e476b1392c1161131b186d74c23bcd79e42c22f4cbd5ab3a97e596da3b97d900

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

610c86ae262081179d8ded93e101ab80N.exe
Size

73KB
MD5

610c86ae262081179d8ded93e101ab80
SHA1

64e78420d27eeb661c6f098ba3b7c0e6d8cc715b
SHA256

e476b1392c1161131b186d74c23bcd79e42c22f4cbd5ab3a97e596da3b97d900
SHA512

2301321ffc66b229fa1e14215d692bf863f17a22198b39728ed714fdd9411b18936490b1def6812153a3f6c5f0b216cd411d76ee01d9b2ba9d0c78c00a433d0b
SSDEEP

1536:86RAo0ej2d6rnJwwvlNlIUBvsI7hrhEh9cpDN/qhAvP3OChhW4dI0h4HCIzhUvTn:xAo1lOwvlNlXBvsI7hrhEh9cpDN/qhAV

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1752	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1752	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	610c86ae262081179d8ded93e101ab80N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	610c86ae262081179d8ded93e101ab80N.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	610c86ae262081179d8ded93e101ab80N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 1752	580	610c86ae262081179d8ded93e101ab80N.exe	29
PID 580 wrote to memory of 1752	580	610c86ae262081179d8ded93e101ab80N.exe	29
PID 580 wrote to memory of 1752	580	610c86ae262081179d8ded93e101ab80N.exe	29
PID 580 wrote to memory of 1752	580	610c86ae262081179d8ded93e101ab80N.exe	29

C:\Users\Admin\AppData\Local\Temp\610c86ae262081179d8ded93e101ab80N.exe
"C:\Users\Admin\AppData\Local\Temp\610c86ae262081179d8ded93e101ab80N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
73KB

MD5
33dc9ffdf3ef3ddd3e2a1e7e0425daab

SHA1
f875aa501d0f94290cea1acf31c2f6b4572debd1

SHA256
bebaca71c101bbd3e6592eb27fe2e69776dbbd5616b9c6f68fc526decc6e465d

SHA512
689e1ce19f9201de60ec80dd9dfdc04e655f177619deaba091905052ac0b47b5c90a51cedf8d1cadbc26b51701bac410df17ff4de0985e6d74717d9871199f87

Download Submit
memory/580-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1752-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1752-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads