Analysis

  • max time kernel
    145s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-07-2024 09:29

General

  • Target

    2b245f773b616b41fc7eb3026a5216e1b792a32ef2e833800e2f3b300b3498bb.exe

  • Size

    2.4MB

  • MD5

    1aaee486a62300dd74c2d236a4945527

  • SHA1

    0a22357d6c3ccf5a3a5dbabf6e7ad874e97c1b46

  • SHA256

    2b245f773b616b41fc7eb3026a5216e1b792a32ef2e833800e2f3b300b3498bb

  • SHA512

    27f681dadcab2646c3e831af145c2faac9b9265a46f3b027f9824519a9ba60912b277b4bfb90aa3d9fe989961667019353af09546bfdd0b850d656323df47643

  • SSDEEP

    12288:sp4pNfz3ymJnJ8QCFkxCaQTOlPes5Z76k/L/KB8NIpYJTCihq82WFpXKEVFA2MCG:eEtl9mRda12sX7hKB8NIyXbacAfh

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b245f773b616b41fc7eb3026a5216e1b792a32ef2e833800e2f3b300b3498bb.exe
    "C:\Users\Admin\AppData\Local\Temp\2b245f773b616b41fc7eb3026a5216e1b792a32ef2e833800e2f3b300b3498bb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:580
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini.exe

    Filesize

    2.4MB

    MD5

    e5ac00b7dd2aa36ad564ca95714e9bfc

    SHA1

    b581d7648ff378862b1f4c9f4b0bc243797b6414

    SHA256

    880a6e775cf40e227117b4214c92673c8f836de3d8082d9fcb17e7419a931572

    SHA512

    574af75b76167f185fbd038cd0a119ca0cb1705e0b0319099d299cf09885e71f8d0d3e82b874f2447bb43472c422d3b7d620758158a006245c9e93e478fa9396

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    22bd124824dbd4721b97913cc49a6a13

    SHA1

    92f427b5d7378e432a9625d9c7841435fcc84550

    SHA256

    3b524f1fb9bf4407471bee843da199e5debb4c29729ff3eaf8195862b2e9b5fa

    SHA512

    43c4ff4456e89b114d85fec68a19e65380ff65fea87f13f9dfffd501a98b348712a601626b9ae8542e65a0fd337d4713a1cfca6a08b969d241dc58b97b958316

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    950B

    MD5

    4771ecc12553754e8905b7f07b0307a5

    SHA1

    bbc09afb84335f682937bcc705ad4678896446dc

    SHA256

    c138f37f06b1b099accf48efe02ef717fe39038b1a4771c18f20bc6877114060

    SHA512

    f8f0397d9a266149715d35a2201b556bda610e56a807a170af5e747b4f191fdecd82fb2b5922ac1c54126e56b08ccbe2c14d248e5792b4349f2f5ce590097f34

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    2.4MB

    MD5

    1aaee486a62300dd74c2d236a4945527

    SHA1

    0a22357d6c3ccf5a3a5dbabf6e7ad874e97c1b46

    SHA256

    2b245f773b616b41fc7eb3026a5216e1b792a32ef2e833800e2f3b300b3498bb

    SHA512

    27f681dadcab2646c3e831af145c2faac9b9265a46f3b027f9824519a9ba60912b277b4bfb90aa3d9fe989961667019353af09546bfdd0b850d656323df47643

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    2.4MB

    MD5

    4796327bc25b1e0ba0996d9beb1ed3c0

    SHA1

    d188d6c3f3916d3a5206087aedbc40c06818f632

    SHA256

    d2b65de7c7a6c6a907d482ca4bedf20ab7e1d3e0acecc7a9aa37f582f9cd44dc

    SHA512

    90ee68c4999239ddcec4aae38c71cf4df86cd88b6cb1d2d29c4526dad62dd42e92558f2aa8581178b2e455b3734f9cc67c7d2caa661f6decb9e192a7bf348943

  • memory/332-246-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/332-11-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/332-17-0x0000000000300000-0x0000000000301000-memory.dmp

    Filesize

    4KB

  • memory/580-10-0x0000000001DD0000-0x0000000001E4B000-memory.dmp

    Filesize

    492KB

  • memory/580-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/580-239-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/580-244-0x0000000001DD0000-0x0000000001E4B000-memory.dmp

    Filesize

    492KB

  • memory/580-245-0x0000000001DD0000-0x0000000001E4B000-memory.dmp

    Filesize

    492KB

  • memory/580-1-0x0000000000310000-0x0000000000311000-memory.dmp

    Filesize

    4KB