85a34bd3ce9c605ee250254c813dc02128db524d2bb580a93877616e6c2c808c

Analysis

max time kernel
29s
max time network
18s
platform
windows7_x64
resource
win7-20231020-es
resource tags

arch:x64arch:x86image:win7-20231020-eslocale:es-esos:windows7-x64systemwindows
submitted
20/11/2023, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Helper.exe
Size

71.3MB
MD5

37f193256a418ea18205838b6e7a98b8
SHA1

73a8f2f0f867a0f48e6d2dc6f0f301e79a3c30a4
SHA256

85a34bd3ce9c605ee250254c813dc02128db524d2bb580a93877616e6c2c808c
SHA512

29179f2690452c29e20ce8f646e36e77d19a0e2adebe3fa33897bc9a89c93af0ad1b2f8101ba0d799a7d42c7de2d0a6d769329e397f79e3a78b7de632c18ffc3
SSDEEP

1572864:S/zHWSnAW8Iw8ZIG45r97DTJVj8/B62U9tTvov3UvhDb3AK:e2oAW8IwYUH7T2U9tTvovgxbwK

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1620	netsh.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	Helper.exe
2384	Helper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1620	2384	Helper.exe	28
PID 2384 wrote to memory of 1620	2384	Helper.exe	28
PID 2384 wrote to memory of 1620	2384	Helper.exe	28
PID 2384 wrote to memory of 1620	2384	Helper.exe	28
PID 2384 wrote to memory of 2828	2384	Helper.exe	30
PID 2384 wrote to memory of 2828	2384	Helper.exe	30
PID 2384 wrote to memory of 2828	2384	Helper.exe	30
PID 2384 wrote to memory of 2828	2384	Helper.exe	30

C:\Users\Admin\AppData\Local\Temp\Helper.exe
"C:\Users\Admin\AppData\Local\Temp\Helper.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\netsh.exe
  netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
  2⤵
  - Modifies Windows Firewall
  PID:1620
- C:\Windows\SysWOW64\route.exe
  route.exe delete 95.141.193.133
  2⤵
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nst81CE.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nst81CE.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
\Users\Admin\AppData\Local\Temp\nst81CE.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads