Malware Analysis Report

2025-08-10 19:52

Sample ID 250703-gl7s9afl8z
Target 317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547
SHA256 317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547
Tags
discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547

Threat Level: Known bad

The file 317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547 was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:54

Reported

2025-07-03 05:57

Platform

win10v2004-20250610-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe

"C:\Users\Admin\AppData\Local\Temp\317d3f0b913fa35653a50b15e31250bedfbaab700497b33c58d3030bae088547.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/5308-0-0x0000000002310000-0x0000000002311000-memory.dmp

memory/5308-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 f00c97ff6b429e518b3b1eaa5c072d4c
SHA1 951dfbb4f8b4ce25ccef61bbabf450c4a11bdc36
SHA256 3bc026023f0d9b85e3f3c1c6304e24ab83076136d5ccdcdf857f3f7d901b60d8
SHA512 676b2b57d517f22f7f982696b8324f27583c8dc13a3028819c230827021b54f64e2cc7ac24793f12b78c1c0a8bc210bdb11a7c8b570844a1f70903e9a04c45ee

memory/5248-6-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 31cb5fb8948c3ff25125610f1326f45c
SHA1 5ffd58a8e180b6c2a57ba2db3daa7b84ed5e4d0d
SHA256 ee6b0ba23dd1ab0a8747ef707c2e3351cc26da67c38938ef88b496735f719d64
SHA512 d678a6a3e9f4ac80769673b16342c423f3c9c1fc9990429a872e4fc04339b9aceabf1908d61972f07808c516ee8b4879aa514e21f1b52783d00bf9dd5b71d29e

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-815616237-4012932787-4224613991-1000\desktop.ini.exe

MD5 443c912d7ec2ad749df738fd21c35b77
SHA1 c60e28d32a77cd3a0eeea14f1506bc01add9dc1b
SHA256 29299789d6b29c69dc7bf0e1ea51d7b5c768c67c231924d01b1bc267bd083067
SHA512 bd7a1ec8341bc3f05467567d12b33228f9189435be8f536cc279e7de40cbed27bcc5364c85f7b229528cf9b90127869ba9418866f8e0b1eb12fd718cad7a4a2a

memory/5248-56-0x0000000000400000-0x000000000047C000-memory.dmp