Malware Analysis Report

2025-08-10 19:53

Sample ID 250703-gmhwhsfl91
Target 4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae
SHA256 4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae
Tags
discovery persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae

Threat Level: Known bad

The file 4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae was found to be: Known bad.

Malicious Activity Summary

discovery persistence

Modifies WinLogon for persistence

Executes dropped EXE

Drops startup file

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:55

Reported

2025-07-03 05:57

Platform

win10v2004-20250610-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe HelpMe.exe" | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk | C:\Windows\SysWOW64\HelpMe.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\HelpMe.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | F:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\AUTORUN.INF | C:\Windows\SysWOW64\HelpMe.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe | N/A
File created | C:\Windows\SysWOW64\HelpMe.exe | C:\Windows\SysWOW64\HelpMe.exe | N/A
File opened for modification | C:\Windows\SysWOW64\HelpMe.exe | C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe | N/A
File created | C:\Windows\SysWOW64\notepad.exe.exe | C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe | C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\HelpMe.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe

"C:\Users\Admin\AppData\Local\Temp\4f0fe53b09465d94dcf4dd5616d8158fd43698de9ce4537364517903bf5e8eae.exe"

C:\Windows\SysWOW64\HelpMe.exe

C:\Windows\system32\HelpMe.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.179.227:80 | c.pki.goog | tcp

Files

memory/5160-0-0x0000000002210000-0x0000000002211000-memory.dmp

memory/5160-1-0x0000000000460000-0x0000000000461000-memory.dmp

C:\Windows\SysWOW64\HelpMe.exe

MD5 f00c97ff6b429e518b3b1eaa5c072d4c
SHA1 951dfbb4f8b4ce25ccef61bbabf450c4a11bdc36
SHA256 3bc026023f0d9b85e3f3c1c6304e24ab83076136d5ccdcdf857f3f7d901b60d8
SHA512 676b2b57d517f22f7f982696b8324f27583c8dc13a3028819c230827021b54f64e2cc7ac24793f12b78c1c0a8bc210bdb11a7c8b570844a1f70903e9a04c45ee

memory/3428-6-0x0000000000400000-0x000000000047C000-memory.dmp

C:\Program Files (x86)\Internet Explorer\iexplore.exe.exe

MD5 eecd0155de834257f3542978e7f7c386
SHA1 14d2d9c99da1522b2bb1763be528f421761db7c9
SHA256 bdb71b99d39b24e6d39ceb307070d15464c441c2188fa4373793e878a31390aa
SHA512 31093b09c6c63fe70a80139b6bd9828a041b252282fc51f2070d1e9a7134fb9b6ff0f0520002a74ff9faebf733360648c7b337d3f1b7cad224e39dc237bc286b

F:\AUTORUN.INF

MD5 ca13857b2fd3895a39f09d9dde3cca97
SHA1 8b78c5b2ec97c372ebdcef92d14b0998f8dd6dd0
SHA256 cfe448b4506a95b33b529efa88f1ac704d8bdf98a941c065650ead27609318ae
SHA512 55e5b5325968d1e5314527fb2d26012f5aae4a1c38e305417be273400cb1c6d0c22b85bddb501d7a5720a3f53bb5caf6ada8a7894232344c4f6c6ef85d226b47

C:\$Recycle.Bin\S-1-5-21-155457276-1657131288-1088518942-1000\desktop.ini.exe

MD5 5501abd7c6c0a773e668004cad4b0618
SHA1 6ddf7edc8346c9bcbb30daf91ff872a035649b46
SHA256 6b2f47a4033f541f5354eb5ff174978fec71dcec0da52d6a9b0bd642dce65cd0
SHA512 a90a0ed252b7ded9777eaac8f5fcfb7ee248156c1c5c7a1ce37ea373cd43cfe0b8497179caa120294a3c39f53f1633c25bee12338cb1afe6dcc0606b1a936c8f

memory/3428-56-0x0000000000400000-0x000000000047C000-memory.dmp