6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d

Analysis

max time kernel
149s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe
Size

60KB
MD5

575e13a7fb71ebcf97c4316c5b4d9b53
SHA1

f27df9e7625565396cd2a629aa5b9003476bd65e
SHA256

6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d
SHA512

8724ae0ed3ecbdd6f5ac9a451f647a62d67152b58277a23d52134381bb0fc649f00f4e179303a63096c11995bdc8437b878f4587a8a7e4e8047dd68d363e5b2e
SSDEEP

1536:NAo0Tj2d6rnJwwvl4ulkP6vghzwYu7vih9GueIh9j2IoHAcBHUIFvSHbhqhJIhmO:NAoglOwvl4ulkP6vghzwYu7vih9GueIl

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2828	1752	6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe	29
PID 1752 wrote to memory of 2828	1752	6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe	29
PID 1752 wrote to memory of 2828	1752	6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe	29
PID 1752 wrote to memory of 2828	1752	6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe	29

C:\Users\Admin\AppData\Local\Temp\6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe
"C:\Users\Admin\AppData\Local\Temp\6dd6bc92c43a0eba4bed0b714cad04f1f04f2302a45f149cf5680dc862202d8d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
61KB

MD5
4d4c4404c973a5e23c7b841ceecf66e9

SHA1
72321d9c81f4e56caf93680aa15fa1139b7e0c05

SHA256
599e3ad4652cc458d1b167017e6b3116811d5a7e13149844dfb70e2432e4c09b

SHA512
551a311a5865e5d1333fd24c09396c04ff546b795c3506eb7dab5e4fe70174438919ee9350a0ca8a6ad8b0c3b84fffd3c91e48f597460340aebad217f71c2664

Download Submit
memory/1752-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1752-3-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/1752-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2828-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads