953bea3f27dc3f4475c43a3a8106ed256f955a4493ba60f0f5d32fe4a87abc20

Analysis

max time kernel
120s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2cd8dbe1ea00951ce3bd892d40768d40N.exe
Size

61KB
MD5

2cd8dbe1ea00951ce3bd892d40768d40
SHA1

890b6f9272c603ac0ce7f968aab28468743bd5d2
SHA256

953bea3f27dc3f4475c43a3a8106ed256f955a4493ba60f0f5d32fe4a87abc20
SHA512

a7a8cf569baac90156d0d415f6858fca0cd0d423c46abf4e586f7d53095b914e1849b5aa9c2107062c481a0874e0bfa11d511f7df6113d856d12ca33ce378081
SSDEEP

1536:lAo0ej2d6rnJwwvlKlIUBP6vghzwYu7vih9GueIh9j2IoHAcBHUIFvSHbhqhJIFm:lAo1lOwvlKlXBP6vghzwYu7vih9GueIc

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3640	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
3640	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	2cd8dbe1ea00951ce3bd892d40768d40N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	2cd8dbe1ea00951ce3bd892d40768d40N.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cd8dbe1ea00951ce3bd892d40768d40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 3640	4388	2cd8dbe1ea00951ce3bd892d40768d40N.exe	84
PID 4388 wrote to memory of 3640	4388	2cd8dbe1ea00951ce3bd892d40768d40N.exe	84
PID 4388 wrote to memory of 3640	4388	2cd8dbe1ea00951ce3bd892d40768d40N.exe	84

C:\Users\Admin\AppData\Local\Temp\2cd8dbe1ea00951ce3bd892d40768d40N.exe
"C:\Users\Admin\AppData\Local\Temp\2cd8dbe1ea00951ce3bd892d40768d40N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
62KB

MD5
070b785babe48c5fddf156ea7b2b1a18

SHA1
c68a0a8ddf1990601d6b282eb782171528202783

SHA256
ee7f060b95e0c2690c0c2735f235f8ea38e54d44a910c08e03aa78072a83ac68

SHA512
99b6c4709d384bb9926544f02f796cf558ce8bda043fa7c17e68b2f73495eb8b9e7cbe30ca898de0658f0ffedc39aaea95031d727dea486ff521eac8f8b0cb43

Download Submit
memory/3640-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3640-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4388-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4388-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads