Overview

overview

8

Static

static

3

Helper.exe

windows7-x64

8

Helper.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    40s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231025-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20231025-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    20-11-2023 02:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Helper.exe

  • Size

    71.3MB

  • MD5

    37f193256a418ea18205838b6e7a98b8

  • SHA1

    73a8f2f0f867a0f48e6d2dc6f0f301e79a3c30a4

  • SHA256

    85a34bd3ce9c605ee250254c813dc02128db524d2bb580a93877616e6c2c808c

  • SHA512

    29179f2690452c29e20ce8f646e36e77d19a0e2adebe3fa33897bc9a89c93af0ad1b2f8101ba0d799a7d42c7de2d0a6d769329e397f79e3a78b7de632c18ffc3

  • SSDEEP

    1572864:S/zHWSnAW8Iw8ZIG45r97DTJVj8/B62U9tTvov3UvhDb3AK:e2oAW8IwYUH7T2U9tTvovgxbwK

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Helper.exe
    "C:\Users\Admin\AppData\Local\Temp\Helper.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\SysWOW64\netsh.exe
      netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
      2⤵
      • Modifies Windows Firewall
      PID:2252
    • C:\Windows\SysWOW64\route.exe
      route.exe delete 95.141.193.133
      2⤵
        PID:4880
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2460
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /0
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3592

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsh71C6.tmp\nsExec.dll
        Filesize

        7KB

        MD5

        f27689c513e7d12c7c974d5f8ef710d6

        SHA1

        e305f2a2898d765a64c82c449dfb528665b4a892

        SHA256

        1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

        SHA512

        734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsh71C6.tmp\nsExec.dll
        Filesize

        7KB

        MD5

        f27689c513e7d12c7c974d5f8ef710d6

        SHA1

        e305f2a2898d765a64c82c449dfb528665b4a892

        SHA256

        1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

        SHA512

        734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsh71C6.tmp\nsExec.dll
        Filesize

        7KB

        MD5

        f27689c513e7d12c7c974d5f8ef710d6

        SHA1

        e305f2a2898d765a64c82c449dfb528665b4a892

        SHA256

        1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

        SHA512

        734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

        Download Submit

      • memory/3592-15-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-16-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-17-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-21-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-22-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-24-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-23-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-25-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-27-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3592-26-0x0000022FD8DE0000-0x0000022FD8DE1000-memory.dmp

        Filesize

        4KB

        Download