8d82e6472a932eb96fb1986c2bfabc704ab190ef02bee0237641ade7395dc739

Analysis

max time kernel
119s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f209236477efb43774dc4ddf4c8820N.exe
Size

90KB
MD5

17f209236477efb43774dc4ddf4c8820
SHA1

efbb00376b0c7fe38f0983ef434ecb1c2dd00b33
SHA256

8d82e6472a932eb96fb1986c2bfabc704ab190ef02bee0237641ade7395dc739
SHA512

ebba271da3678f11abc1f7234d53e9d4e03c27721d1eea4b828ca3e3c0c2b6067048ebf41069fe8c8c373eb6926e56dda04e623fa0278d8a4cbc6cb214d7ab29
SSDEEP

1536:NDj2d6rnJbJnJBSX1nV1b1N1Il1k1YFI1x1J1MuEqx517Q/1T1Jzct01Nsqnl1Rw:FlnnJBSX1nV1b1N1Il1k1YFI1x1J1MuT

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1292	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1292	microsofthelp.exe

Loads dropped DLL 1 IoCs

pid	Process
1292	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	17f209236477efb43774dc4ddf4c8820N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	17f209236477efb43774dc4ddf4c8820N.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17f209236477efb43774dc4ddf4c8820N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1292	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1292	2900	17f209236477efb43774dc4ddf4c8820N.exe	84
PID 2900 wrote to memory of 1292	2900	17f209236477efb43774dc4ddf4c8820N.exe	84
PID 2900 wrote to memory of 1292	2900	17f209236477efb43774dc4ddf4c8820N.exe	84

C:\Users\Admin\AppData\Local\Temp\17f209236477efb43774dc4ddf4c8820N.exe
"C:\Users\Admin\AppData\Local\Temp\17f209236477efb43774dc4ddf4c8820N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HidePlugin.dll

Filesize
5KB

MD5
4c0b9970f96300dfa1f45afc7539d35f

SHA1
ebbb4ed2003662d78d1f32e7b6da1b6f504ae711

SHA256
4e96660cc8be7171a79755a20860366987547322b3a809e78c9850f14c242262

SHA512
579f8787b52bf62a0296d8a24753263201fbc84abec5927033e3c97576f965ead0f8422acd3f7af1345b0df0001b0cd68fa971062e21269f6940cf3e1508ca88

Download Submit
C:\Windows\microsofthelp.exe

Filesize
90KB

MD5
2dd5d8ad9a09fe45882515813d167288

SHA1
0d358cca6afb8e265bb71249a5f544eec9b1cb83

SHA256
6c8a76c67e3d16fa66b5a3c44dee0ee71c38035a7fcdf933ac1232f150e136e8

SHA512
4dbfabd9fed4f869d41cacaa0f6ff5a64295e513b0f93162c226c399601894a4058c8d95729c849abd69e2971759070e85649e9bad320788229e67dfe649d9b7

Download Submit
memory/1292-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1292-12-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1292-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2900-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2900-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads