Malware Analysis Report

2025-08-10 19:53

Sample ID 250703-gm6ycafm21
Target b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf
SHA256 b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf
Tags discovery persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf

Threat Level: Known bad

The file b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-07-03 05:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-07-03 05:56

Reported 2025-07-03 05:58

Platform win10v2004-20250610-en

Max time kernel 145s

Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe"

Signatures

Modifies WinLogon for persistence (persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" C:\Windows\SysWOW64\HelpMe.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk C:\Windows\SysWOW64\HelpMe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\HelpMe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\HelpMe.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\HelpMe.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\AUTORUN.INF C:\Windows\SysWOW64\HelpMe.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe N/A
File created C:\Windows\SysWOW64\HelpMe.exe C:\Windows\SysWOW64\HelpMe.exe N/A
File opened for modification C:\Windows\SysWOW64\HelpMe.exe C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe N/A
File created C:\Windows\SysWOW64\notepad.exe.exe C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\HelpMe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe

"C:\Users\Admin\AppData\Local\Temp\b65fc816a150cf67400f3b736c5bd3a16c9402af72f7cb0bf7e40eed7b1fcddf.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/4536-0-0x00000000021E0000-0x00000000021E1000-memory.dmp

memory/4536-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 f00c97ff6b429e518b3b1eaa5c072d4c
SHA1 951dfbb4f8b4ce25ccef61bbabf450c4a11bdc36
SHA256 3bc026023f0d9b85e3f3c1c6304e24ab83076136d5ccdcdf857f3f7d901b60d8
SHA512 676b2b57d517f22f7f982696b8324f27583c8dc13a3028819c230827021b54f64e2cc7ac24793f12b78c1c0a8bc210bdb11a7c8b570844a1f70903e9a04c45ee

memory/1188-6-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 8caee687a6a759e3739ca5a55cfee189
SHA1 f7b37f65a4f2620ed5d2f96dac03cb07b0a9523e
SHA256 5deb1dc157c379adaaf874d9badb2859923dfbbb19a3a9e4ca6aac1ab4816f38
SHA512 7ac9803e9f372dffcd4e604a21e92b236515b44539e01be5d8511586360c4c9b4d628e65ee8c2a67445142ebdd6fa5ea0f5f4d9a59b289cc1bee70c6998e74d0

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-2866795425-63786011-2927312124-1000\desktop.ini.exe

MD5 9b99e6842f3d2e2c0c36ffcc2613d8f6
SHA1 428f538e10c4e4652ae17b883d01fcff84366849
SHA256 b892fb8eff26ee543844425795c8b0e8ca199d4b245588a234852412828d21ce
SHA512 2271b5953f6b17a02011da5493b0eeb8de6a16c85f96d67abb3bf1b2c0fd210ce33b85d0859db1a02d5e724b87e5b0b16db8134e1b288b55545c636a323fce36

memory/1188-56-0x0000000000400000-0x000000000047C000-memory.dmp