8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
Size

2.8MB
MD5

dc2906e5bcdea645e2339b9f74027a20
SHA1

26f846b2ea394b0005f2254fb6d56d5534f467d8
SHA256

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268
SHA512

6e28b4e954eaa3f246ef334cd4adfd9e9af49e7fc782cf254b5934c93423b93b113195d8f98bad46587a5dca0e876f5888559bcd486c9599ae7e4fc13c47d100
SSDEEP

12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCo:eEtl9mRda12sX7hKB8NIyXbacAfT

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exeHelpMe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe"	HelpMe.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

Processes:

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exeHelpMe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	HelpMe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe

Executes dropped EXE 1 IoCs

Processes:

HelpMe.exe

pid process

1176 HelpMe.exe

pid	process
1176	HelpMe.exe

Loads dropped DLL 2 IoCs

Processes:

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe

pid	process
2472	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
2472	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exeHelpMe.exe

description	ioc	process
File opened (read-only)	\??\E:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\H:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\T:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\Y:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\E:	HelpMe.exe
File opened (read-only)	\??\G:	HelpMe.exe
File opened (read-only)	\??\M:	HelpMe.exe
File opened (read-only)	\??\R:	HelpMe.exe
File opened (read-only)	\??\S:	HelpMe.exe
File opened (read-only)	\??\U:	HelpMe.exe
File opened (read-only)	\??\J:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\P:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\U:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\X:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\H:	HelpMe.exe
File opened (read-only)	\??\O:	HelpMe.exe
File opened (read-only)	\??\I:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\L:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\N:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\R:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\W:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\B:	HelpMe.exe
File opened (read-only)	\??\N:	HelpMe.exe
File opened (read-only)	\??\Q:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\I:	HelpMe.exe
File opened (read-only)	\??\P:	HelpMe.exe
File opened (read-only)	\??\G:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\K:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\K:	HelpMe.exe
File opened (read-only)	\??\V:	HelpMe.exe
File opened (read-only)	\??\B:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\M:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\S:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\A:	HelpMe.exe
File opened (read-only)	\??\T:	HelpMe.exe
File opened (read-only)	\??\X:	HelpMe.exe
File opened (read-only)	\??\Y:	HelpMe.exe
File opened (read-only)	\??\Z:	HelpMe.exe
File opened (read-only)	\??\A:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\O:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\Q:	HelpMe.exe
File opened (read-only)	\??\W:	HelpMe.exe
File opened (read-only)	\??\V:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\Z:	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened (read-only)	\??\J:	HelpMe.exe
File opened (read-only)	\??\L:	HelpMe.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exeHelpMe.exe

description	ioc	process
File opened for modification	F:\AUTORUN.INF	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened for modification	C:\AUTORUN.INF	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File opened for modification	F:\AUTORUN.INF	HelpMe.exe

Drops file in System32 directory 2 IoCs

Processes:

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exeHelpMe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\HelpMe.exe	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
File created	C:\Windows\SysWOW64\HelpMe.exe	HelpMe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe

description	pid	process	target process
PID 2472 wrote to memory of 1176	2472	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe	HelpMe.exe
PID 2472 wrote to memory of 1176	2472	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe	HelpMe.exe
PID 2472 wrote to memory of 1176	2472	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe	HelpMe.exe
PID 2472 wrote to memory of 1176	2472	0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe	HelpMe.exe

C:\Users\Admin\AppData\Local\Temp\0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe
"C:\Users\Admin\AppData\Local\Temp\0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\HelpMe.exe
C:\Windows\system32\HelpMe.exe
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
PID:1176

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini.exe
Filesize
2.8MB

MD5
f5364b1ad642edd2583a5029c4d90cd7

SHA1
0963913d6999f0b3285724208cb27b48e71cbd11

SHA256
7de1ae4b05b1c44155cfd4a210689413053098d2486e0108118a32a4917cbb43

SHA512
8e986bfc7f9a50ff6baec0fb327fe7d8cf52ae7da01788cc49769d14439b6fbe09d301d563c5da9d9e5104da56254af11cf3aedd9d5b7aa727080ec1c059373a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
1KB

MD5
27c1c17e4b5001205e1681d9dadb29fb

SHA1
fc2bdff2cab20370bc8c75ffcda257647e6cbd91

SHA256
3b3590cd47521ef3d953ab122288065df3fc4d3d26088fc6215430357d0294db

SHA512
c5b4181171df1ddeef29be66524e8819bb615917a9399125dc6b24739398fd745592c1867841b66bf172724ebbe88ad0dd414a4ed4d835859099cf56bd8b7163

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
Filesize
954B

MD5
8cd3659c28547103a5a3e127858e2886

SHA1
9e8947d49771fb1dbb42b4820dd42980a2c4f971

SHA256
ce1a7bef7fd4c3de0ddf29ba3e3760593e11e8dd81021488fb8b2a7abc317bf3

SHA512
332e8fb5a801c7a4279ef58653bcc2576085a5a447aff3a60a7015084eef6654c7e112213a7d57ca0769278393e4d0baad19539b955aee8ece3153bbce57b599

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
F:\AUTORUN.INF
Filesize
145B

MD5
ca13857b2fd3895a39f09d9dde3cca97

SHA1
8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

SHA256
cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

SHA512
55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

Download Submit
F:\AutoRun.exe
Filesize
2.8MB

MD5
dc2906e5bcdea645e2339b9f74027a20

SHA1
26f846b2ea394b0005f2254fb6d56d5534f467d8

SHA256
0ec44257a6b4c2827476bae68cd30ecd9ccfb9395dac3671df6a1b65f20fb268

SHA512
6e28b4e954eaa3f246ef334cd4adfd9e9af49e7fc782cf254b5934c93423b93b113195d8f98bad46587a5dca0e876f5888559bcd486c9599ae7e4fc13c47d100

Download Submit
\Windows\SysWOW64\HelpMe.exe
Filesize
2.8MB

MD5
a718f62d99376ea4673829bad179f3bb

SHA1
052a98aa66c1257b3093af116870ee38def63e66

SHA256
b421b4d3e540d8a2fcedaa5cc651734de34d87a007e5e870e73623125b909f6d

SHA512
6d9d8b20c9632e023e25b167017b58dea373986acba0c198eef3014b15171fa9c7c61a8910f553ac9a2fb7d0a5507e13e21aad42f5b6ef5af033e2d8882d0f69

Download Submit
memory/1176-11-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1176-13-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1176-240-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2472-4-0x0000000000480000-0x00000000004FB000-memory.dmp

Filesize
492KB

Download
memory/2472-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2472-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2472-231-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads