3cff68c67e8220843c6e7613ec22edf3547cc7c6b0c842fe40a6c38164b4b78c

Analysis

max time kernel
170s
max time network
140s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4e6ac1d8031585e3674c102640573980.exe
Size

87KB
MD5

4e6ac1d8031585e3674c102640573980
SHA1

18922fd527699091cf91e9fbb46349b7e3b17227
SHA256

3cff68c67e8220843c6e7613ec22edf3547cc7c6b0c842fe40a6c38164b4b78c
SHA512

233dddd801f3f91c65692b72b4f678dc5bf81a791eac867918a3d591e647828e9ccaaa8304cfd6dba4be3d22ee123eb8d956818f47853aec087043d0eb30f634
SSDEEP

1536:vAowfbJFgjQ284U+w2EwRzSIUqhwDKopH0njnIInjjnjjjjjjjnjjnjnjnP01EB9:vAowVFgjQiUkEwtSXqhwDKopH0njnIIV

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1704	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1704	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	NEAS.4e6ac1d8031585e3674c102640573980.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	NEAS.4e6ac1d8031585e3674c102640573980.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1704	2776	NEAS.4e6ac1d8031585e3674c102640573980.exe	29
PID 2776 wrote to memory of 1704	2776	NEAS.4e6ac1d8031585e3674c102640573980.exe	29
PID 2776 wrote to memory of 1704	2776	NEAS.4e6ac1d8031585e3674c102640573980.exe	29
PID 2776 wrote to memory of 1704	2776	NEAS.4e6ac1d8031585e3674c102640573980.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.4e6ac1d8031585e3674c102640573980.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4e6ac1d8031585e3674c102640573980.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
87KB

MD5
a247ecbe298d2d60803c5b40e1fa67ea

SHA1
9e133a761e261c21b97071f49f58671fdabdc00d

SHA256
89570b30ed3d8605da7b64cc638a62079c28d9e3839c448e92fdf7ab0de192b6

SHA512
b52d6d0f38360720fb069d82baec764871ecf99d242160cb54675b54b42fba275b50d7a415ae2510f35292ee86162dbb795ffca8a9c13cfcac26499ef17c4801

Download Submit
C:\Windows\microsofthelp.exe

Filesize
87KB

MD5
a247ecbe298d2d60803c5b40e1fa67ea

SHA1
9e133a761e261c21b97071f49f58671fdabdc00d

SHA256
89570b30ed3d8605da7b64cc638a62079c28d9e3839c448e92fdf7ab0de192b6

SHA512
b52d6d0f38360720fb069d82baec764871ecf99d242160cb54675b54b42fba275b50d7a415ae2510f35292ee86162dbb795ffca8a9c13cfcac26499ef17c4801

Download Submit
C:\Windows\microsofthelp.exe

Filesize
87KB

MD5
a247ecbe298d2d60803c5b40e1fa67ea

SHA1
9e133a761e261c21b97071f49f58671fdabdc00d

SHA256
89570b30ed3d8605da7b64cc638a62079c28d9e3839c448e92fdf7ab0de192b6

SHA512
b52d6d0f38360720fb069d82baec764871ecf99d242160cb54675b54b42fba275b50d7a415ae2510f35292ee86162dbb795ffca8a9c13cfcac26499ef17c4801

Download Submit
memory/1704-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1704-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2776-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2776-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads