8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
Size

3.2MB
MD5

debf24ccdc00420e4a88454338f1c726
SHA1

1674f180860cbe61b1cfc30c48582461ead73347
SHA256

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a
SHA512

7cc073387610f5a993ec53857563946b7779111a62c80aad338b0ebce8fe437bcaaf71767815aa439ad0f848b288b6d2f36b4543c42e25f048a9a3cd4689ac48
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCw:eEtl9mRda12sX7hKB8NIyXbacAfR

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

HelpMe.exe0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

2300 HelpMe.exe

pid	process
2300	HelpMe.exe

Loads dropped DLL 2 IoCs

Processes:

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe

pid	process
1840	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
1840	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\U:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\A:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\I:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\L:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\M:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\H:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\X:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\O:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\P:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\T:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\V:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\Y:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\E:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\G:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\K:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\R:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Q:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\S:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\Z:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\N:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\W:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\J:	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened for modification	C:\AUTORUN.INF	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe

description	pid	process	target process
PID 1840 wrote to memory of 2300	1840	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe	HelpMe.exe
PID 1840 wrote to memory of 2300	1840	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe	HelpMe.exe
PID 1840 wrote to memory of 2300	1840	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe	HelpMe.exe
PID 1840 wrote to memory of 2300	1840	0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe
"C:\Users\Admin\AppData\Local\Temp\0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:2300

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini.exe
Filesize
3.2MB

MD5
519835df1b213ce84f22ef8d852f040d

SHA1
1cfc9b62710033c7a0761501cce05465807f6d79

SHA256
96d8f1588e9ce7bac54788ea668dd01731b34e16e1372201d941c1f4aba3e9af

SHA512
847f7c0dcdbb7e67db3b15788c0b9f362d9ac497d416b94529dfdc6eba8ec13dd2020f146904fa16d5c4fb1de78b0d191006aa89b22a3431094f655482ebff11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
ea39e2b3b6b4cb15f0ed1ef7f4ac8c3a

SHA1
e1aed81a1b4b5f35b2eeee54e006677e64bb0db9

SHA256
db1ec6fd60e7c15803a3ca93c474b411f0d52a85114186dd695276c966206064

SHA512
5446464627c174fda79fc85b898f81ec95652ba016f60d6e3db6a61c341ae06c64519adfeb36e2b115902945df9cb5b96690ac9ca0bc1145877ae2a603b2b604

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
a82949e86408e082637b7bcb76beef8f

SHA1
49c8f83911289ccceb6bedebb7ba0b0a54206801

SHA256
d070f22e6a0982ed44f6b4a50cd7c0883d6fd258c051f21f18ff5300adc671c9

SHA512
4bfa93ae66bc0dbf290c3b9ec7b26b8e55818992dfce148f89ddecbadc7f94e63aee1069b8a6eb4ecdc7f85c165cdb6c3c912fe55b2695e1790c8e0a1a1dbc0b

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
3.2MB

MD5
debf24ccdc00420e4a88454338f1c726

SHA1
1674f180860cbe61b1cfc30c48582461ead73347

SHA256
0cad47e2dfd2538735f7affa42f9aad5d7bf453d88dbeb901e9b06fcae871e6a

SHA512
7cc073387610f5a993ec53857563946b7779111a62c80aad338b0ebce8fe437bcaaf71767815aa439ad0f848b288b6d2f36b4543c42e25f048a9a3cd4689ac48

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
2.9MB

MD5
1cb5e39354dd8eeac138f3cdbfe2a10b

SHA1
7b26c1677c85fc78c2a46894a73f4f8a99169466

SHA256
b997599749fe6eb114ec65cce2cc6ada341d111d36f59f8a23bfa54475c6e3cb

SHA512
cb36c798af08e585f75be9d183b6cde9dfff9c4d9d8629d50cdc9a5fdb6e8acc2151c860dfe436b96dbdf272fcc4f2d61fe94be904ecbb32d86fb5898778cbd3

Download Submit
memory/1840-10-0x0000000001EA0000-0x0000000001F1B000-memory.dmp

Filesize
492KB

Download
memory/1840-9-0x0000000001EA0000-0x0000000001F1B000-memory.dmp

Filesize
492KB

Download
memory/1840-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1840-78-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-183-0x0000000001EA0000-0x0000000001F1B000-memory.dmp

Filesize
492KB

Download
memory/1840-1-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2300-13-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2300-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2300-196-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2300-197-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads