Analysis

max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 02:15
Static task: static1

Behavioral task: behavioral1
Sample: 75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: 75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe
Resource: win10v2004-20240426-en
General

Target: 75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe
Size: 33KB
MD5: 0dc292019116873470af8eb0fcb5f000
SHA1: bc47ce3c051a93c174340319a409ab02ce2fb35c
SHA256: 75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c
SHA512: 9b0370b2e14bc67be77b7102cabebbb521fc8446ef5c8f8fcded3985625312896d8fceb2f076fdea2251105134085dbcf1d31410f55f1315c0f066caf12deefe
SSDEEP: 768:/qPJtHA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNho:/qnA6C1VqaqhtgVRNToV7TtRu8rM0wYI
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
- pid 2068, process microsofthelp.exe

Executes dropped EXE (1 IoC)
Processes:
- pid 2068, process microsofthelp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
- process: 75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe

Drops file in Windows directory (1 IoC)
Processes:
- description: File created
- ioc: C:\Windows\microsofthelp.exe
- process: 75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
- description: PID 2992 wrote to memory of 2068 (the same write is recorded four times)
- pid: 2992
- process: 75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe
- target process: microsofthelp.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\microsofthelp.exe (child of process 1)
      command line: "C:\Windows\microsofthelp.exe"
      - Deletes itself
      - Executes dropped EXE
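The chain the report records (the sample running from the user's Temp folder writes microsofthelp.exe directly into C:\Windows, sets an HKCU Run value pointing at it, launches it, and the child then deletes the original) is worth correlating as a whole rather than alerting on any single event, because Run-key writes and files created under C:\Windows are each common on their own. The script below is an added example and is not part of the sandbox report or of the sample: it replays constructed Sysmon-style events (event IDs 1 ProcessCreate, 11 FileCreate, 13 RegistryValueSet, 23 FileDelete) built from the paths, PIDs and registry key on this page, and only flags a Run value when several of those behaviours line up on one process. The parent PID 1500 and the benign "VendorUpdater" entry are made up to show a non-match; the Run value is given unquoted, and `norm()` strips quoting so the report's `"C:\\Windows\\microsofthelp.exe"` form would match too. Note that the dropped copy listed under Downloads (34KB, different MD5/SHA values) is not byte-identical to the submitted 33KB sample, so a hash-based hunt should carry both sets of hashes.

```python
"""Correlate Sysmon-style events into the drop / persist / execute / self-delete
chain this report describes. Added example, not part of the sandbox output."""
import re
from collections import defaultdict

# Paths and key taken from the report. The parent PID of the sample and the
# benign noise process below are assumptions for the example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\75a2c239627a38963cd0ad4c0a26e89e5eb4fe1eb374c589200fb3f808e1b37c.exe")
DROPPED = r"C:\Windows\microsofthelp.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp")

# Constructed events modelled on the report's process tree; not real telemetry.
EVENTS = [
    {"event_id": 1,  "pid": 2992, "image": SAMPLE,  "parent_pid": 1500},
    {"event_id": 11, "pid": 2992, "image": SAMPLE,  "target": DROPPED},
    {"event_id": 13, "pid": 2992, "image": SAMPLE,  "target": RUN_KEY, "details": DROPPED},
    {"event_id": 1,  "pid": 2068, "image": DROPPED, "parent_pid": 2992},
    {"event_id": 23, "pid": 2068, "image": DROPPED, "target": SAMPLE},
    # Assumed benign noise: an installer registering its updater under Program Files.
    {"event_id": 13, "pid": 3100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# An .exe sitting directly in the Windows directory root, as in the report.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def norm(path):
    """Strip surrounding quotes and case-fold so registry data and file paths compare."""
    return path.strip('"').lower()


def correlate(events):
    """Return one finding per Run value that is backed by at least two of the
    report's behaviours on the same process."""
    created = defaultdict(set)      # pid -> files it created
    run_values = defaultdict(list)  # pid -> [(key, value)] Run entries it set
    children = defaultdict(dict)    # parent pid -> {child image: child pid}
    deleted = defaultdict(set)      # pid -> files it deleted
    image_of = {}                   # pid -> image

    for e in events:
        image_of[e["pid"]] = norm(e["image"])
        if e["event_id"] == 11:
            created[e["pid"]].add(norm(e["target"]))
        elif e["event_id"] == 13 and RUN_KEY_RE.search(e["target"]):
            run_values[e["pid"]].append((e["target"], norm(e["details"])))
        elif e["event_id"] == 1:
            children[e["parent_pid"]][norm(e["image"])] = e["pid"]
        elif e["event_id"] == 23:
            deleted[e["pid"]].add(norm(e["target"]))

    findings = []
    for pid, entries in run_values.items():
        for key, value in entries:
            reasons = []
            if value in created[pid]:
                reasons.append("Run value points at a file the same process dropped")
            if WINDOWS_ROOT_RE.match(value):
                reasons.append("persisted binary lives directly in the Windows directory")
            child_pid = children[pid].get(value)
            if child_pid is not None:
                reasons.append("dropped binary was launched as a child process")
                if image_of.get(pid) in deleted[child_pid]:
                    reasons.append("child deleted the original sample (self-deletion)")
            if len(reasons) >= 2:
                findings.append({"pid": pid, "image": image_of[pid], "run_key": key,
                                 "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid {f['pid']} ({f['image']}) -> {f['run_key']}")
        for r in f["reasons"]:
            print("   -", r)
```

Requiring two corroborating behaviours is what keeps the assumed installer entry out of the results: a Run value under Program Files set by a process that dropped nothing and spawned nothing scores zero, while the sample's value collects all four reasons. In real telemetry the same correlation would run per process GUID rather than per PID, since PIDs are reused.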
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\microsofthelp.exe
Filesize: 34KB
MD5: fc2ed3e32c5a1ccaf688575dee5a97b2
SHA1: 333e9d56fee24429201ad4af401546377a42b2e0
SHA256: 382cdd2112e5537fd5033d5a912373273aeaeba3da214eb539fbfed7a24154bb
SHA512: 3b4d2b0e979b5b88129716e7aa3ab5bb1d54f1aef019eaffd165cf833a23a7ad4121e3cd2ee3ad8006e64e66a8df64d8c7f8799640a1ff9bf40c36ccdd345314

memory/2068-8-0x0000000000400000-0x0000000000403000-memory.dmp
Filesize: 12KB

memory/2992-0-0x0000000000400000-0x0000000000403000-memory.dmp
Filesize: 12KB

memory/2992-3-0x0000000000220000-0x0000000000223000-memory.dmp
Filesize: 12KB