Analysis

  • max time kernel
    145s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2025, 05:24

General

  • Target

    7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe

  • Size

    1.2MB

  • MD5

    b69cfd3a70cab7ff198de7278fa73215

  • SHA1

    5442b778c74b6b5543706d632231e0768701e350

  • SHA256

    7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d

  • SHA512

    10a1fc215aa40f087293a8456c4293ebcaa32a9b9606b77c1c118c7cef3bfb684e82040108de77c74a29664bfa973b94ae1dcb5fca88dfa90b3e2a571944a29a

  • SSDEEP

    12288:Ip4pNfz3ymJnJ8QCFkxCaQTOlOM64v0ljB6ZK1sndrQ1cDfbjUNF96pifZa4WIYO:iEtl9mRda1lywZK1V1qfUWv4WINuI3

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe
    "C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\SysWOW64\HelpMe.exe
      C:\Windows\system32\HelpMe.exe
      2⤵
      • Modifies WinLogon for persistence
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4252

Network

        MITRE ATT&CK Enterprise v16


        Downloads

        • C:\$Recycle.Bin\S-1-5-21-4144907350-1836498122-2806216936-1000\desktop.ini.exe

          Filesize

          542KB

          MD5

          9e9226f6c0f4e764ef38070118c0c873

          SHA1

          9fad272d8773c7588b0e830f40a3182f6ee64b17

          SHA256

          e41d7237c4599b6287f6bb8d314e43216240e10f18d5ae1c22d718aa51d1684c

          SHA512

          8e69b66b2f771b8509e4629fd40ae19c52c4dd34bcbe8370c5e4873d291c40a357b97ce605e0e7f6f09eed79ebc85d07ef1bb73f6dd677d4d5d7b21e7129f4a3

        • C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

          Filesize

          2.0MB

          MD5

          4db0b7f2f17377b8204d84c36f59c3dd

          SHA1

          8816ec891c5148b0632502be4d60061d77ee607b

          SHA256

          156889a74a3f4b7f44f77dd2b94b5d3a5df2563ba6d46db31723274ee64489da

          SHA512

          f25b94be3c0ef9855d8e2d38895236166205bde5e5b2e5634c2e69cedf6300efff7fcc1c03c43d9f32c6a9b9fa252bad5e34d3df6bfc26ef222f721045dbddf5

        • C:\Windows\SysWOW64\HelpMe.exe

          Filesize

          541KB

          MD5

          d2a480c6b868400f6820f95246df35d3

          SHA1

          fe4df3542d779584c17e5ab5cc74e239059a6976

          SHA256

          ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03

          SHA512

          c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf

        • F:\AUTORUN.INF

          Filesize

          145B

          MD5

          ca13857b2fd3895a39f09d9dde3cca97

          SHA1

          8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0

          SHA256

          cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae

          SHA512

          55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

        • memory/1620-0-0x0000000002200000-0x0000000002201000-memory.dmp

          Filesize

          4KB

        • memory/1620-1-0x0000000000460000-0x0000000000461000-memory.dmp

          Filesize

          4KB

        • memory/4252-6-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB

        • memory/4252-55-0x0000000000400000-0x000000000047C000-memory.dmp

          Filesize

          496KB
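The signatures above (Winlogon modification, startup and autorun.inf drops, the HelpMe.exe drop in System32) and the dropped-file list with its hashes together describe what this sample leaves on a host. The PowerShell script below is an added hunt example, not part of the sandbox report or the sample's code: it checks a Windows host for the dropped files at the paths the report records, compares their SHA256 to the report's values with Get-FileHash, looks for autorun.inf at the root of every non-system volume (the sandbox observed F:\AUTORUN.INF), and inspects the Winlogon Shell, Userinit and Taskman values. The report only says "Modifies WinLogon for persistence" without naming the value, so which values to check and the stock defaults they are compared against are assumptions. The HelpMe.exe path is taken from the process tree, where the 32-bit child's command line reads system32 but the file lands in SysWOW64 because of WOW64 file-system redirection; the $Recycle.Bin SID folder differs per host, so every SID folder is searched.

```powershell
# Added hunt script (not from the sandbox report). Report-derived values: paths and
# SHA256 hashes. Assumptions: which Winlogon values to inspect and their stock defaults.

$ReportHashes = @{
    'HelpMe.exe'       = 'ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03'
    'desktop.ini.exe'  = 'e41d7237c4599b6287f6bb8d314e43216240e10f18d5ae1c22d718aa51d1684c'
    'iexplore.exe.exe' = '156889a74a3f4b7f44f77dd2b94b5d3a5df2563ba6d46db31723274ee64489da'
    'AUTORUN.INF'      = 'cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae'
}

$findings = @()

# Returns a finding object when the path exists; the SHA256 is compared against the
# report so a same-named but different file is reported as "hash differs".
function Test-Artifact {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        $h     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $known = $ReportHashes[(Split-Path -Leaf $Path)]   # hashtable keys are case-insensitive
        $status = if ($known -and $h -eq $known) { 'SHA256 matches report' } else { 'present, hash differs from report' }
        [pscustomobject]@{ Artifact = $Path; Status = $status; SHA256 = $h }
    }
}

# 1. Dropped executables at the fixed paths from the process tree / Downloads list
$findings += Test-Artifact "$env:SystemRoot\SysWOW64\HelpMe.exe"
$findings += Test-Artifact "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe.exe"

# 2. desktop.ini.exe inside any user's $Recycle.Bin SID folder (SID varies per host)
Get-ChildItem -LiteralPath "$env:SystemDrive\`$Recycle.Bin" -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += Test-Artifact (Join-Path $_.FullName 'desktop.ini.exe') }

# 3. autorun.inf at the root of every non-system volume (the spreading vector the report flags)
Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -ne "$env:SystemDrive\" } |
    ForEach-Object { $findings += Test-Artifact (Join-Path $_.Root 'autorun.inf') }

# 4. Winlogon values. ASSUMPTION: the report does not name the modified value, so
#    Shell/Userinit/Taskman are compared against stock Windows 10 defaults.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Taskman  = ''
}
foreach ($v in $defaults.Keys) {
    $cur = (Get-ItemProperty -Path $wl -Name $v -ErrorAction SilentlyContinue).$v
    if ($cur -and $cur -ne $defaults[$v]) {
        $findings += [pscustomobject]@{ Artifact = "$wl\$v"; Status = "non-default value: $cur"; SHA256 = '' }
    }
}

# Drop the nulls produced by Test-Artifact calls that found nothing, then report.
$findings = @($findings | Where-Object { $_ })
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'No report artifacts found on this host.' }
```

Run it from an elevated prompt so $Recycle.Bin SID folders and HKLM are readable. A hash mismatch on a present file is still worth triage: the sample's droppers and the sandbox build can differ in timestamps or configuration, so the path and the Winlogon change are the stronger indicators, with the hashes confirming an exact match to this submission.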