758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe
Size

34KB
MD5

1b9b3203971f5a0b467ed9a3770feac5
SHA1

8f2e60098813435ef93656e61574c38bb83d5d6c
SHA256

758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319
SHA512

6426b0be3bc32f70cd333b1321655dbd6db92534deca705148e0e242f9b1f4b560872db172b6665c39b745fa54cd990f8b47ad72fd98dacf47856ba0d334246a
SSDEEP

768:/qPJtHA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhN:/qnA6C1VqaqhtgVRNToV7TtRu8rM0wYt

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

microsofthelp.exe

pid process

2368 microsofthelp.exe
Executes dropped EXE 1 IoCs

Processes:

microsofthelp.exe

pid process

2368 microsofthelp.exe

pid	process
2368	microsofthelp.exe

pid	process
2368	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe

Drops file in Windows directory 1 IoCs

Processes:

758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe

description ioc process

File created C:\Windows\microsofthelp.exe 758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe

description	ioc	process
File created	C:\Windows\microsofthelp.exe	758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe

description	pid	process	target process
PID 2864 wrote to memory of 2368	2864	758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe	microsofthelp.exe
PID 2864 wrote to memory of 2368	2864	758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe	microsofthelp.exe
PID 2864 wrote to memory of 2368	2864	758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe	microsofthelp.exe
PID 2864 wrote to memory of 2368	2864	758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe	microsofthelp.exe

C:\Users\Admin\AppData\Local\Temp\758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe
"C:\Users\Admin\AppData\Local\Temp\758e8e3685b5ccf1e1412d22a83a5dc63a0e8552edde22c7f7e6ecead55e2319.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\microsofthelp.exe
"C:\Windows\microsofthelp.exe"
2⤵
- Deletes itself
- Executes dropped EXE
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
34KB

MD5
a9f78659a2a2a841cb26f8ebd23bb1c1

SHA1
355ac32cb1d38f9f0de85b62faece641efac1497

SHA256
59865a389d9afffeee241fc1b905e465ee3f8f2ad5af8e8ce8983fca98304dac

SHA512
d9060c9861143286000f27bd97a190135e5e99384ccc7d919dc557dc57bb45b1d530d69df5c07dc9d2c34ccc2ea5035af7e305354f6f5a5aa9e5af611986c633

Download Submit
memory/2368-9-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2864-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2864-3-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download
memory/2864-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download