026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe
Size

22KB
MD5

ffb150a87285e14a4c341a963725f1b4
SHA1

a30728c9215c4a8ee23bb397c5bb90740692dbfb
SHA256

026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53
SHA512

78ef814b05545236f04363dfe6297aa4b7ebdbfb97443cb463e12bb0f1d7305f5de23db63323cf6326328f019d7497287dccb999608637e9fe6a340c9181f0a5
SSDEEP

384:KICKqPF/EkecA6C1VqahohtgVRNVdoV7TtRu8rM/dWwYVFl2g5coW58dO0xXHV2j:7qPJtecA6C1VqahohtgVRNToV7TtRu8O

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2640	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2640	2320	026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe	29
PID 2320 wrote to memory of 2640	2320	026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe	29
PID 2320 wrote to memory of 2640	2320	026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe	29
PID 2320 wrote to memory of 2640	2320	026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe	29

C:\Users\Admin\AppData\Local\Temp\026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe
"C:\Users\Admin\AppData\Local\Temp\026632a49b6186ead4e9ceb32bd6850d286f892d9e5b9045c4378c242c680d53.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
22KB

MD5
8e61a8239e45532a87bd05536673e7a2

SHA1
1f5e2df0f47fe0cafc48b45c31979389058bc61b

SHA256
472c7addf82abb030b3d5fc8be4d6234b6ff30ac7b856818a490461d85608d1a

SHA512
670bc99af5934103be0175cf0101edb06b5babf23a072d96504241bd9f4cdb045dda73b7fa7f576d8a3404a6ba394cec12085436fd0cea9ea66f588cfe42af28

Download Submit
memory/2320-1-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/2320-3-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2640-8-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads