Analysis
-
max time kernel
146s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
05/03/2024, 06:33
Behavioral task
behavioral1
Sample
b40701c5063a64941f1349a81569bb17.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b40701c5063a64941f1349a81569bb17.exe
Resource
win10v2004-20240226-en
General
-
Target
b40701c5063a64941f1349a81569bb17.exe
-
Size
845KB
-
MD5
b40701c5063a64941f1349a81569bb17
-
SHA1
7dc15f4095254976c893cb259d6335e26bbbb38e
-
SHA256
c95a2621b681fd189ae9c5eb45ca5dd4ecd148f15541d053963ae79e387a1e64
-
SHA512
e6f56a7eb214690b4b747de69e94721bd372a46960807848e54d94db015b1f0f3c1fab8fc697ff33b709cb262429bd4a0d23dfd75b05c760dda92436f7780cf1
-
SSDEEP
12288:ZMMpXKb0hNGh1kG0HWnAOERhC1sltHlYahyxd7iixf18Hm1JH:ZMMpXS0hN0V0H6ER2IHyeE7iixWHm1JH
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | b40701c5063a64941f1349a81569bb17.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | HelpMe.exe
Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
resource | yara_rule
behavioral1/files/0x000900000001224e-2.dat | aspack_v212_v242
behavioral1/files/0x0010000000015e29-38.dat | aspack_v212_v242
behavioral1/files/0x0001000000000026-55.dat | aspack_v212_v242
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b40701c5063a64941f1349a81569bb17.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | HelpMe.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | b40701c5063a64941f1349a81569bb17.exe
Executes dropped EXE 1 IoCs
pid | Process
2968 | HelpMe.exe
Loads dropped DLL 2 IoCs
pid | Process
2332 | b40701c5063a64941f1349a81569bb17.exe
2332 | b40701c5063a64941f1349a81569bb17.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only), grouped by process (46 IoCs in total, 23 per process; every drive letter except C:, D: and F:)
b40701c5063a64941f1349a81569bb17.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
HelpMe.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops autorun.inf file 1 TTPs 3 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AUTORUN.INF | b40701c5063a64941f1349a81569bb17.exe
File opened for modification | C:\AUTORUN.INF | b40701c5063a64941f1349a81569bb17.exe
File opened for modification | F:\AUTORUN.INF | HelpMe.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\HelpMe.exe | b40701c5063a64941f1349a81569bb17.exe
File created | C:\Windows\SysWOW64\HelpMe.exe | HelpMe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2332 wrote to memory of 2968 | 2332 | b40701c5063a64941f1349a81569bb17.exe | 28
PID 2332 wrote to memory of 2968 | 2332 | b40701c5063a64941f1349a81569bb17.exe | 28
PID 2332 wrote to memory of 2968 | 2332 | b40701c5063a64941f1349a81569bb17.exe | 28
PID 2332 wrote to memory of 2968 | 2332 | b40701c5063a64941f1349a81569bb17.exe | 28
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b40701c5063a64941f1349a81569bb17.exe"
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2332
Level 2 (child of PID 2332): C:\Windows\SysWOW64\HelpMe.exe
Command line: C:\Windows\system32\HelpMe.exe
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2968
-
Network
MITRE ATT&CK Enterprise v15
Downloads