87b31ec2c015d829fddfa8fce46cc46f18c0adb1fc72b3b6262a4a7d2a0d81e1

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe
Size

81KB
MD5

7cfc504bd7e5547b93c156ab184bc250
SHA1

cc17ec1559b2743a5251a0422500a5603812bc77
SHA256

87b31ec2c015d829fddfa8fce46cc46f18c0adb1fc72b3b6262a4a7d2a0d81e1
SHA512

cb4e2ef26dc3cf63d4600d0a0bc178ff800b756dd8d2b3015174c501969fd9976e6f3110fb37b7d508ed9579100b5c6baa03b1ee0ef65ad53c33cbeaf9dbcac3
SSDEEP

1536:/Ao0+j2d6rnJqlIUSJnJBSX1nV1b1N1Il1k1YFI1x1J1MuEqx517Q/1T1Jzct01h:/AoVl4lXinJBSX1nV1b1N1Il1k1YFI1U

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2824	2004	NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe	85
PID 2004 wrote to memory of 2824	2004	NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe	85
PID 2004 wrote to memory of 2824	2004	NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7cfc504bd7e5547b93c156ab184bc250_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
82KB

MD5
868ef3351d9ab2aef4d0d4b394f38e67

SHA1
70dbf6dbf7a9c1bab7f04e84e97bb70287f12573

SHA256
ea62efc180677fb8cd942b9692bb5ed775042feeaa44d13c4a932254a20263a9

SHA512
76f6dfe0d764f15847c3442e856bfacb628a44326539a56d17ee45ac843d57535edda9974722cba008eab6d9eb2f4d6f8e3be4498091de2c4b1b6da960abf621

Download Submit
C:\Windows\microsofthelp.exe

Filesize
82KB

MD5
868ef3351d9ab2aef4d0d4b394f38e67

SHA1
70dbf6dbf7a9c1bab7f04e84e97bb70287f12573

SHA256
ea62efc180677fb8cd942b9692bb5ed775042feeaa44d13c4a932254a20263a9

SHA512
76f6dfe0d764f15847c3442e856bfacb628a44326539a56d17ee45ac843d57535edda9974722cba008eab6d9eb2f4d6f8e3be4498091de2c4b1b6da960abf621

Download Submit
memory/2004-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2004-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2824-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2824-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads