6856e5eb63d33106818e31c73d24a242e98dc013881ec391b4ab27c6d2969c2d

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcefd1d995b3009e63ef9777c6cce430N.exe
Size

62KB
MD5

dcefd1d995b3009e63ef9777c6cce430
SHA1

a968edd192a62cf4f44fac86a168d81ee015debe
SHA256

6856e5eb63d33106818e31c73d24a242e98dc013881ec391b4ab27c6d2969c2d
SHA512

2373cb373c54484d6014eee0964f40b3bcce6a4fbf0df24e1bec283623b8adf377013be9d8b82822e616c04e86033a1a6d62cd9ab533fc8afa453a1c5ab8bf2c
SSDEEP

1536:lAo0ej2d6rnJwwvlKlIUBP6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrH1hy9:lAo1lOwvlKlXBP6vghzwYu7vih9GueIc

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1920	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1920	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	dcefd1d995b3009e63ef9777c6cce430N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe
File created	C:\Windows\microsofthelp.exe	dcefd1d995b3009e63ef9777c6cce430N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcefd1d995b3009e63ef9777c6cce430N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1920	2536	dcefd1d995b3009e63ef9777c6cce430N.exe	29
PID 2536 wrote to memory of 1920	2536	dcefd1d995b3009e63ef9777c6cce430N.exe	29
PID 2536 wrote to memory of 1920	2536	dcefd1d995b3009e63ef9777c6cce430N.exe	29
PID 2536 wrote to memory of 1920	2536	dcefd1d995b3009e63ef9777c6cce430N.exe	29

C:\Users\Admin\AppData\Local\Temp\dcefd1d995b3009e63ef9777c6cce430N.exe
"C:\Users\Admin\AppData\Local\Temp\dcefd1d995b3009e63ef9777c6cce430N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
62KB

MD5
dcd62e63441098f4841c71b8358328b9

SHA1
adb97f09002f1cdbe9d0d6f7da991862dcf4eddc

SHA256
2261009e10f3316eabeb20e898f70949049cf3984d26d6e35c327094329e992d

SHA512
012b7135f21da537a0880ff4239dcd47ef79cda7e43af0c1be693f5cfe33a11b6c8288939ab160ca895215634d71645fed9817fb7abf97b9566165a526976382

Download Submit
memory/1920-9-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2536-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2536-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads