228ccdb265d6a3ed3662208be55b66a0172f8124b0919657d8ddbf094d131682

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6528814061cb80f1d13707121534fe80N.exe
Size

41KB
MD5

6528814061cb80f1d13707121534fe80
SHA1

cbd3f201ef8c36052b86f69c6dfdf3b0a94b2830
SHA256

228ccdb265d6a3ed3662208be55b66a0172f8124b0919657d8ddbf094d131682
SHA512

325b7eeb2bc99510463d405be23562ed4ac20fd24ed5602ab18685d0c91da080fe51a76a7d77ff5f80c4ff894f7fcf0e77afe6163652354d90699c7d4ca0801a
SSDEEP

768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhL:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYr

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2832	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	6528814061cb80f1d13707121534fe80N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	6528814061cb80f1d13707121534fe80N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2832	2256	6528814061cb80f1d13707121534fe80N.exe	28
PID 2256 wrote to memory of 2832	2256	6528814061cb80f1d13707121534fe80N.exe	28
PID 2256 wrote to memory of 2832	2256	6528814061cb80f1d13707121534fe80N.exe	28
PID 2256 wrote to memory of 2832	2256	6528814061cb80f1d13707121534fe80N.exe	28

C:\Users\Admin\AppData\Local\Temp\6528814061cb80f1d13707121534fe80N.exe
"C:\Users\Admin\AppData\Local\Temp\6528814061cb80f1d13707121534fe80N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
41KB

MD5
d9924e590eb60406abc805bc1619ccd3

SHA1
265942e3fd4a34616c528d92cc91253fdb997a54

SHA256
6c1d019b62523782ee0cf62652f0aa4e14aa5e65e874086f8746f09519ee493b

SHA512
f35e4c5019aa8060fe7ce7401b2b61f6d7b5dcd39c304b6253c20117bef87cfcbd42c28642aca44a0cb54ca3142a24e4ddffc43bbf035c8e8b00426aec56e481

Download Submit
memory/2256-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2256-7-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2832-8-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads