440ae1d9fc4161eee5531a5a98462a999ed2790ec79abf93ff7fcec3f1c1c05d

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 10:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6fdc93541d8bc8209663d89be15f370N.exe
Size

40KB
MD5

e6fdc93541d8bc8209663d89be15f370
SHA1

a584f98d80d1ecc1412a5a4941b77ac42923ce8d
SHA256

440ae1d9fc4161eee5531a5a98462a999ed2790ec79abf93ff7fcec3f1c1c05d
SHA512

f79da65d1462d1f19c20b75e06e048ec1aed4eddf7e3bdb33ae9fdb07573325d4499135c69d2c1bdfbf8f10765f5a1d9f280d772ac3cb4d91e745463753792ec
SSDEEP

768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wYVFl2g5coW58dO0xXHV2EfKYfdhNhm:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYG

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1500	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1500	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	e6fdc93541d8bc8209663d89be15f370N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	e6fdc93541d8bc8209663d89be15f370N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6fdc93541d8bc8209663d89be15f370N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1500	3048	e6fdc93541d8bc8209663d89be15f370N.exe	31
PID 3048 wrote to memory of 1500	3048	e6fdc93541d8bc8209663d89be15f370N.exe	31
PID 3048 wrote to memory of 1500	3048	e6fdc93541d8bc8209663d89be15f370N.exe	31
PID 3048 wrote to memory of 1500	3048	e6fdc93541d8bc8209663d89be15f370N.exe	31

C:\Users\Admin\AppData\Local\Temp\e6fdc93541d8bc8209663d89be15f370N.exe
"C:\Users\Admin\AppData\Local\Temp\e6fdc93541d8bc8209663d89be15f370N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
40KB

MD5
8ca2b861734562dc3715b8f3af356a4d

SHA1
5b9e35aeebc14a9a925c79b6bb2fdfa4393d3682

SHA256
2f7708f4930077f20a737373f60ef391466ef58e6890bdb5221375cb477b40ad

SHA512
48dfba4f2205ed2bea6c31cc21226ca13c9d6bcb8a9025beca8149cc91d9980864fc4c98cb5a88b1934cfdbf5a6fb40e139c0c7f5c85212e643c4a362a8ed008

Download Submit
memory/1500-9-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3048-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3048-3-0x0000000000220000-0x0000000000223000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads