3d0c7b6dac64f9556777ce69cecf748fc962bee297194a2e58291ad10725d9cf

Analysis

max time kernel
146s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 12:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb6d3d33e4019bda4c89599f9eaeff42.exe
Size

958KB
MD5

cb6d3d33e4019bda4c89599f9eaeff42
SHA1

5df35c25236224ae136d212dbc5e9a6d21fa6ef3
SHA256

3d0c7b6dac64f9556777ce69cecf748fc962bee297194a2e58291ad10725d9cf
SHA512

4fca6c823f62353625a2a5de63e3c2f2dad1e4441c128ed62d7d46c55ae8c7460866d617c976e71184656dbf9f95289dff2d1bb8728fd795f365eddc17adc0de
SSDEEP

12288:Pp4pNfz3ymJnJ8QCFkxCaQTOl2KCsltHP:xEtl9mRda1MIHP

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	cb6d3d33e4019bda4c89599f9eaeff42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	cb6d3d33e4019bda4c89599f9eaeff42.exe

Executes dropped EXE 1 IoCs

pid	Process
3068	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	cb6d3d33e4019bda4c89599f9eaeff42.exe
2296	cb6d3d33e4019bda4c89599f9eaeff42.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\J:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\R:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\T:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\Z:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\G:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\L:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\O:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\Q:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\S:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\E:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\U:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\B:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\M:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\I:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\N:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\P:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\Y:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\H:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\K:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\V:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\X:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\W:	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened for modification	C:\AUTORUN.INF	cb6d3d33e4019bda4c89599f9eaeff42.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	cb6d3d33e4019bda4c89599f9eaeff42.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3068	2296	cb6d3d33e4019bda4c89599f9eaeff42.exe	28
PID 2296 wrote to memory of 3068	2296	cb6d3d33e4019bda4c89599f9eaeff42.exe	28
PID 2296 wrote to memory of 3068	2296	cb6d3d33e4019bda4c89599f9eaeff42.exe	28
PID 2296 wrote to memory of 3068	2296	cb6d3d33e4019bda4c89599f9eaeff42.exe	28

C:\Users\Admin\AppData\Local\Temp\cb6d3d33e4019bda4c89599f9eaeff42.exe
"C:\Users\Admin\AppData\Local\Temp\cb6d3d33e4019bda4c89599f9eaeff42.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini.exe

Filesize
959KB

MD5
0cb205e8a5bace1c94e635a0a1edb339

SHA1
10d6bf44546ec121ce73518a1d3f01dc2aaccb72

SHA256
264c0ebe0e6116f7bb9a403a622cd0a96c5d5d78a8b08b678504bbf6e733e55d

SHA512
01ebe1ced897111d507d9bbbb517890b0f30c862130c89be00729e2c13698d786e1892a0a7396fba7432c159207c375b17c85eb182a5c789a37c307b82405690

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1619fc1daafa93b65803391c43a70838

SHA1
7eff38e86efda225b17e1ffb23ae84c5f1f9fcd7

SHA256
a35e0d6d89727b40f9e9c2944451ebbfbd5654eb90d73b42fdce21d7d3f6080c

SHA512
61f58bc9c1c3acbff2f84e9fc43cb8fb05501d1c21cb8dd5fe2761d94a279e3dbff8f93580c81cbc8ce03f176fb5835d2b89e2189f94648fbc446cfb863979ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
8924145229d46cfceefdaaa0bfdfea8d

SHA1
7bbdcaa6b7187a5ba882fc81142baf54d39ef4fb

SHA256
93f1518265dfe1bf3671fc0e876b5bc88fddba7f1f095255b4b9ad8884fcc52e

SHA512
fdce75b39c9d0965adb282f424455262b94a58353aae809086960b36df3143403faf50e25bc8190c6a0052e142163d76eb03c78a0d5c120a93712130a553907e

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
958KB

MD5
cb6d3d33e4019bda4c89599f9eaeff42

SHA1
5df35c25236224ae136d212dbc5e9a6d21fa6ef3

SHA256
3d0c7b6dac64f9556777ce69cecf748fc962bee297194a2e58291ad10725d9cf

SHA512
4fca6c823f62353625a2a5de63e3c2f2dad1e4441c128ed62d7d46c55ae8c7460866d617c976e71184656dbf9f95289dff2d1bb8728fd795f365eddc17adc0de

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
953KB

MD5
dd15a872279dfe328a4228d5dd110192

SHA1
a61178f16ed1484558fc1b15c62abd7162ea8d36

SHA256
22d8df9d2e93842fa3ccea12fdec16701ef4e1978e90ba95cdac164d55db660b

SHA512
85ca80a3903cc7c50035964170d3035f3291fef19574a70f90e0d230bce70be2d0e44e3678883981d966567c5b2c99bf3c8f6b47f4730a4017a4a5de919b3562

Download Submit
memory/2296-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2296-74-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3068-9-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads