Malware Analysis Report

2025-03-14 23:45

Sample ID 240603-gmkp4sfa76
Target ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a
SHA256 ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a

Threat Level: Shows suspicious behavior

The file ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a was found to show suspicious behavior.

Malicious Activity Summary

persistence

Deletes itself

Executes dropped EXE

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:55

Reported

2024-06-03 05:57

Platform

win7-20240221-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe | N/A
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe

"C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

N/A

Files

memory/2776-0-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2776-6-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 e3cc663ff39b5fccd31caeddfdbfa204
SHA1 e512b7d4af793918385016a678904d9a36d1b273
SHA256 f4ee6108080cf8751b4d811b3fab89f1369c0b8e4d6b51d58e106e328a812182
SHA512 ec4880ae6c728f7fd32cf165220408190db5161eb67fecc77bacdc1ae33f85fdbeb04c2da38a0102327b62de934825cc92dfe6b4abd57c3520c68d7b5c6b604f

memory/2272-8-0x0000000000400000-0x000000000040D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:55

Reported

2024-06-03 05:57

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\microsofthelp.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\HidePlugin.dll | C:\Windows\microsofthelp.exe | N/A
File created | C:\Windows\microsofthelp.exe | C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe

"C:\Users\Admin\AppData\Local\Temp\ff735cb480153176febbce467a02bff6520d015a219071dc06525c8433114b0a.exe"

C:\Windows\microsofthelp.exe

"C:\Windows\microsofthelp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/400-0-0x0000000000400000-0x000000000040D000-memory.dmp

C:\Windows\microsofthelp.exe

MD5 e3cc663ff39b5fccd31caeddfdbfa204
SHA1 e512b7d4af793918385016a678904d9a36d1b273
SHA256 f4ee6108080cf8751b4d811b3fab89f1369c0b8e4d6b51d58e106e328a812182
SHA512 ec4880ae6c728f7fd32cf165220408190db5161eb67fecc77bacdc1ae33f85fdbeb04c2da38a0102327b62de934825cc92dfe6b4abd57c3520c68d7b5c6b604f

memory/400-4-0x0000000000400000-0x000000000040D000-memory.dmp