2a4351c2d22ae25da27e63d684329130676c06d30bc09aeb9ad0491f964e6a87

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3f78fb5fd48b36ce826883cc2b23d2.exe
Size

32KB
MD5

0f3f78fb5fd48b36ce826883cc2b23d2
SHA1

6eb0b5449140ff1f12bc063a6a7b20f8dec396f1
SHA256

2a4351c2d22ae25da27e63d684329130676c06d30bc09aeb9ad0491f964e6a87
SHA512

53dd069a2254352a092e3b4ff93420a516bbc308f5d8de010c08e2e05d1fee1f8f681058f168bf862d63bd68b574717ccd3abfc66a97f484aaa5a7b176f8e5ed
SSDEEP

768:/qPJtHA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNh2:/qnA6C1VqaqhtgVRNToV7TtRu8rM0wYW

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
396	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
396	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	0f3f78fb5fd48b36ce826883cc2b23d2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	0f3f78fb5fd48b36ce826883cc2b23d2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 396	5004	0f3f78fb5fd48b36ce826883cc2b23d2.exe	86
PID 5004 wrote to memory of 396	5004	0f3f78fb5fd48b36ce826883cc2b23d2.exe	86
PID 5004 wrote to memory of 396	5004	0f3f78fb5fd48b36ce826883cc2b23d2.exe	86

C:\Users\Admin\AppData\Local\Temp\0f3f78fb5fd48b36ce826883cc2b23d2.exe
"C:\Users\Admin\AppData\Local\Temp\0f3f78fb5fd48b36ce826883cc2b23d2.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
32KB

MD5
feea2ba51d8b2eafa941e809f488efe9

SHA1
d185259ea5ed6d0c1cf17882df4cdf4bfe6b506b

SHA256
e166660f5615b3389f7860bb564832c2095631237e1ee1166faff7530f3086f0

SHA512
559fba80f18a030d40e5eba5cf0d3fc01f609b3781d6df615278f98d26da79e353ceb2065ca8d919fe292831313702d6a8b7af076e8580f58255b45139e6680f

Download Submit
memory/396-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5004-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5004-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads