Analysis
-
max time kernel: 146s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2024, 05:16
-
Behavioral task: behavioral1
Sample: b3e12127b76ce34e00b09e1afc4360c2.exe
Resource: win7-20240221-en
-
Behavioral task: behavioral2
Sample: b3e12127b76ce34e00b09e1afc4360c2.exe
Resource: win10v2004-20240226-en
General
-
Target: b3e12127b76ce34e00b09e1afc4360c2.exe
Size: 516KB
MD5: b3e12127b76ce34e00b09e1afc4360c2
SHA1: 9c90473a5cf95c8bc30390f593ffaa95a617301c
SHA256: 41e253056520087685c68a854acd8a18f0a4fe13182a0c7e2030470545adc927
SHA512: cd62026164ddd579e09a8a38b374c4e233b1f38ca8a1d4bd111bb5aa26487a5e40d77e8dbe1d0113a478772cfe305d2d7a5e77beaaa227c564a93f3d92e0cb03
SSDEEP: 6144:LiMmXRH6pXfSb0ceR/VFAHh1kgcs0HW1kyApHhP+gDzvR2hQy+jvujZFaV:5MMpXKb0hNGh1kG0HWnALbd
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | b3e12127b76ce34e00b09e1afc4360c2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
-
Renames multiple (91) files with added filename extension
This suggests ransomware activity, i.e. encrypting all the files on the system.
-
resource | yara_rule
behavioral1/files/0x000900000001222c-2.dat | aspack_v212_v242
behavioral1/files/0x000700000001560a-38.dat | aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat | aspack_v212_v242
-
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b3e12127b76ce34e00b09e1afc4360c2.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b3e12127b76ce34e00b09e1afc4360c2.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2024 | HelpMe.exe
-
Loads dropped DLL 2 IoCs
pid | Process
2072 | b3e12127b76ce34e00b09e1afc4360c2.exe
2072 | b3e12127b76ce34e00b09e1afc4360c2.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | b3e12127b76ce34e00b09e1afc4360c2.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: | HelpMe.exe
-
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | b3e12127b76ce34e00b09e1afc4360c2.exe
File opened for modification | C:\AUTORUN.INF | b3e12127b76ce34e00b09e1afc4360c2.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | b3e12127b76ce34e00b09e1afc4360c2.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2072 wrote to memory of 2024 | 2072 | b3e12127b76ce34e00b09e1afc4360c2.exe | 28
PID 2072 wrote to memory of 2024 | 2072 | b3e12127b76ce34e00b09e1afc4360c2.exe | 28
PID 2072 wrote to memory of 2024 | 2072 | b3e12127b76ce34e00b09e1afc4360c2.exe | 28
PID 2072 wrote to memory of 2024 | 2072 | b3e12127b76ce34e00b09e1afc4360c2.exe | 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3e12127b76ce34e00b09e1afc4360c2.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\b3e12127b76ce34e00b09e1afc4360c2.exe"
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2072
-
C:\Windows\SysWOW64\HelpMe.exe (level 2)
command line: C:\Windows\system32\HelpMe.exe
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID: 2024
-
Network
MITRE ATT&CK Enterprise v15
Downloads