Overview

overview

10

Static

static

3

b9bb3e1c84...c4.exe

windows7-x64

10

b9bb3e1c84...c4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07/03/2024, 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9bb3e1c8412ce9b1b1d24a4ac13afc4.exe

  • Size

    7.7MB

  • MD5

    b9bb3e1c8412ce9b1b1d24a4ac13afc4

  • SHA1

    a993ba6f5d152ee0b78e74143021c63f2236c6e1

  • SHA256

    8e979ef8a009755243a0020399ee0fc9075f7bc7285cabeebddc18645aecaa4d

  • SHA512

    f2d3a6125cd0b9f6d195340d28a71a5e112ef6562ac7ba51bdd47efd46bade066c60008c9a4c7219d66b149618092e607aa235d5ed0b6e561f6d20ffef3643b3

  • SSDEEP

    24576:xEtl9mRda1lKB8NIyXbacAfUSunEp+XRGEUvkXw6zezNFtcyyRvx+z94sY8W:iEs1IB8NIMI8Sfpwotkzaxc1OGz8W

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9bb3e1c8412ce9b1b1d24a4ac13afc4.exe
    "C:\Users\Admin\AppData\Local\Temp\b9bb3e1c8412ce9b1b1d24a4ac13afc4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1228

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2461186416-2307104501-1787948496-1000\desktop.ini.exe
    Filesize

    7.7MB

    MD5

    49f0a116bf396ca3c99c9fe7e24b4a48

    SHA1

    66c0db24d24bdc4a070b314a6e4fdc6cbb836725

    SHA256

    b49c8ce67c5a3501ef93098f492bb9d108b51f2b1021bf73e2e82430d84c5787

    SHA512

    e05fcadb6ed88953fdd5e5940fb622bb2363b4a936015abaf45832a320f51db59c7c1b23783bd242a7b314ed941cb67709ad1fb367702c2cf9e2e8a9b8cee0ec

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    84ef8e9c85020afc7140209eb12e624e

    SHA1

    a2afb62069eb032e1c55560cde0c23e810ca4cfc

    SHA256

    5771811aa16cd3492c73a698bd8cb8585c15fd48f1d20978732db6488077e2c4

    SHA512

    bf91a1ffb10205c380def5d80db9adead657bdf3a07ed3c9ca1a9838a4398fa1cbcfb91745ddc8e345e14fcc9fc4ce364cae2211c87a2c222449862c775638a5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    04924b062ca6a8bbba33e168eb5995cf

    SHA1

    82138a8754f762cba1db5564c44b8e6bee11b14f

    SHA256

    3e46198573368857ab9b845e65289b98e9b99e6ad0b63d6903fadca8c8fddb99

    SHA512

    e999eb7bf3c94cc4c940b4b76b9866de2e1e56384e59db78e659078390af5b19b5b07ab0cf0662b2410f0a830b5639fed1736e5f2a3370e68e5911a470b26787

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    4.6MB

    MD5

    74b01055fd10aa53d4788bbdba5dbd00

    SHA1

    e870431cca06a7d5d88684db25f57cf01644d7b5

    SHA256

    fb259eea7248154fde44e45da64da9bf10191b127ae1a601435aef8d44b01943

    SHA512

    ebcb6c4cba5139e80b64967275fa1bac513223d7540133986f9dfd4348f695706aa718c0b944035dd146e0e72b61c9bf6b9f0a7005057e54caf7357754a5f242

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    5.6MB

    MD5

    55821df842044ab6631f16b276132cde

    SHA1

    9205d11707ede43dc18acdf82feb491adc6eb4a1

    SHA256

    2d50a56971d04b49abc01ec8ae381adff8656150fd4f47d83d4f187c28ec79b5

    SHA512

    ce1424e9f8d9d2ab3db1b1e4558f2332433c85130d322dfd41af065f8431fab2f8ba59ff32e379071adcc71778e0a38067b1bc3d9e7043c1eee1aafcc8791297

    Download Submit

  • C:\Windows\SysWOW64\HelpMe.exe
    Filesize

    5.2MB

    MD5

    784030ede770a0fa1e122c2e647f3035

    SHA1

    90b76d8b8293c1bc0da3c8b24508fb4566d25bea

    SHA256

    afb32181909f6aedc47b1e207f8364ad2c9650790e676b57b71c7da53b7ba83d

    SHA512

    db56f16c840d2b00181b8bfcaab9b988ccbd1cece5427b535d912c2ac3c09de48f76629aa7c2db1ec9adc8e485a69de2d46d63181430ca97cc1aa51e5ff46f35

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    7.7MB

    MD5

    b9bb3e1c8412ce9b1b1d24a4ac13afc4

    SHA1

    a993ba6f5d152ee0b78e74143021c63f2236c6e1

    SHA256

    8e979ef8a009755243a0020399ee0fc9075f7bc7285cabeebddc18645aecaa4d

    SHA512

    f2d3a6125cd0b9f6d195340d28a71a5e112ef6562ac7ba51bdd47efd46bade066c60008c9a4c7219d66b149618092e607aa235d5ed0b6e561f6d20ffef3643b3

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    7.7MB

    MD5

    cf5795677b9a2a0ef81d6b644954607b

    SHA1

    728e525abd278bdd8a6b47547abe1ebad001def2

    SHA256

    b2ea8e85db09743c9af65ae32302fc5e9bcca127de9789e8af83897ef67791d0

    SHA512

    f13f83c611ecb63e514ecea98e092c36f0f8d5fe0fbddccf10df16e28e5e289533c786e42529d91f4caf4ec6ec5c17c181d127a55228ea72052d59bff3209b90

    Download Submit

  • memory/1228-10-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2952-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

    Download