6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe
Size

77KB
MD5

1d7b2d0a6e67edebf25e9d85e1eca9e3
SHA1

ba2c711e403fd9c18855dd9b6da3cd839247ca17
SHA256

6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8
SHA512

1570cd1735aa2de2dba2be7136e0945ecf6819e10923f24d3390c767d23a706a2c2cdfde0518ccb77db6fac1690e06a446aec9cdced66f4a589f9d8a3e74d04f
SSDEEP

1536:vAowfbJFgjQ284U+w2EwRzSIUqhwDKopH0jnjnjnjjjnjjnjnjnjnjnjj:vAowVFgjQiUkEwtSXqhwDKopH0jnjnjL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
916	microsofthelp.exe

Deletes itself 1 IoCs

pid	Process
916	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 916	1632	6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe	27
PID 1632 wrote to memory of 916	1632	6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe	27
PID 1632 wrote to memory of 916	1632	6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe	27
PID 1632 wrote to memory of 916	1632	6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe	27

C:\Users\Admin\AppData\Local\Temp\6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe
"C:\Users\Admin\AppData\Local\Temp\6aebb6e3ad15b8774e1b8d54b6de723babc76e22ba13102f664e6bf0ee243ab8.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Windows directory
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
77KB

MD5
cc4c83d145bddb2aeac9c35ff98ea58a

SHA1
fdd2b13a0e0a46f6e7fe885a31d7f6871e3b0e12

SHA256
002f7019b1a025ee7a73b2093797bd3a30be38b5b5c7d1f695e2cbcc6a867b51

SHA512
6d8f97a36f06f42c76a89ebb38f1091e9c3c4101f7412395da156b9b8713e21ac427952629e9f7c880fe15dba2c607218b0aee927ffe6286160a27c847f8c83a

Download Submit
C:\Windows\microsofthelp.exe

Filesize
77KB

MD5
cc4c83d145bddb2aeac9c35ff98ea58a

SHA1
fdd2b13a0e0a46f6e7fe885a31d7f6871e3b0e12

SHA256
002f7019b1a025ee7a73b2093797bd3a30be38b5b5c7d1f695e2cbcc6a867b51

SHA512
6d8f97a36f06f42c76a89ebb38f1091e9c3c4101f7412395da156b9b8713e21ac427952629e9f7c880fe15dba2c607218b0aee927ffe6286160a27c847f8c83a

Download Submit
memory/916-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/916-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/916-60-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1632-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download