Analysis
- max time kernel: 119s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 18/08/2024, 16:12
Static task
- static1
Behavioral task
- behavioral1
  - Sample: dcefd1d995b3009e63ef9777c6cce430N.exe
  - Resource: win7-20240729-en
Behavioral task
- behavioral2
  - Sample: dcefd1d995b3009e63ef9777c6cce430N.exe
  - Resource: win10v2004-20240802-en
General
- Target: dcefd1d995b3009e63ef9777c6cce430N.exe
- Size: 62KB
- MD5: dcefd1d995b3009e63ef9777c6cce430
- SHA1: a968edd192a62cf4f44fac86a168d81ee015debe
- SHA256: 6856e5eb63d33106818e31c73d24a242e98dc013881ec391b4ab27c6d2969c2d
- SHA512: 2373cb373c54484d6014eee0964f40b3bcce6a4fbf0df24e1bec283623b8adf377013be9d8b82822e616c04e86033a1a6d62cd9ab533fc8afa453a1c5ab8bf2c
- SSDEEP: 1536:lAo0ej2d6rnJwwvlKlIUBP6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrH1hy9:lAo1lOwvlKlXBP6vghzwYu7vih9GueIc
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid 1920 | process: microsofthelp.exe
- Executes dropped EXE (1 IoC)
  pid 1920 | process: microsofthelp.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | process: dcefd1d995b3009e63ef9777c6cce430N.exe
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\HidePlugin.dll | process: microsofthelp.exe
  File created: C:\Windows\microsofthelp.exe | process: dcefd1d995b3009e63ef9777c6cce430N.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | process: dcefd1d995b3009e63ef9777c6cce430N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2536 wrote to memory of 1920 | process: dcefd1d995b3009e63ef9777c6cce430N.exe | procid_target: 29
  PID 2536 wrote to memory of 1920 | process: dcefd1d995b3009e63ef9777c6cce430N.exe | procid_target: 29
  PID 2536 wrote to memory of 1920 | process: dcefd1d995b3009e63ef9777c6cce430N.exe | procid_target: 29
  PID 2536 wrote to memory of 1920 | process: dcefd1d995b3009e63ef9777c6cce430N.exe | procid_target: 29
Processes
- C:\Users\Admin\AppData\Local\Temp\dcefd1d995b3009e63ef9777c6cce430N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcefd1d995b3009e63ef9777c6cce430N.exe"
  PID: 2536
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\microsofthelp.exe (spawned by the process above)
    Command line: "C:\Windows\microsofthelp.exe"
    PID: 1920
    - Deletes itself
    - Executes dropped EXE
    - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 62KB
  MD5: dcd62e63441098f4841c71b8358328b9
  SHA1: adb97f09002f1cdbe9d0d6f7da991862dcf4eddc
  SHA256: 2261009e10f3316eabeb20e898f70949049cf3984d26d6e35c327094329e992d
  SHA512: 012b7135f21da537a0880ff4239dcd47ef79cda7e43af0c1be693f5cfe33a11b6c8288939ab160ca895215634d71645fed9817fb7abf97b9566165a526976382