a0896d6053e7d56ff4523f4a2c0b2aed0d7b400fa9850ac1f4ceadfa7b56f5fe

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a9bce03d83f37b68a94e8cab425cea0N.exe
Size

44KB
MD5

7a9bce03d83f37b68a94e8cab425cea0
SHA1

209951802339b7cc117dd7d692f0c3c784e09237
SHA256

a0896d6053e7d56ff4523f4a2c0b2aed0d7b400fa9850ac1f4ceadfa7b56f5fe
SHA512

b10c4538e3e45d9f0918a9a0535785d0452e539a4463339332e9c0c013deae810b7279fa0ac7923f39c9ea3fe16642c3f828cd137548003779310166f0aa7341
SSDEEP

768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhR:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYx

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2900	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	7a9bce03d83f37b68a94e8cab425cea0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	7a9bce03d83f37b68a94e8cab425cea0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a9bce03d83f37b68a94e8cab425cea0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2900	2396	7a9bce03d83f37b68a94e8cab425cea0N.exe	30
PID 2396 wrote to memory of 2900	2396	7a9bce03d83f37b68a94e8cab425cea0N.exe	30
PID 2396 wrote to memory of 2900	2396	7a9bce03d83f37b68a94e8cab425cea0N.exe	30
PID 2396 wrote to memory of 2900	2396	7a9bce03d83f37b68a94e8cab425cea0N.exe	30

C:\Users\Admin\AppData\Local\Temp\7a9bce03d83f37b68a94e8cab425cea0N.exe
"C:\Users\Admin\AppData\Local\Temp\7a9bce03d83f37b68a94e8cab425cea0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
44KB

MD5
0533cf6f9edb90182a31294749ec9c52

SHA1
6a826165fa209685431985796b2a8b2c781136eb

SHA256
462f65d9c5555d67c8afd4ab6efad18d9c3c09421813ad8a33b8d11ba1470e08

SHA512
889d19a79a3777385e93004cca6976b208ff308d446039c7e3d12196815cb1f84f91c1ac9bdf340dee031d3f2e6bce79ed4f28c63ce474dafb3f5598b2a75708

Download Submit
memory/2396-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2396-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2900-8-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads