Overview

overview

10

Static

static

3

ddf487d4b6...5a.exe

windows7-x64

10

ddf487d4b6...5a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2024, 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddf487d4b60315d25797c4c3574ae35a.exe

  • Size

    585KB

  • MD5

    ddf487d4b60315d25797c4c3574ae35a

  • SHA1

    73f4bf705592ad1821849cebaecfcbace324d02f

  • SHA256

    421c49f4b1e116f828bef3be408bc50d89ea4117bcd8f36f98d523c9ee9c9a5c

  • SHA512

    e0fbbdb74e0e7408df9c7509f1e948c742c1a981aff0a345feb09b30e2b9e017e343c1efe2c93c58b476354381c9752984f33ecccd72a1911cc8c8f04aacaa48

  • SSDEEP

    6144:282p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBilZ:gp4pNfz3ymJnJ8QCFkxCaQTOl2GVqmA

Score
10/10
persistenceransomware

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddf487d4b60315d25797c4c3574ae35a.exe
    "C:\Users\Admin\AppData\Local\Temp\ddf487d4b60315d25797c4c3574ae35a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      PID:1200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini.exe
    Filesize

    586KB

    MD5

    11776b83ff220fc38a4c3a66acd925b2

    SHA1

    b2cf51ea68df3c8f9f06fe9ea6db458823cb83f0

    SHA256

    50223f33212049cf0ec83f73e42e39c9e3f2abc6e981326d10f263b211fff8ab

    SHA512

    273d1de427b8b1bf20364dedc0d8e691e06285cd133b6659b6cd6b8ece2d24f37a7da9f70cd572f6cfb02ff909be640255ee48e0341a1322c2184c6929899fd6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    1KB

    MD5

    ad36432fa6bdf1d3f7c41fb65d56fcb1

    SHA1

    e2f36f357257e830bb8f0fcceede4b5ebb4f2e0d

    SHA256

    af92ddd3fc6524f05a7b769301c258a5b70ee8464cf2c27c509d775f3d8d8050

    SHA512

    22c272063823bea96914548a9a3df5afae9e58a2bf5d47e7bb4c3f80eb5bcaf61fda5a055a127c074756040843513d88b6f99cb0b8f6367f0fc313662b0742e8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
    Filesize

    954B

    MD5

    7c9add111918a8e1d96ac78eba54668d

    SHA1

    99d7f589c2f438e91cfea32e71d2e93d2d925a14

    SHA256

    a13aaa93b9ec5462439eb1d5472e4288a2a130041509203c1920845cefc40f55

    SHA512

    7b325285531dd2d584e4ddbe6145ba4d020ca8ac2290ed0bb11a03c564ef4a1c970f6c53c8e11cbb70429b0fc6bec061f263e0ef51001ae4d940439dfed2291e

    Download Submit

  • F:\AUTORUN.INF
    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

    Download Submit

  • F:\AutoRun.exe
    Filesize

    585KB

    MD5

    ddf487d4b60315d25797c4c3574ae35a

    SHA1

    73f4bf705592ad1821849cebaecfcbace324d02f

    SHA256

    421c49f4b1e116f828bef3be408bc50d89ea4117bcd8f36f98d523c9ee9c9a5c

    SHA512

    e0fbbdb74e0e7408df9c7509f1e948c742c1a981aff0a345feb09b30e2b9e017e343c1efe2c93c58b476354381c9752984f33ecccd72a1911cc8c8f04aacaa48

    Download Submit

  • \Windows\SysWOW64\HelpMe.exe
    Filesize

    583KB

    MD5

    1ea62db8a5fa93c040e6f6fd93143943

    SHA1

    e30386b84592b10c0e0656663bde3253c085a744

    SHA256

    2c9cf0a30cbf561fa2117d13f6fd64aaf17a1f71f6ae973b3b50f2d1e19df42f

    SHA512

    899dc900bc474691e7c1fd1dfe53c72b5fabe1c9e2150871460cc122c76b741c4b29eca738653c7a30be50cf83c5ff40bcfd3601e1b0381bab3d21e9247a29d6

    Download Submit

  • memory/1200-13-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1200-11-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download

  • memory/1200-241-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download

  • memory/2192-0-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download

  • memory/2192-4-0x0000000002F10000-0x0000000002F89000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2192-227-0x0000000000400000-0x000000000047894E-memory.dmp

    Filesize

    482KB

    Download

  • memory/2192-240-0x0000000002F10000-0x0000000002F89000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2192-2-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download