Analysis

  • max time kernel
    145s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 06:42

General

  • Target

    e6cdef1da97ea607ea91155ef24a806e6e204b1b82e62768490541b335b53eb4.exe

  • Size

    632KB

  • MD5

    dce1689a2961ab5bfd7877861add364d

  • SHA1

    77b88b99120b9a7cb9aa62db0cb4e787f16697cd

  • SHA256

    e6cdef1da97ea607ea91155ef24a806e6e204b1b82e62768490541b335b53eb4

  • SHA512

    c54a8fc4568cb313d312b7f2899d8a9f60b5a3aea1fef223bea40772574eb916f5357225c9f8e87d11aad6632d35bc704ec563eb3ff1d9faea414fd731a72683

  • SSDEEP

    6144:382p4pFHfzMepymgWPnviP6Koa0nArn20l96tCF2eKNBDRlC8HQQDhy5OwbYBwNu:Tp4pNfz3ymJnJ8QCFkxCaQTOlOb4b1YI

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Renames multiple (91) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6cdef1da97ea607ea91155ef24a806e6e204b1b82e62768490541b335b53eb4.exe
    "C:\Users\Admin\AppData\Local\Temp\e6cdef1da97ea607ea91155ef24a806e6e204b1b82e62768490541b335b53eb4.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1385883288-3042840365-2734249351-1000\desktop.ini.exe

    Filesize

    633KB

    MD5

    f3b5302b17ce9a21e0ed0dcc7c85dc8d

    SHA1

    afac5b76c070e2ba24cf68691f4e98446e400897

    SHA256

    b883c56f97728154e9e03231f7c0033a4dd422a6b2a632e13b54b4b979460e3f

    SHA512

    25820184b7d13eb078d6792887490b28009ff56fe53e531e873444bc0fd241a5fa1aecbe738563c13c6a9e9d652b048ed6fdf3e4bb1becccc75aeb3550038ec8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    1KB

    MD5

    15d4ffb24b760df770cf9f48f7abb13c

    SHA1

    b22bbf93343d09c1e8bf8ce3df4fbe7c19cce031

    SHA256

    5930d84598e5e853ee1a38dde5e9149d28fbcd14b6cb3c2166edc5f55e2c1ad9

    SHA512

    3ab3e7bc9da0b712392094e2598882b8b7516076c7504484f3a32b7bcd64aafee9ba957d1bd52383159617aef68b499a6addc04780f718ed8dcdac2d6d19233f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk

    Filesize

    954B

    MD5

    b4a9776addba5fa47a15fd08764134c3

    SHA1

    387bb45c5887cb525f1de2c306d8f6663b77cff7

    SHA256

    358fa63e6ca87f61312e34b046e398bb11c6fca38a1e5387563c67b51402648a

    SHA512

    557ae726b513c4bd8c0eb3bf04d7203af748c861950f4ac4c40a45cc78e0aa7b7290309f15c87e01c0224d3b696a7f91946a589fad0e226de424dd4248c2fbc8

  • F:\AUTORUN.INF

    Filesize

    145B

    MD5

    ca13857b2fd3895a39f09d9dde3cca97

    SHA1

    8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

    SHA256

    cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

    SHA512

    55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

  • F:\AutoRun.exe

    Filesize

    632KB

    MD5

    dce1689a2961ab5bfd7877861add364d

    SHA1

    77b88b99120b9a7cb9aa62db0cb4e787f16697cd

    SHA256

    e6cdef1da97ea607ea91155ef24a806e6e204b1b82e62768490541b335b53eb4

    SHA512

    c54a8fc4568cb313d312b7f2899d8a9f60b5a3aea1fef223bea40772574eb916f5357225c9f8e87d11aad6632d35bc704ec563eb3ff1d9faea414fd731a72683

  • \Windows\SysWOW64\HelpMe.exe

    Filesize

    629KB

    MD5

    9684127af91aecf2c6e74ea0ce74f1e6

    SHA1

    aaf4d91ee6da80dd7661fb8a5b785d50ca1af750

    SHA256

    30b834e03361c871121f8fab656b0e8949921cb2bc962c91ae0d162849628363

    SHA512

    2c7cde327acaa347601b89780173a0e954947fc2f589d79ae4d800395ed350761d7f04a81c26ecd1a0e0c94492551bfe23169fa6c2ae502b37c2a9cec5b7f59e

  • memory/1676-10-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2552-1-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB