Analysis
-
max time kernel
145s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250619-en -
resource tags
arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system -
submitted
03/07/2025, 05:24
Static task
static1
Behavioral task
behavioral1
Sample
7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe
Resource
win10v2004-20250619-en
General
-
Target
7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe
-
Size
1.2MB
-
MD5
b69cfd3a70cab7ff198de7278fa73215
-
SHA1
5442b778c74b6b5543706d632231e0768701e350
-
SHA256
7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d
-
SHA512
10a1fc215aa40f087293a8456c4293ebcaa32a9b9606b77c1c118c7cef3bfb684e82040108de77c74a29664bfa973b94ae1dcb5fca88dfa90b3e2a571944a29a
-
SSDEEP
12288:Ip4pNfz3ymJnJ8QCFkxCaQTOlOM64v0ljB6ZK1sndrQ1cDfbjUNF96pifZa4WIYO:iEtl9mRda1lywZK1V1qfUWv4WINuI3
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" HelpMe.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk HelpMe.exe -
Executes dropped EXE 1 IoCs
pid Process 4252 HelpMe.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: HelpMe.exe File opened (read-only) \??\K: HelpMe.exe File opened (read-only) \??\M: HelpMe.exe File opened (read-only) \??\N: HelpMe.exe File opened (read-only) \??\U: HelpMe.exe File opened (read-only) \??\Y: HelpMe.exe File opened (read-only) \??\G: HelpMe.exe File opened (read-only) \??\I: HelpMe.exe File opened (read-only) \??\L: HelpMe.exe File opened (read-only) \??\W: HelpMe.exe File opened (read-only) \??\E: HelpMe.exe File opened (read-only) \??\H: HelpMe.exe File opened (read-only) \??\P: HelpMe.exe File opened (read-only) \??\Q: HelpMe.exe File opened (read-only) \??\S: HelpMe.exe File opened (read-only) \??\T: HelpMe.exe File opened (read-only) \??\X: HelpMe.exe File opened (read-only) \??\A: HelpMe.exe File opened (read-only) \??\J: HelpMe.exe File opened (read-only) \??\O: HelpMe.exe File opened (read-only) \??\R: HelpMe.exe File opened (read-only) \??\V: HelpMe.exe File opened (read-only) \??\Z: HelpMe.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\AUTORUN.INF HelpMe.exe File opened for modification C:\AUTORUN.INF HelpMe.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\HelpMe.exe 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe File created C:\Windows\SysWOW64\HelpMe.exe HelpMe.exe File opened for modification C:\Windows\SysWOW64\HelpMe.exe 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe File created C:\Windows\SysWOW64\notepad.exe.exe 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HelpMe.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1620 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe 1620 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1620 wrote to memory of 4252 1620 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe 85 PID 1620 wrote to memory of 4252 1620 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe 85 PID 1620 wrote to memory of 4252 1620 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe"C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\HelpMe.exeC:\Windows\system32\HelpMe.exe2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4252
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
542KB
MD59e9226f6c0f4e764ef38070118c0c873
SHA19fad272d8773c7588b0e830f40a3182f6ee64b17
SHA256e41d7237c4599b6287f6bb8d314e43216240e10f18d5ae1c22d718aa51d1684c
SHA5128e69b66b2f771b8509e4629fd40ae19c52c4dd34bcbe8370c5e4873d291c40a357b97ce605e0e7f6f09eed79ebc85d07ef1bb73f6dd677d4d5d7b21e7129f4a3
-
Filesize
2.0MB
MD54db0b7f2f17377b8204d84c36f59c3dd
SHA18816ec891c5148b0632502be4d60061d77ee607b
SHA256156889a74a3f4b7f44f77dd2b94b5d3a5df2563ba6d46db31723274ee64489da
SHA512f25b94be3c0ef9855d8e2d38895236166205bde5e5b2e5634c2e69cedf6300efff7fcc1c03c43d9f32c6a9b9fa252bad5e34d3df6bfc26ef222f721045dbddf5
-
Filesize
541KB
MD5d2a480c6b868400f6820f95246df35d3
SHA1fe4df3542d779584c17e5ab5cc74e239059a6976
SHA256ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03
SHA512c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf
-
Filesize
145B
MD5ca13857b2fd3895a39f09d9dde3cca97
SHA18b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA51255e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47