6cb4d7cbe577491e9a3f62363f778233a1e7af39a67051767bdc61074db4de08

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 23:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

17d554be99b24ae188fa69a4027bd950N.exe
Size

53KB
MD5

17d554be99b24ae188fa69a4027bd950
SHA1

111e69f20195abe30861ad6bfe1c17bd179671e9
SHA256

6cb4d7cbe577491e9a3f62363f778233a1e7af39a67051767bdc61074db4de08
SHA512

8824d7f68db609056661f032342dfe4119f72c1c983d2c6c6cc5634d777502ca1c719b54ddd91cd776fa42abcf92e81c378766808f7b7a58d845c4b4dbcaba71
SSDEEP

1536:NAo0Tj2d6rnJwwvl4ulkvsaLHtj+hzhMhyvtvDh:NAoglOwvl4ulkvsaLHtj+hzhMhyvtvDh

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2308	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	17d554be99b24ae188fa69a4027bd950N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	17d554be99b24ae188fa69a4027bd950N.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2308	1704	17d554be99b24ae188fa69a4027bd950N.exe	30
PID 1704 wrote to memory of 2308	1704	17d554be99b24ae188fa69a4027bd950N.exe	30
PID 1704 wrote to memory of 2308	1704	17d554be99b24ae188fa69a4027bd950N.exe	30
PID 1704 wrote to memory of 2308	1704	17d554be99b24ae188fa69a4027bd950N.exe	30

C:\Users\Admin\AppData\Local\Temp\17d554be99b24ae188fa69a4027bd950N.exe
"C:\Users\Admin\AppData\Local\Temp\17d554be99b24ae188fa69a4027bd950N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
53KB

MD5
790998a012a64adffdf473a0e811c896

SHA1
41e8fe15f37c7b11d07367d1cbd9435fa492c1b8

SHA256
1253a287f296ad12da6165f99638db5b842401fd4ef733ad93fcc936b429867c

SHA512
9a7b2223f9b54d427b3c1a5383f753537b93ab77c0322d4151da7894e864c69e131728b02c0be94e0fdf27ce123d4b1f67c8ff528a72abbce2b5d9eab4c313d7

Download Submit
memory/1704-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2308-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2308-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads