71e33c6219b52ba633326260fd11bd12ae7f3af520abf619db25170d0ff2c9ef

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059131ae0e63ddd4c4239bdae91ec149.exe
Size

83KB
MD5

059131ae0e63ddd4c4239bdae91ec149
SHA1

4d896849d28cff39d142002794f5a4fa77d8c508
SHA256

71e33c6219b52ba633326260fd11bd12ae7f3af520abf619db25170d0ff2c9ef
SHA512

f0e2fd8e0d97252c23a7fab71995cd915728d786a5445e8954477e7660016a66c43aabd19b2e36229e2345ef6341352434482b9610cd103384b2ff8aadfeeba0
SSDEEP

1536:vAowfbJFgjQ284U+w2EwRz/IUqX514n2222n2n2LIEHuIUH7NOE96EtjtujE/EXu:vAowVFgjQiUkEwt/XqX514n2222n2n2a

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1932	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	059131ae0e63ddd4c4239bdae91ec149.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	059131ae0e63ddd4c4239bdae91ec149.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1932	940	059131ae0e63ddd4c4239bdae91ec149.exe	86
PID 940 wrote to memory of 1932	940	059131ae0e63ddd4c4239bdae91ec149.exe	86
PID 940 wrote to memory of 1932	940	059131ae0e63ddd4c4239bdae91ec149.exe	86

C:\Users\Admin\AppData\Local\Temp\059131ae0e63ddd4c4239bdae91ec149.exe
"C:\Users\Admin\AppData\Local\Temp\059131ae0e63ddd4c4239bdae91ec149.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
83KB

MD5
a6107e8cd05203fd6c95fd57f620496b

SHA1
b17ede3f1d8627f3477555ab5f31f97d4511cbda

SHA256
36aba16a8a5619f2b8ad4b56cdf0a8319a52b8779f9f28cbb4351805eddb21ef

SHA512
9829329bb9ea80b84dca85a258c64a2919cc1843192071e9b3d92216a40cbf33a51d056dfc8a6b59fcc268b360631224cfc218b787fc8a16c318edd8b3fc666c

Download Submit
memory/940-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/940-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1932-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads