Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-2c4qfscg7w
Target 7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65
SHA256 7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65

Threat Level: Shows suspicious behavior

Verdict for 7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65: shows suspicious behavior (score 7/10). The behavioral runs below show the sample writing C:\Windows\microsofthelp.exe (a file whose SHA256 differs from the submitted sample) and, from that process, C:\Windows\HidePlugin.dll; registering microsofthelp.exe under the per-user Run key; executing the dropped file; and deleting the original.

Malicious Activity Summary

persistence

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 22:27

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 22:27

Reported

2024-04-06 22:29

Platform

win7-20240221-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
Process: C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\microsofthelp.exe
Process: C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe
Target: N/A

Description: File created
Indicator: C:\Windows\HidePlugin.dll
Process: C:\Windows\microsofthelp.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe

"C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

N/A

Files

memory/2240-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 6113cb3ce6ad794324917344fa0dad72
SHA1 6c959680525ed93ee87ed691102b052aadfed0ce
SHA256 f8f23ef9fb22cc1432ab87ae9a1f16067341c7fa5f9626a4b9aed649d7eb278b
SHA512 fee26b9ad862ec77b1544c5a0e7d48d9b737706a93d615a01db16d93ab69cdb46e6cea127813c520dfb69841cf3d56999cedbd63e3acee0da094df0558c90a76

memory/2240-3-0x00000000001B0000-0x00000000001BD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 22:27

Reported

2024-04-06 22:29

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe"

Signatures

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Windows\microsofthelp.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
Process: C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\microsofthelp.exe
Process: C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe
Target: N/A

Description: File created
Indicator: C:\Windows\HidePlugin.dll
Process: C:\Windows\microsofthelp.exe
Target: N/A
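The "Adds Run key" and "Drops file in Windows directory" indicators are identical across behavioral1 (Windows 7) and behavioral2 (Windows 10) apart from the user SID, so one host check covers both. The script below is an added triage example and is not part of the sandbox report or the sandbox vendor's tooling. The dropped paths, the Run value name and the SHA256 of microsofthelp.exe are taken from the report; HidePlugin.dll has no hash in the report, so only its presence is checked. The output shape, the Add-Finding helper and the decision to walk every user hive under HKEY_USERS are the example's own choices.

```powershell
# Added host-triage script (not from the sandbox report). Checks a live Windows host
# for the persistence and file-drop indicators recorded in behavioral1/behavioral2.
# Run from an elevated session: reading all of HKEY_USERS and hashing files under
# C:\Windows needs administrative rights.

$RunValueName = 'microsofthelp'
$RunValueData = 'C:\Windows\microsofthelp.exe'
$DroppedFiles = @{
    # path = SHA256 from the report ($null where the report gives none)
    'C:\Windows\microsofthelp.exe' = 'f8f23ef9fb22cc1432ab87ae9a1f16067341c7fa5f9626a4b9aed649d7eb278b'
    'C:\Windows\HidePlugin.dll'    = $null
}
$findings = New-Object System.Collections.Generic.List[object]

# Helper (example's own): collect one finding row.
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Dropped files. PowerShell's -eq on strings is case-insensitive, so the report's
#    lowercase hash compares cleanly against Get-FileHash's uppercase output.
foreach ($path in $DroppedFiles.Keys) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
    $sha256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $expected = $DroppedFiles[$path]
    $status   = 'present (no reference hash in report)'
    if ($null -ne $expected) {
        $status = if ($sha256 -eq $expected) { 'present, SHA256 matches report' } else { 'present, SHA256 differs from report (variant or unrelated file)' }
    }
    Add-Finding 'DroppedFile' $path "$status; SHA256=$sha256"
}

# 2. Run key. The two sandbox runs used different user SIDs, so walk every loaded
#    user hive under HKEY_USERS rather than hard-coding a SID from the report.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
    # keep only real user SIDs; skips .DEFAULT, *_Classes and service SIDs
    if ($hive.PSChildName -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
    $runKey = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        # match on the value name or on the data: a variant may rename one without the other
        if ($prop.Name -eq $RunValueName -or $data -like "*$RunValueData*") {
            Add-Finding 'RunKey' "$runKey\$($prop.Name)" $data
        }
    }
}

# 3. The dropped executable currently running.
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($proc.Path -and $proc.Path -eq $RunValueData) {
        Add-Finding 'Process' "PID $($proc.Id)" $proc.Path
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No indicators from this report found on this host.' }
```

Two points worth keeping in mind when reading hits. The Run value lives under the user's own hive (HKCU), so it persists only for that account and is writable without elevation; the drop into C:\Windows, by contrast, needs an elevated token, which the sandbox's "Admin" user evidently had. On a non-admin host the Run value could therefore be present while the file drop failed, which is why the script reports the three indicator classes separately rather than as one verdict.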

Processes

C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe

"C:\Users\Admin\AppData\Local\Temp\7732e1955b57bfc31b238fd898e16484af3f9764182c5d2120999ae6c9d40c65.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp

All eleven entries are reverse-DNS (PTR) queries for in-addr.arpa names sent to 8.8.8.8 over UDP/53; the report records no direct connection to any of the addresses being looked up, so these should not be treated as command-and-control indicators without corroborating evidence. The Windows 7 run (behavioral1) recorded no network activity at all.

Files

memory/4960-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 6113cb3ce6ad794324917344fa0dad72
SHA1 6c959680525ed93ee87ed691102b052aadfed0ce
SHA256 f8f23ef9fb22cc1432ab87ae9a1f16067341c7fa5f9626a4b9aed649d7eb278b
SHA512 fee26b9ad862ec77b1544c5a0e7d48d9b737706a93d615a01db16d93ab69cdb46e6cea127813c520dfb69841cf3d56999cedbd63e3acee0da094df0558c90a76

memory/4960-4-0x0000000000400000-0x000000000040D000-memory.dmp