Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 02/09/2024, 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: 16f7253b4e82e53573654fe99a23fac0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 16f7253b4e82e53573654fe99a23fac0N.exe
  Resource: win10v2004-20240802-en
General
Target: 16f7253b4e82e53573654fe99a23fac0N.exe
Size: 78KB
MD5: 16f7253b4e82e53573654fe99a23fac0
SHA1: 1ad6716ed06dfc9e379709d1fdc2047bba404a33
SHA256: 335c23d6b7ee0543594c65daac973952602513908cd391deeca078bfedcc2a7d
SHA512: 8b2992b820c31f85c7892331b96d7424bb830d0e8b19b890cbe2fd431ccaa6af73af8de4beed9045c36710b3590b29a1ba28f76f868467de90c9df0586809bd8
SSDEEP: 1536:86RAo0ej2d6rnJwwvlNlIUBvsI7hrhEh9cpDN/qhAvP3OChhW4dI0h4HCIzhUvTv:xAo1lOwvlNlXBvsI7hrhEh9cpDN/qhAF
Malware Config
Signatures
- Deletes itself (1 IoCs)
  pid: 2344 | Process: microsofthelp.exe
- Executes dropped EXE (1 IoCs)
  pid: 2344 | Process: microsofthelp.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | Process: 16f7253b4e82e53573654fe99a23fac0N.exe
- Drops file in Windows directory (2 IoCs)
  description: File created | ioc: C:\Windows\microsofthelp.exe | Process: 16f7253b4e82e53573654fe99a23fac0N.exe
  description: File created | ioc: C:\Windows\HidePlugin.dll | Process: microsofthelp.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: 16f7253b4e82e53573654fe99a23fac0N.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3068 wrote to memory of 2344 | pid: 3068 | Process: 16f7253b4e82e53573654fe99a23fac0N.exe | procid_target: 30
  description: PID 3068 wrote to memory of 2344 | pid: 3068 | Process: 16f7253b4e82e53573654fe99a23fac0N.exe | procid_target: 30
  description: PID 3068 wrote to memory of 2344 | pid: 3068 | Process: 16f7253b4e82e53573654fe99a23fac0N.exe | procid_target: 30
  description: PID 3068 wrote to memory of 2344 | pid: 3068 | Process: 16f7253b4e82e53573654fe99a23fac0N.exe | procid_target: 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\16f7253b4e82e53573654fe99a23fac0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\16f7253b4e82e53573654fe99a23fac0N.exe"
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3068
   2. C:\Windows\microsofthelp.exe
      Command line: "C:\Windows\microsofthelp.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2344
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 78KB
MD5: 0272f4a36c71068f3e2a0920eaf0a5d6
SHA1: 9dca7bb7a02156742351d770a72064ce31aab2be
SHA256: 7b9053fcaf63df7677091b8963b8df30e82ff93435d8f5ecb9d06fea881819d2
SHA512: 2cf89baccf6c564c88cd9a76367a5226163dd1d62480acbc450b1ed64ea9b97e74ab8eada2d6873b133446885f18d6b62d8766042ea744909070a4c39f6527ef