85841700199bb0762518be8266169250ed6a0b4e48e6dfb4e47b8da5c78d12c8

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DATA/tv/RemoteHelper.exe
Size

2.4MB
MD5

eab6450adf406fb350e611f5dacd4600
SHA1

dcd89b9de03246dfaa9682358da7169e1be87574
SHA256

b215b6042d7a72beb408540b034081901e017ed730341d8d7c7d380582267e2a
SHA512

f3f0da58c5eaa61b51f825557c20cb9f5ebbf119e201bc1f3c44b8d2b2f19c0dc46a0b17a1fd537fcf4fa6f71fe3d80bad5d8efd132bb5630beaf898adbfbf04
SSDEEP

49152:GOgmmzZJyWAfF7rt/l4kWKENl6vkj4BomLOfGPVpeyWnoDc2hsiC:Gtk7Z/l4t6v9Gm0MOD2ZC

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2380-3-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral3/memory/2492-11-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral3/memory/2504-30-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral3/memory/2380-81-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral3/memory/2492-82-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral3/memory/2504-116-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemoteHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemoteHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemoteHelper.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2504	RemoteHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2380	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe
2492	RemoteHelper.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2504	RemoteHelper.exe
2504	RemoteHelper.exe
2504	RemoteHelper.exe
2504	RemoteHelper.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2504	2492	RemoteHelper.exe	31
PID 2492 wrote to memory of 2504	2492	RemoteHelper.exe	31
PID 2492 wrote to memory of 2504	2492	RemoteHelper.exe	31
PID 2492 wrote to memory of 2504	2492	RemoteHelper.exe	31

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3"	RemoteHelper.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_HDROP = "15"	RemoteHelper.exe

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:2380

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe" --restartInActiveSession --sess_id 1
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
  --justStart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

Filesize
461KB

MD5
e387cc77168c0d2d8137dabcc00c87b4

SHA1
3100cc65bfd8613a74013321e130203432dd72bb

SHA256
eca85dbca5043e6e25cd03186a7bcc1e8f6e602504713d304e6bd092a5315af4

SHA512
81ccd571ecec58e1f9ca9e7278d585db2085f62a8c6bb37e887cfdb2ba95ed983c900307786b071ac979cd54bf10c3c8cfbee5b75ce76d411ae6f2f48a5b279d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

Filesize
464KB

MD5
aeaccf91168be96e5492a4731d44804f

SHA1
79fea9b2b4eb1c330c74cbf37cf1c92f6af42f92

SHA256
bff684ae7651de1fab071a310188cb37db4c39482deefd1cbf5f61ec140b2e14

SHA512
f437b55a9e6cd2212d84a03c97ac7148a88b95131ba1028c91c44528e1286cb2469158da5d69335ab252623434e9744048895ae656caa12ce686d10085279bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

Filesize
467KB

MD5
35137be39ca6af91c0de439984082d13

SHA1
d8848e5defec72fc3b0eeac12a5c0897a9d1622e

SHA256
54e90eb158b0f144dcf0bdccba420bf3e4f08cbe81effe3a3a82fd6a8c13e0d5

SHA512
f70355aac60fad055da3ef9d609615f6185567a94a1ee53db413be556a0acc96004a5d77747677abb05ea50e0f2158dba55a5bd7512e73b35ce4f03a99469110

Download Submit
C:\Users\Admin\AppData\Local\Temp\DATA\tv\tensorrh.log

Filesize
460KB

MD5
01f1cf76991b9955172e9a6a4a5ce88d

SHA1
600e9972be5d4ffb5ead1efccbb193acb3dbc044

SHA256
73343b986e9e3737da5156e31c1a9e2dc4d3f0b96ab1f8e53fd36106a900dc3a

SHA512
2fcb8be9cc00599c81a419b7538adac08d5645440855786a4e1f98182b2976d0cbd000ba25b3eb2c2816d8622f6f85b4b0862f77ab7cb78a8af8599e6fb8f3e7

Download Submit
memory/2380-3-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/2380-81-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/2492-11-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/2492-23-0x0000000001FE0000-0x000000000278B000-memory.dmp

Filesize
7.7MB

Download
memory/2492-82-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/2504-30-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/2504-116-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download