35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe
Size

81KB
MD5

fd5460c39d79510164b4d9db0424a4ba
SHA1

70614810aefbea1247a26e62a33fed8f84b17ef2
SHA256

35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46
SHA512

e7bd4284211df66a240570fc299e419c843774871037319c3507e906731513bfe3e8c47772a2a45f8c66e33654a6d92896f1699bd658f204ff10d6d345d4faaa
SSDEEP

1536:YAowfUJFgjT284U+w2EwRz6OlvaeEpIaCtwUaSvcmGCCCCCHCChCHCCCdg1WCCCh:YAowyFgjTiUkEwt6OlvaeEpIaCtwUaSy

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2244	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2244	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2244	2964	35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe	28
PID 2964 wrote to memory of 2244	2964	35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe	28
PID 2964 wrote to memory of 2244	2964	35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe	28
PID 2964 wrote to memory of 2244	2964	35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe	28

C:\Users\Admin\AppData\Local\Temp\35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe
"C:\Users\Admin\AppData\Local\Temp\35442accada9695a7c44d2ffac2cf9b1dce454096dc50558d1c28800699fed46.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
82KB

MD5
2649617a9160ab3ebf437c69da2b3da4

SHA1
4aa4ca348a4647eb61bec1e130b2181e0dbc8df0

SHA256
0eb205e60cc346ae75c31f167e8c00c3ff2f9e2d7c87c8212cc8607b558e0c71

SHA512
a23b637aecd5af1ea2bafed35d979cb385d4861a93bb77e884f9595527e9de7a6cb4e926dd15baff7cbd843f626315fd83977ba015bdd975710a0a9214d39f81

Download Submit
memory/2244-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2964-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2964-7-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2964-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads