Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f3wxmshq31
Target 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d
SHA256 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d
Tags
discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d

Threat Level: Known bad

The file 7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:24

Reported

2025-07-03 05:26

Platform

win10v2004-20250619-en

Max time kernel

145s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe

"C:\Users\Admin\AppData\Local\Temp\7ac0ee9968818783364d570389d29d62522bd34da37c1062aa45d3bcff08f57d.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

Files

memory/1620-0-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1620-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 d2a480c6b868400f6820f95246df35d3
SHA1 fe4df3542d779584c17e5ab5cc74e239059a6976
SHA256 ef22c37beaa9aedda067bcdc4ea2f9cd8c772736645b6393319ce5036565ff03
SHA512 c025c2784d7e7f41ece0a2296407e964cda65b2c3a7d595cc48d4098846002d66f7373c8d4d955f0c3d88a3fb5837c1079d3ee034550658f0e50c82899f67faf

memory/4252-6-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 4db0b7f2f17377b8204d84c36f59c3dd
SHA1 8816ec891c5148b0632502be4d60061d77ee607b
SHA256 156889a74a3f4b7f44f77dd2b94b5d3a5df2563ba6d46db31723274ee64489da
SHA512 f25b94be3c0ef9855d8e2d38895236166205bde5e5b2e5634c2e69cedf6300efff7fcc1c03c43d9f32c6a9b9fa252bad5e34d3df6bfc26ef222f721045dbddf5

C:\$Recycle.Bin\S-1-5-21-4144907350-1836498122-2806216936-1000\desktop.ini.exe

MD5 9e9226f6c0f4e764ef38070118c0c873
SHA1 9fad272d8773c7588b0e830f40a3182f6ee64b17
SHA256 e41d7237c4599b6287f6bb8d314e43216240e10f18d5ae1c22d718aa51d1684c
SHA512 8e69b66b2f771b8509e4629fd40ae19c52c4dd34bcbe8370c5e4873d291c40a357b97ce605e0e7f6f09eed79ebc85d07ef1bb73f6dd677d4d5d7b21e7129f4a3

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

memory/4252-55-0x0000000000400000-0x000000000047C000-memory.dmp