1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe
Size

77KB
MD5

d0ce19693ce411148a64c9336222c9c6
SHA1

f04693cb59aff527c1ba1ad8d2fbae523a007b8e
SHA256

1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d
SHA512

3d014f853b23e899d9d0cf15578515c37e1e7a306f43dc7df382259b4849d2177cea311e16b334533215472cd8dd9cdd54e4b6a228ea14f3df2b8795b58db743
SSDEEP

1536:86RAo0ej2d6rnJwwvlNlIUBvsI7hrhEh9cpDN/qhAvP3OChhW4dI0h4HCIzhUvT4:xAo1lOwvlNlXBvsI7hrhEh9cpDN/qhA2

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2720	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2720	2272	1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe	30
PID 2272 wrote to memory of 2720	2272	1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe	30
PID 2272 wrote to memory of 2720	2272	1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe	30
PID 2272 wrote to memory of 2720	2272	1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe	30

C:\Users\Admin\AppData\Local\Temp\1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe
"C:\Users\Admin\AppData\Local\Temp\1cd6a19e298189db901990779de8fd8e33134954634cc1449001d395f4f3e43d.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
78KB

MD5
940facbcaabb91db665e0dbf8e81be64

SHA1
57b90f12a8822741ff2bf0d7606bc79eb5d2f76d

SHA256
08fe334b55579730b98038aacafad8b42852920263e4302ba3732f3037e9221d

SHA512
8debaee66ca59eb3cdc9412983317e095ff48ee9c1c4da902b5e4820b4059cee0a03e551a35ce612ae032f1578f945dc23f756c9e74865cdc3b18d5b43764a1a

Download Submit
memory/2272-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2272-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2720-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2720-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads