Resubmissions
05-03-2023 10:32  230305-mk95wagc54  10
26-02-2023 16:19  230226-tstleshc4z  10
26-02-2023 16:16  230226-tq2t1shc4s  10
26-02-2023 16:07  230226-tk2bashd66  10
26-02-2023 15:50  230226-taa2cshb61  10
26-02-2023 15:19  230226-sqhwgahc64  10
Analysis
max time kernel: 120s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-03-2023 10:32
Behavioral task behavioral1: Sample ChatgptHelper.exe, Resource win7-20230220-en
Behavioral task behavioral2: Sample ChatgptHelper.exe, Resource win10-20230220-en
Behavioral task behavioral3: Sample ChatgptHelper.exe, Resource win10v2004-20230220-en
General
Target: ChatgptHelper.exe
Size: 36KB
MD5: b50645ca6885b8f2dfd3571eae7afd1e
SHA1: 2bc22b2fe4b75825deff008634390661b7802de5
SHA256: 2a03b714a7d8a52e79746c1bb5fd0a08615f526d6390272d5678fa452846840a
SHA512: cd7eb7f8bbd4d3b30d7fd3d51f57f2202dbd3949463ec225df6b5c4c64f3cad9bb0f4e173c996cfde570877edf23600937ca5eaba8180083d92d9c83019338c0
SSDEEP: 384:of+Nb7LsikZ9zNf/1uyU71evdjsOaP0rAF+rMRTyN/0L+EcoinblneHQM3epzX4F:lNf4l1lU71e9FacrM+rMRa8Nu2Pt
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes:
  description                   ioc                                                                                                                  process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\330867499299d35c5dff831d5c393122.exe  ChatgptHelper.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\330867499299d35c5dff831d5c393122.exe  ChatgptHelper.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes:
  description                        pid  process
  Token: SeDebugPrivilege            748  ChatgptHelper.exe
  Token: 33                          748  ChatgptHelper.exe
  Token: SeIncBasePriorityPrivilege  748  ChatgptHelper.exe
  (the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair for pid 748 repeats 14 times; 29 entries in total)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                     pid  process            target process
  PID 748 wrote to memory of 872  748  ChatgptHelper.exe  netsh.exe
  PID 748 wrote to memory of 872  748  ChatgptHelper.exe  netsh.exe
  PID 748 wrote to memory of 872  748  ChatgptHelper.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ChatgptHelper.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ChatgptHelper.exe"
   - Drops startup file
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ChatgptHelper.exe" "ChatgptHelper.exe" ENABLE
      - Modifies Windows Firewall