8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
Size

3.1MB
MD5

76b466c9387684239681d8774bb5956b
SHA1

ed773e756932dc3af27e235b4bf7993781665a92
SHA256

0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286
SHA512

d6b83126b27532e56c39b7253668a4540baf29916105955937132c01fc11096b297f7abe545094823cac2c0e65fcf2282997e1bdb594d6fe99a342812d9bf42c
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCe:eEtl9mRda12sX7hKB8NIyXbacAfF

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
2296	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\N:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\O:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\V:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\W:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\E:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\U:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\Z:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\G:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\J:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\K:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\Y:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\H:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\X:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\A:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\I:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\P:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\Q:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\B:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\L:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\S:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\T:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\M:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\R:	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened for modification	C:\AUTORUN.INF	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2396	2296	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe	30
PID 2296 wrote to memory of 2396	2296	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe	30
PID 2296 wrote to memory of 2396	2296	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe	30
PID 2296 wrote to memory of 2396	2296	0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe	30

C:\Users\Admin\AppData\Local\Temp\0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe
"C:\Users\Admin\AppData\Local\Temp\0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.exe

Filesize
3.1MB

MD5
4b35dce9d4360796a0a5fc18cda1bdc5

SHA1
7d51d2b00cd138e028bbda99e4bb5c160475e3f7

SHA256
cfbd9345858a9fb05d933a22cde95cbaf963643e11f1d4978032ac5a89c0fcb3

SHA512
6b8ec8fe9cda9a67bd9a81e0ff59943c0f8faec68bb5d535198b5424b4603a73cfb4d109c8c3c957bf9731b12cc17d5416368b09dfcf0ade45f067fe92346d33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
1e7c3e1397dd279237eb6b1f03e1cf2a

SHA1
31b14da2e1530a1080e0e0105166147e3c690113

SHA256
737c4db9856e291a15f19889bb84c558075131094d4ed9af9f5df869a2f106d1

SHA512
aa90a10716d528f0e08cf15cab0d1c1cdfc0583a61c325160cb75c6fe5c34572e3875f8069bb8a84fcc21a51e58425148860e277237ecded95e080097f453e37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
1ca94d03d18f136ae45f0581a0f9b157

SHA1
14a7b87d3075f20a6799cdfe1480589c40bd99d1

SHA256
4ff4f857b8ed6f252b5a0132ecc75d396546a80e8ecc39a48c234121c4a3edca

SHA512
d8b57f8ec7993f0c996f9b58db99d8a59213fa423db5ee4ba54c312b63003662f41a9db70003823309c4f1106cb31d7eb791925e00f5db65fbf1fe3bdd881564

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
3.1MB

MD5
76b466c9387684239681d8774bb5956b

SHA1
ed773e756932dc3af27e235b4bf7993781665a92

SHA256
0c7da4e446a97f08bbf6c0abe987810047163150d70f0a282c2f7cea674d7286

SHA512
d6b83126b27532e56c39b7253668a4540baf29916105955937132c01fc11096b297f7abe545094823cac2c0e65fcf2282997e1bdb594d6fe99a342812d9bf42c

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
3.1MB

MD5
1ca3547597375e94e2c17039e0d693db

SHA1
8b191ecac7de53622974d5f941b007adcd42a2b1

SHA256
b8e8aa09788704de7a59f6a13f227b5731dcda91c4f8cd39ed4297745cbc3ea4

SHA512
30f25783b1e0904fdce6e862832ba6f64fb3cf17bb183b2aaae04e5950482a7c278e8e32618a43c2264006d6f8b222cb44019cff3879c4828f2d76057f43ab7d

Download Submit
memory/2296-11-0x0000000001EC0000-0x0000000001F3B000-memory.dmp

Filesize
492KB

Download
memory/2296-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2296-10-0x0000000001EC0000-0x0000000001F3B000-memory.dmp

Filesize
492KB

Download
memory/2296-231-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2296-2-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2296-236-0x0000000001EC0000-0x0000000001F3B000-memory.dmp

Filesize
492KB

Download
memory/2396-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2396-237-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2396-242-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads