Analysis

  • max time kernel: 146s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 15-03-2024 00:15

General

  • Target: c9ff8c75fcb257fc874d6f99e0b76255.exe
  • Size: 851KB
  • MD5: c9ff8c75fcb257fc874d6f99e0b76255
  • SHA1: 0693569792ca8798936dc41a017fa1478303f4cf
  • SHA256: 526eaa757a7decc4fc63c22a2e32a8300ffaba39fd9c892076bdde8d9478501d
  • SHA512: 6161fb87ee09eaf180a7fdb3b9df9707421749214b343f880d9f8b2b6ed2ab7be3543c5acd28f82e8bcd68ec64286621e24783d7c3f7682e3aa640ae7b071c25
  • SSDEEP: 12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KY4vbAfxu/F96sO0:xEtl9mRda1C4kfxuX6sO0

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  • Renames multiple (91) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Drops startup file (3 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops autorun.inf file (1 TTP, 3 IoCs)
    Malware can abuse Windows Autorun to spread further via attached volumes.
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9ff8c75fcb257fc874d6f99e0b76255.exe
    "C:\Users\Admin\AppData\Local\Temp\c9ff8c75fcb257fc874d6f99e0b76255.exe"
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID: 2404
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID: 2960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini.exe
    Filesize: 852KB
    MD5: 693a17037ab23904ecc7309c36e12eed
    SHA1: 6140cdcb5d2fe3fbc56392d473e9946be95fa168
    SHA256: 0db1b24dd90d6078cb3680d5e857b354a716ac5142f91790434d93f461bb61a4
    SHA512: ab6e980a973fd912a7137046c88ee298102b7e8433fbce85eb9bb726de65b8248a4fea306464e81f29837430b2b50e1c669e6c20bee0110ded559bcf591b35ea

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 950B
    MD5: 2a0c59647904ad28c312f6da2d1a2235
    SHA1: 1014b66b303338699e25c84327c81088e5c7fc57
    SHA256: b30cb49c7ca901b83f43bf73687e4587d25a70f2391ee71c05863ac2fcb0a6dc
    SHA512: 6593847c0432cb3b2e3ece462b28567a0cf582633790340df3f9978e3f1df927434051298c36a12c4b0f7b18da1438fe70e00ff0470ce30851bac4232e5b6372

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize: 1KB
    MD5: f4abef237cb99699191d5153febfc0be
    SHA1: b9b3957b6685cd2b8444fe2fb684829c20dbe992
    SHA256: c0a460d9fd5b7b1b68b41c695a84aff49e7acffbba46bd7877f81f1c051e78d8
    SHA512: c63279c0ce76acab41b4dd06eb8ba4d8087bba6044d109a38550e349c75b5b6c902e90a3bd822570a99bf113a4cae9943f5774cb147e6ba626ab777126cdc790

  • F:\AUTORUN.INF
    Filesize: 145B
    MD5: ca13857b2fd3895a39f09d9dde3cca97
    SHA1: 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
    SHA256: cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
    SHA512: 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe
    Filesize: 851KB
    MD5: c9ff8c75fcb257fc874d6f99e0b76255
    SHA1: 0693569792ca8798936dc41a017fa1478303f4cf
    SHA256: 526eaa757a7decc4fc63c22a2e32a8300ffaba39fd9c892076bdde8d9478501d
    SHA512: 6161fb87ee09eaf180a7fdb3b9df9707421749214b343f880d9f8b2b6ed2ab7be3543c5acd28f82e8bcd68ec64286621e24783d7c3f7682e3aa640ae7b071c25

  • \Windows\SysWOW64\HelpMe.exe
    Filesize: 851KB
    MD5: af495d66478ced061ddb07fc05d6ed89
    SHA1: d9f4e80cb8713fbe508d16fd309cf02321aa4d7e
    SHA256: 42d64779d58df3d6c444f6b3330a7308e9f035ba93cd21bd6c6acf2da3e80428
    SHA512: d666d0f3dc1b8ac44ae3da4204c1a6b794d4ecf1aae033b77d56f66570c69962e82505df58bc1345e3ce012a5d14cd4cf4cbc344b279baeb8ff6bb117396d457

  • memory/2404-0-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize: 4KB
  • memory/2404-236-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize: 4KB
  • memory/2960-9-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB
  • memory/2960-237-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize: 4KB