8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
Size

3.7MB
MD5

fcd18971f21cfd63598d5b3dec2b7a53
SHA1

8ad7f39746f236c606ebeaf1e085cadcaa7b35e5
SHA256

001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead
SHA512

d344fb8164907c772e40721ae9d7485a68deb34366c3161fe7f08bf552286a1b3f5cdb46092e7d8646d7eff3556f3196bcacc0f0716c3a6d062fd212a9351cf4
SSDEEP

24576:eEtl9mRda12sX7B9NRdpkhtIShJVVTyJNPtz:9Es1R3DCjVyB

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe

Executes dropped EXE 1 IoCs

pid	Process
1788	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
388	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
388	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\I:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\M:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\O:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\S:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\A:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\P:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\G:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\H:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\W:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\J:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\N:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\T:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\Y:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\B:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\Q:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\U:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\V:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\X:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\Z:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\K:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\L:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\R:	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\AUTORUN.INF	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe
File opened for modification	F:\AUTORUN.INF	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 1788	388	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe	31
PID 388 wrote to memory of 1788	388	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe	31
PID 388 wrote to memory of 1788	388	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe	31
PID 388 wrote to memory of 1788	388	001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe	31

C:\Users\Admin\AppData\Local\Temp\001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe
"C:\Users\Admin\AppData\Local\Temp\001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.exe

Filesize
3.7MB

MD5
90e5aadce0db40f31931641615f221a2

SHA1
6a5155e01a8f454f31d639d146c812d07c6debf6

SHA256
14a43dcdc7458cde75bb7816af851f93aeab484092e6f4ef5b986bb3c441003e

SHA512
beb14e3b9150b80a15f367c6a963138b0e4dfc39df2f0e728f3a63422e8a70c6593c9272ef57e99085f29eade1d10990e186d8dcd5bd6af36b238d93cfca762c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
29bfcf63b660081f458baf7afd087afe

SHA1
65e3b2dd3e38aff620ec4304ba059edb2cff08e2

SHA256
97f82b50781a7d46293d86df708dc9fc94c47d993face581da66fce9e7eb6394

SHA512
a434071bb9bb65d9fba3ee8b88eae2827f4c30a2303eec65b2bf6639edfc3797d18af8ee967b4295aa0e92cead31ba7bf0cfdb667419d4fb9e156f91d87ec134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
4a53107e3437d0fa14df0ab3495f57e6

SHA1
bd268b2c4034106e1e7cd6a0bdf983da32faffcf

SHA256
e534cec82df9346b6abf4cc82e0f693e0cecf796b439293260584f965d2f649c

SHA512
cb11a72bca796ab3007f49020671340474fcfc4cc87e21f71ffe352ecc393b7ea805fd5b5fe477ca01769ed8fc1f8a97fe5d96ca8aecf7f81d6577b958d550ca

Download Submit
C:\Windows\SysWOW64\HelpMe.exe

Filesize
3.7MB

MD5
d9b5d25a0e3339f906683069cfb9eec4

SHA1
4b6c4f324e9e3a7f0dcc97021f7d3bde7e761d84

SHA256
a8296a2a6ed82d19ac3d9f4de10632836eea449bdfd4d70dca243c0c6c80663d

SHA512
95b4cda812e9f0a59d5d06fb02b38e26a1e7cbcca1359c11bc3c3916f11c9f0a175ebb199a5d0b525adf6ce6f92e8c2523835d310d220e66a452699ddaf73b3a

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
3.7MB

MD5
fcd18971f21cfd63598d5b3dec2b7a53

SHA1
8ad7f39746f236c606ebeaf1e085cadcaa7b35e5

SHA256
001a09a29deab5195eda46bad91e51b234655325b641e211ed8234e934956ead

SHA512
d344fb8164907c772e40721ae9d7485a68deb34366c3161fe7f08bf552286a1b3f5cdb46092e7d8646d7eff3556f3196bcacc0f0716c3a6d062fd212a9351cf4

Download Submit
memory/388-12-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/388-10-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/388-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/388-232-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/388-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/388-237-0x0000000000340000-0x00000000003BB000-memory.dmp

Filesize
492KB

Download
memory/1788-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1788-14-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1788-238-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads