Malware Analysis Report

2025-03-14 23:28

Sample ID: 240407-wz9x4aah4z
Target: 08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e
SHA256: 08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e
Tags: persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e

Threat Level: Shows suspicious behavior

The file 08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e shows suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 18:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 18:22

Reported: 2024-04-07 18:25

Platform: win7-20240221-en

Max time kernel: 147s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\microsofthelp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\microsofthelp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\microsofthelp.exe C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe N/A
File created C:\Windows\HidePlugin.dll C:\Windows\microsofthelp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\microsofthelp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe

"C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.cygdy.com udp

Files

memory/1936-0-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1936-6-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 959affcda29e008b757efbf6a3422687
SHA1 8abf02c9b094b20e4d86a882a8b75d66af2a64c0
SHA256 ff00a841055389e867153f99d0fa1c28c401a9250eca63b60ef58917d00a127b
SHA512 ffb1d606ec6dd37a62e010e0c2d8c434cc674c7cf691efe3ab69d42a3d373372d69ac90c4978cd84682b09b7f7db3ec7ce40e93a684e07edd31f802c2154fc4e

memory/1936-8-0x0000000000020000-0x000000000002C000-memory.dmp

memory/1732-9-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1732-13-0x0000000010000000-0x0000000010005000-memory.dmp

memory/1732-14-0x0000000000400000-0x000000000040C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 18:22

Reported: 2024-04-07 18:25

Platform: win10v2004-20240226-en

Max time kernel: 163s

Max time network: 171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\microsofthelp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\microsofthelp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\microsofthelp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\HidePlugin.dll C:\Windows\microsofthelp.exe N/A
File created C:\Windows\microsofthelp.exe C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\microsofthelp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe

"C:\Users\Admin\AppData\Local\Temp\08353cc8f2b15c9ad6a1781b9905ad7a354cf33d0db3f076fd4acc47d583328e.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp
US 8.8.8.8:53 www.cygdy.com udp

Files

memory/316-0-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 959affcda29e008b757efbf6a3422687
SHA1 8abf02c9b094b20e4d86a882a8b75d66af2a64c0
SHA256 ff00a841055389e867153f99d0fa1c28c401a9250eca63b60ef58917d00a127b
SHA512 ffb1d606ec6dd37a62e010e0c2d8c434cc674c7cf691efe3ab69d42a3d373372d69ac90c4978cd84682b09b7f7db3ec7ce40e93a684e07edd31f802c2154fc4e

memory/316-4-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Windows\HidePlugin.dll

MD5 4c0b9970f96300dfa1f45afc7539d35f
SHA1 ebbb4ed2003662d78d1f32e7b6da1b6f504ae711
SHA256 4e96660cc8be7171a79755a20860366987547322b3a809e78c9850f14c242262
SHA512 579f8787b52bf62a0296d8a24753263201fbc84abec5927033e3c97576f965ead0f8422acd3f7af1345b0df0001b0cd68fa971062e21269f6940cf3e1508ca88

memory/4400-10-0x0000000010000000-0x0000000010005000-memory.dmp

memory/4400-11-0x0000000000400000-0x000000000040C000-memory.dmp