Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/03/2024, 06:06

General

  • Target

    bddbba7949dfac3270ae1c85d0be15c6.exe

  • Size

    2.7MB

  • MD5

    bddbba7949dfac3270ae1c85d0be15c6

  • SHA1

    97b91c0858fa69e1fb64a0522bad3424fc600bae

  • SHA256

    585d58ca3bce2905bcd30b6c5fa389cb30c5d157c071b9abf92d581d4ae33df0

  • SHA512

    72ef4498960f84f880c26630fe6dd102ebe91c927d86298b5ef5fdef9b0e71acdebe9de152c4a77edbbf74c4aedf90d7d4cffdd8e64a05261e99daed2ca6183e

  • SSDEEP

    12288:Tp4pNfz3ymJnJ8QCFkxCaQTOlOb47MMpXOW:tEtl9mRda1rMMpXOW

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity: the sample is encrypting files across the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bddbba7949dfac3270ae1c85d0be15c6.exe
    "C:\Users\Admin\AppData\Local\Temp\bddbba7949dfac3270ae1c85d0be15c6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:2224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.exe

    Filesize

    2.7MB

    MD5

    2e0276d5a13dd2c36f6feed9f081cfc1

    SHA1

    fd265de11bbf5732b88b23d54b327345ec5b5899

    SHA256

    22ea8ca2c9e243a071c5467a6ddaca334df0443795c9bbf44742f538ba1b9c33

    SHA512

    28a005c8b96c0e73a46c813534a4402e399554e4f72ac3f51af53a2459d1da7f7f3ea451143e3dff69d617c96d127e4e607f060e17569fcfd1b74a3e6b61efc5

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    c1e5deb177d6ff34245dcee12e48ecd8

    SHA1

    92e208107333a56b30991b369fa0af58ac94531d

    SHA256

    68ac6cd9b4790e89dd12bd9dee268d429da43a2bb1b6d89dff6cb6e96057c6c8

    SHA512

    d441cd7475c1197cff1463894c12f3b1bc5301aa8abd29ac064bdf162b144f9b8646d987b054016cb60d819260ed7af6a15a7abfa426b31441aae4b4a1e9a5f2

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    3209709813ecde35a022226b36085f4c

    SHA1

    8690ae022d80e0b81d6b2001d7e91e141bc1351b

    SHA256

    ca6c4af89c53b629a424e09f7952bca904f9a0b6f4de08905b94c07d822a950c

    SHA512

    6b14957371b43a0f023f1ec598d0a4bff0ef7ab236047f3a124f60d54c4d99caeb4d52c5191a9b81c44c6f6691c040cc2ec57952d952d748abfea791f181acf2

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    2.7MB

    MD5

    bddbba7949dfac3270ae1c85d0be15c6

    SHA1

    97b91c0858fa69e1fb64a0522bad3424fc600bae

    SHA256

    585d58ca3bce2905bcd30b6c5fa389cb30c5d157c071b9abf92d581d4ae33df0

    SHA512

    72ef4498960f84f880c26630fe6dd102ebe91c927d86298b5ef5fdef9b0e71acdebe9de152c4a77edbbf74c4aedf90d7d4cffdd8e64a05261e99daed2ca6183e

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    2.6MB

    MD5

    2eb9dc18e38873108445dec3f118f2c1

    SHA1

    8a22eabcdf213bf60b1cb01dfd4d4869cdc8e6b1

    SHA256

    fb410e41222bb2112364caa421a94cc835765c2c28bfb55d7437745f0974a8ba

    SHA512

    180fba59cba032366882f5c9c8980db7f286f4cfd6aec13471b80a30f5e02c5f816e1a90adac497619de86a199daec8b5a34a7bb65f926e6e495c8dcefe402c3

  • memory/2204-1-0x0000000000320000-0x0000000000321000-memory.dmp

    Filesize

    4KB

  • memory/2224-9-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB