8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
Size

2.4MB
MD5

a949330481ec49db59a0406c4deebee4
SHA1

f2c8921b8acf3779f05679f51c279c120fb48919
SHA256

0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2
SHA512

13763fa20ad8fb76fc86168fe5c2fed13b76eb4831a251cb1c43431d03e43f6f14b89372d24137883717e15f3d14b8e7e7c651ae99364a35d6966a01a50bfb14
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCL:eEtl9mRda12sX7hKB8NIyXbacAfU

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe

Executes dropped EXE 1 IoCs

pid	Process
1280	HelpMe.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
2388	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\I:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\K:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\T:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\N:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\P:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\Q:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\U:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\J:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\O:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\Z:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\G:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\Y:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\W:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\X:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\A:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\B:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\E:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\M:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\V:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe
File opened (read-only)	\??\L:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\R:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\S:	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened (read-only)	\??\A:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\AUTORUN.INF	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened for modification	C:\AUTORUN.INF	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HelpMe.exe	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 1280	2388	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe	30
PID 2388 wrote to memory of 1280	2388	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe	30
PID 2388 wrote to memory of 1280	2388	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe	30
PID 2388 wrote to memory of 1280	2388	0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe	30

C:\Users\Admin\AppData\Local\Temp\0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe
"C:\Users\Admin\AppData\Local\Temp\0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\SysWOW64\HelpMe.exe
  C:\Windows\system32\HelpMe.exe
  2⤵
  - Modifies WinLogon for persistence
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3434294380-2554721341-1919518612-1000\desktop.ini.exe

Filesize
2.4MB

MD5
0b61a3e1c2f303c5e939f1830354b677

SHA1
623b0796400c5726e4c58c381e7c9d1163bf12cb

SHA256
6311e348f87fb9a6c64d36995ad4a884915b735510578ad7e71a8ffb5e7b6bc0

SHA512
c5affc74452f6d0beb39ade2393c68b050c8763ad74d8df7478c74d21589b2a72910fec7a0918410e5b305aff804417994aa65f0a728bf154f54471e9f2adfea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
1KB

MD5
df7304a1f684cefbac726b938d358dc6

SHA1
0759978c8f7eb5a2b42bfe707c6520c15e825a64

SHA256
d0f0541a6120ca1da03be189efb650ea44dcec9b3bf8dd04a4fd5eeffce23876

SHA512
9004e8c2bbd91680bb6b556dd7bf0e98d446de6c3575079e473123566accf55f18c546a7550909a997cf195cae40173cf7df81e9faf6ce8706fa68d5631f2625

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

Filesize
954B

MD5
cb560f744addd5b75e82d0fdd9f13d5d

SHA1
000998288089f6f46956ee66173e04eb566dd15c

SHA256
a0a53b0fc5f1e0a844ecc32c41722419eed6bc6825fe4fcf012d2242dd1dfcd9

SHA512
7ed4801945c617236a0e19ad5a36982ab9b9c65d404b252271d7322901a47b3b54ac515675cd58da5a6a4cd356d51a2851c9cdde4453db69a0ed815bf101df2b

Download Submit
F:\AUTORUN.INF

Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe

Filesize
2.4MB

MD5
a949330481ec49db59a0406c4deebee4

SHA1
f2c8921b8acf3779f05679f51c279c120fb48919

SHA256
0cb554caafe5c2d40c1f882ca04710752194ebf300e0050bd7b7511312ae61b2

SHA512
13763fa20ad8fb76fc86168fe5c2fed13b76eb4831a251cb1c43431d03e43f6f14b89372d24137883717e15f3d14b8e7e7c651ae99364a35d6966a01a50bfb14

Download Submit
\Windows\SysWOW64\HelpMe.exe

Filesize
2.4MB

MD5
66dcb9b3c37209f6e6a91a7f1c09db6f

SHA1
ed4e6522bac0f539a31ca31767ea5a304ae05c11

SHA256
45a3ceeef1652cb94b4bbd60ed09d6ccacef264708f5d11c305e9cf0a2556d68

SHA512
9f0358e2c9861ba95f9dddc698b179732f7b7fb90aa9b28938c69f4831571b2a302f0d48d62f685378f11f4da816a07243538cd748bd6d40bc92e58a1ae88bd7

Download Submit
memory/1280-12-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1280-14-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1280-242-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2388-11-0x0000000001E60000-0x0000000001EDB000-memory.dmp

Filesize
492KB

Download
memory/2388-2-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2388-10-0x0000000001E60000-0x0000000001EDB000-memory.dmp

Filesize
492KB

Download
memory/2388-236-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2388-1-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2388-241-0x0000000001E60000-0x0000000001EDB000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads