7a9e066c0531757c59af6eb5068f9a9038993897c0fe1c31bee23ece8542f7f6

Analysis

max time kernel
172s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.338ffd29f41a9a69bca827a445b13f4c.exe
Size

71KB
MD5

338ffd29f41a9a69bca827a445b13f4c
SHA1

6a7e3152b23cba5d73dcc45edd9e0d1f619e11ba
SHA256

7a9e066c0531757c59af6eb5068f9a9038993897c0fe1c31bee23ece8542f7f6
SHA512

53ca5302bf573272f751ac4a63ac434838d910135a9da5ca7b287ae9e5e406af2ff9a5f08608350fb3146a2c95568dc78d61f5eec367f0d9992fb832410e36c9
SSDEEP

1536:/Ao0+j2d6rnJqlIUSJn3m2GnNCyuaMeFg8kVQ+SvMupWsZZZNF01Lryhv1g1s1Ep:/AoVl4lXin3m2GnNCyuaMeFg8kVQ+Sv6

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1352	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1352	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	NEAS.338ffd29f41a9a69bca827a445b13f4c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	NEAS.338ffd29f41a9a69bca827a445b13f4c.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 1352	1576	NEAS.338ffd29f41a9a69bca827a445b13f4c.exe	89
PID 1576 wrote to memory of 1352	1576	NEAS.338ffd29f41a9a69bca827a445b13f4c.exe	89
PID 1576 wrote to memory of 1352	1576	NEAS.338ffd29f41a9a69bca827a445b13f4c.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.338ffd29f41a9a69bca827a445b13f4c.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.338ffd29f41a9a69bca827a445b13f4c.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
71KB

MD5
67e52bc03abc896ffd9930d80b7397b4

SHA1
651d8b2b2eb32042b36f8c57b9fb4b1b339bcb8e

SHA256
fe42d4430f5f10a35f4dcfe9b7d815dfba794bbff9a82af022ed9298c3dc9286

SHA512
41b6d8e767d45278b1f029ab7e65b235e1722f9551aa7b5a041fd59232c317efe2288d1067c3be49bedd47a4c441568ea3c90742dc6321de520be0ff3af950b1

Download Submit
C:\Windows\microsofthelp.exe

Filesize
71KB

MD5
67e52bc03abc896ffd9930d80b7397b4

SHA1
651d8b2b2eb32042b36f8c57b9fb4b1b339bcb8e

SHA256
fe42d4430f5f10a35f4dcfe9b7d815dfba794bbff9a82af022ed9298c3dc9286

SHA512
41b6d8e767d45278b1f029ab7e65b235e1722f9551aa7b5a041fd59232c317efe2288d1067c3be49bedd47a4c441568ea3c90742dc6321de520be0ff3af950b1

Download Submit
memory/1352-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1576-0-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1576-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads