 2c91d8d0758afff7b10a226b3ea0bcc60af1b11b2b349e03cf97708bed038ac5
SHA512: d1ecc410067ddf6a7f34de0d321ca05d77bc632e64bfc2309bc1c3bfdd9d0b8efdd04329a16fc902f03473c78bf828cd04fdc96ae0884fee44ed804373d28559

Filesize: 954B
MD5: 6e1b55823cd42884621c5032600b2bd0
SHA1: ead036d292af110d57e996403a2719e388290f95
SHA256: a00e3208e4dba6080062f4953fc109ce17104c9208eec904efc692424aaabb3a
SHA512: a45887dd6d102d098f46fe19618da388da20ce04df8bfee0895bb09958de9084d608ae5a9bffc9e04752f9188cbf0814b8e9755ede6a220bca7e2adb5c8a422e

Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Filesize: 652KB
MD5: 1f5e185c57a7268df04cb6b2b76a92d1
SHA1: d5eaf064d4877eeea3a52b4c0d693ed6b7883024
SHA256: 11d1774e282834a8028bb9b99ac77e6a8b11e8d4be9c170f4748817c603435ac
SHA512: 021716ba8d6804b6fb8c6c967abbf27d713dc0d264c0bd51b509b0b69fb74aecd252d5056da10b9241530a758a147a9dabf972c42f90b5a6e45bf1b58d6fdda3

Filesize: 969KB
MD5: 06a18d8092bd6c922d07922d3292f2e2
SHA1: 76689f623991f89f5be7df73cd7058994c773a20
SHA256: a6d1e72ed010811b4694ab1f262d4ed4eb16f710eb9d14ac4d05f4796da90133
SHA512: 5605c3e3a7ccad8c893bb39e1f34887b814011abe48681a1c3a32b3b31fc39137818ed83a950f535d80be16df59aff28f58f9a7f5477f776146f6949d96623f5