470db6d8c9e3d77f8843c865971ea29430c4c035688c1a1a303e92d106813eb7

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 17:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.280a6f9dada57244d7c294e65b0214b0.exe
Size

93KB
MD5

280a6f9dada57244d7c294e65b0214b0
SHA1

2e29b7c582772a36169dfb13a49aca9d61d71153
SHA256

470db6d8c9e3d77f8843c865971ea29430c4c035688c1a1a303e92d106813eb7
SHA512

7e33541e8694cd731ecb39833e16dac3dac6823a32b6eb00ac057adae887db3b9c90bb0cb556f86a32a2d688758aa1dcb218021f0c1ce1a3ccf495fe7f4ec931
SSDEEP

1536:/Ao0+j2d6rnJqlIUSJnJBSX1nV1b1N1Il1k1YFI1x1J1MuEqx517Q/1T1Jzct01n:/AoVl4lXinJBSX1nV1b1N1Il1k1YFI16

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	NEAS.280a6f9dada57244d7c294e65b0214b0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	NEAS.280a6f9dada57244d7c294e65b0214b0.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 1264	3828	NEAS.280a6f9dada57244d7c294e65b0214b0.exe	39
PID 3828 wrote to memory of 1264	3828	NEAS.280a6f9dada57244d7c294e65b0214b0.exe	39
PID 3828 wrote to memory of 1264	3828	NEAS.280a6f9dada57244d7c294e65b0214b0.exe	39

C:\Users\Admin\AppData\Local\Temp\NEAS.280a6f9dada57244d7c294e65b0214b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.280a6f9dada57244d7c294e65b0214b0.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
93KB

MD5
aa21306be5ca6e8b13c2116d02c0a4ed

SHA1
0e9164eb04c59b80c9f608a23e29b67d10dddfa4

SHA256
2a92a4ed079331166c5486fc53f14065126343a2564b95d967a35522796017be

SHA512
49b607ce30dfc6a87ed7711a882aa339d53c815f30bed43dd2f9ef79ec51d9dfbc9fce4517ea22cdcec36ff1d1838b83087487075e17c8bcce2c21bf35ad3178

Download Submit
C:\Windows\microsofthelp.exe

Filesize
93KB

MD5
aa21306be5ca6e8b13c2116d02c0a4ed

SHA1
0e9164eb04c59b80c9f608a23e29b67d10dddfa4

SHA256
2a92a4ed079331166c5486fc53f14065126343a2564b95d967a35522796017be

SHA512
49b607ce30dfc6a87ed7711a882aa339d53c815f30bed43dd2f9ef79ec51d9dfbc9fce4517ea22cdcec36ff1d1838b83087487075e17c8bcce2c21bf35ad3178

Download Submit
memory/1264-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3828-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3828-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads