Analysis
max time kernel: 145s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 04/03/2024, 21:49
Behavioral task: behavioral1
Sample: b32f8e38b6835b37ce52f3aca570ef8a.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b32f8e38b6835b37ce52f3aca570ef8a.exe
Resource: win10v2004-20240226-en
General
Target: b32f8e38b6835b37ce52f3aca570ef8a.exe
Size: 1.1MB
MD5: b32f8e38b6835b37ce52f3aca570ef8a
SHA1: bb15c07e0bf974d09e45954556de0592c4b57d08
SHA256: dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814
SHA512: dd2833c1efe50cb5f220bf28bf1ef57394db8aad34b34499352c68306ed6b753efc0afb7038daef388380cb4a34eecf0ea85a099e4ce5eb3efe024c311e18b73
SSDEEP: 12288:5MMpXKb0hNGh1kG0HWnALbLw+VsLkjrVlQB9FbDTF53nlNFRpO50w9XCfyGjN1PS:5MMpXS0hN0V0HvwkSGr
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | b32f8e38b6835b37ce52f3aca570ef8a.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

resource | yara_rule
behavioral1/files/0x000b00000001224f-2.dat | aspack_v212_v242
behavioral1/files/0x0032000000014983-38.dat | aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat | aspack_v212_v242
Drops startup file (3 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b32f8e38b6835b37ce52f3aca570ef8a.exe

Executes dropped EXE (1 IoCs)
pid | Process
1296 | HelpMe.exe

Loads dropped DLL (2 IoCs)
pid | Process
2928 | b32f8e38b6835b37ce52f3aca570ef8a.exe
2928 | b32f8e38b6835b37ce52f3aca570ef8a.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\W: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\J: | HelpMe.exe
File opened (read-only) | \??\O: | HelpMe.exe
File opened (read-only) | \??\Q: | HelpMe.exe
File opened (read-only) | \??\T: | HelpMe.exe
File opened (read-only) | \??\Y: | HelpMe.exe
File opened (read-only) | \??\K: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\M: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\Z: | HelpMe.exe
File opened (read-only) | \??\I: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\O: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\G: | HelpMe.exe
File opened (read-only) | \??\M: | HelpMe.exe
File opened (read-only) | \??\A: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\E: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\S: | HelpMe.exe
File opened (read-only) | \??\X: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\N: | HelpMe.exe
File opened (read-only) | \??\A: | HelpMe.exe
File opened (read-only) | \??\V: | HelpMe.exe
File opened (read-only) | \??\Q: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\R: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\R: | HelpMe.exe
File opened (read-only) | \??\U: | HelpMe.exe
File opened (read-only) | \??\P: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\T: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\Z: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\B: | HelpMe.exe
File opened (read-only) | \??\E: | HelpMe.exe
File opened (read-only) | \??\I: | HelpMe.exe
File opened (read-only) | \??\K: | HelpMe.exe
File opened (read-only) | \??\P: | HelpMe.exe
File opened (read-only) | \??\S: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\V: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\U: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\Y: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\H: | HelpMe.exe
File opened (read-only) | \??\L: | HelpMe.exe
File opened (read-only) | \??\W: | HelpMe.exe
File opened (read-only) | \??\X: | HelpMe.exe
File opened (read-only) | \??\J: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\N: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\H: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\L: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\B: | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened (read-only) | \??\G: | b32f8e38b6835b37ce52f3aca570ef8a.exe
Drops autorun.inf file (1 TTPs, 3 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\AUTORUN.INF | b32f8e38b6835b37ce52f3aca570ef8a.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
File opened for modification | F:\AUTORUN.INF | b32f8e38b6835b37ce52f3aca570ef8a.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | b32f8e38b6835b37ce52f3aca570ef8a.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2928 wrote to memory of 1296 | 2928 | b32f8e38b6835b37ce52f3aca570ef8a.exe | 28
PID 2928 wrote to memory of 1296 | 2928 | b32f8e38b6835b37ce52f3aca570ef8a.exe | 28
PID 2928 wrote to memory of 1296 | 2928 | b32f8e38b6835b37ce52f3aca570ef8a.exe | 28
PID 2928 wrote to memory of 1296 | 2928 | b32f8e38b6835b37ce52f3aca570ef8a.exe | 28
Processes
C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b32f8e38b6835b37ce52f3aca570ef8a.exe"
  PID: 2928
  - Modifies WinLogon for persistence
  - Drops startup file
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\HelpMe.exe
    Command line: C:\Windows\system32\HelpMe.exe
    PID: 1296
    - Modifies WinLogon for persistence
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: 569baf132f3455efb7b16f1947786d37
SHA1: 13165399307e115e80ceca5c76f94ea941388b6c
SHA256: 08dea23eb844f8ecd2f373595064133dfc44f1efcd9cfd4b35d317b8b42be049
SHA512: 8e6564ca3496fddd9aa01cc9cc728cf263f8ad11dda076b0d1a6eacd4fd5a98de6bb7f75267e2062b1e6743883e9a5d810bd7347d6609bf131f40bfe5bff1ad3

Filesize: 1KB
MD5: b3f42a5c7c1350c6d2c820d5b7bb2e4e
SHA1: 76552523bc2bf373d292787542ce0ea6f55e3156
SHA256: 2de99e344bcc1fbe74b5a2e462ff61d37cadc40cf0f1069163c46e98da157acb
SHA512: 01be09df99df9632ce6ffb0532246b25f92fa5053446564fa82515f6fb18ae4260d42f01098ebc4de6ced5ede1812acf55d4e5e542ac292d4acf5f31142b89e5

Filesize: 954B
MD5: 546e41c33c20c2f562621ae1dbbad3af
SHA1: ccf3942c94bf0bbdc92fb4bf749614ae915a4df8
SHA256: 59b72688edee94c7a394d2fbde8c4c92ebe9afa641ff12672a2e47d325ed19d2
SHA512: 141d7d9111b0bd3f1ef868319c599559b075f757ca9a9d728bb4a77ca247326340a6306bf57d954d9e5d74f2be52d45ec9d2a657977034155982b3b6f3d9a385

Filesize: 145B
MD5: ca13857b2fd3895a39f09d9dde3cca97
SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Filesize: 1.1MB
MD5: b32f8e38b6835b37ce52f3aca570ef8a
SHA1: bb15c07e0bf974d09e45954556de0592c4b57d08
SHA256: dd776f08b03b1ef85c1eaf1b3d6b945f003a04d8ca1570de6276ca73de37e814
SHA512: dd2833c1efe50cb5f220bf28bf1ef57394db8aad34b34499352c68306ed6b753efc0afb7038daef388380cb4a34eecf0ea85a099e4ce5eb3efe024c311e18b73

Filesize: 1.1MB
MD5: 6ec7fc7dfb5c78eec8a56ba45493f029
SHA1: 18cd2ab17678a0f4c3153b00363c549586343c79
SHA256: 2d21f38e5de7d7a8b7a40b5fc7b463e9b7ca9077ebe899018e9242b51864d17d
SHA512: 9d621ea7fbd2ebc3ea529eb28130f7426fb0ca3cbcd473e04d9c17a57748700650b66e5e8e23e54b361faafc7aec44aca9296d3f86fc36a8497947ae62f7a3db