b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe
Size

73KB
MD5

911045a70f8e4971bf1a43dd152c62e9
SHA1

22c7415fcabda4b28d5e74c056fd560075e07c7f
SHA256

b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d
SHA512

e7a086bb2239739fe8474024ef60292fa026b1b99f7a26d709ba8b24832c1bfd7b10c34cfc6bcf3da8fcaabeb803bb742635c6c1d0074af55fefe4a9b903cf31
SSDEEP

1536:vAowfbJFgjQ284U+w2EwRz/IUqX51n2n222n2n2222:vAowVFgjQiUkEwt/XqX51n2n222n2n2q

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1156	microsofthelp.exe

Deletes itself 1 IoCs

pid	Process
1156	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1156	1604	b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe	27
PID 1604 wrote to memory of 1156	1604	b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe	27
PID 1604 wrote to memory of 1156	1604	b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe	27
PID 1604 wrote to memory of 1156	1604	b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe	27

C:\Users\Admin\AppData\Local\Temp\b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe
"C:\Users\Admin\AppData\Local\Temp\b9c736a134d2262c7a3a28b1f8e622048fb8c74aad6825639ea4a4e2370ff54d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Windows directory
  PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
74KB

MD5
f864424efea231446721eeecf59cb284

SHA1
a0e1c905711d1dc30ee06fabcfe399457e773c26

SHA256
03eaf3eda61670f71bd193985cf7a933e969a417429769722ea0a2a5ea996287

SHA512
90a26443e0ad07377a0fd07cf38caff70057b96c33052f100c1b1c5f0c8fe60b74eb773431621958e2789c7650b5a5fd6004f3c01700425f563f099eb6c3d07d

Download Submit
C:\Windows\microsofthelp.exe

Filesize
74KB

MD5
f864424efea231446721eeecf59cb284

SHA1
a0e1c905711d1dc30ee06fabcfe399457e773c26

SHA256
03eaf3eda61670f71bd193985cf7a933e969a417429769722ea0a2a5ea996287

SHA512
90a26443e0ad07377a0fd07cf38caff70057b96c33052f100c1b1c5f0c8fe60b74eb773431621958e2789c7650b5a5fd6004f3c01700425f563f099eb6c3d07d

Download Submit
memory/1156-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1156-59-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1156-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1604-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download