85841700199bb0762518be8266169250ed6a0b4e48e6dfb4e47b8da5c78d12c8

Analysis

max time kernel
141s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DATA/tv/RemoteHelper.exe
Size

2.4MB
MD5

eab6450adf406fb350e611f5dacd4600
SHA1

dcd89b9de03246dfaa9682358da7169e1be87574
SHA256

b215b6042d7a72beb408540b034081901e017ed730341d8d7c7d380582267e2a
SHA512

f3f0da58c5eaa61b51f825557c20cb9f5ebbf119e201bc1f3c44b8d2b2f19c0dc46a0b17a1fd537fcf4fa6f71fe3d80bad5d8efd132bb5630beaf898adbfbf04
SSDEEP

49152:GOgmmzZJyWAfF7rt/l4kWKENl6vkj4BomLOfGPVpeyWnoDc2hsiC:Gtk7Z/l4t6v9Gm0MOD2ZC

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/4228-0-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral4/memory/1480-18-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral4/memory/4228-76-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral4/memory/1480-77-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx
behavioral4/memory/2208-113-0x0000000000400000-0x0000000000BAB000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemoteHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemoteHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RemoteHelper.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	RemoteHelper.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2208	RemoteHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
4228	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe
1480	RemoteHelper.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2208	RemoteHelper.exe
2208	RemoteHelper.exe
2208	RemoteHelper.exe
2208	RemoteHelper.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2208	1480	RemoteHelper.exe	85
PID 1480 wrote to memory of 2208	1480	RemoteHelper.exe	85
PID 1480 wrote to memory of 2208	1480	RemoteHelper.exe	85

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "3"	RemoteHelper.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats\CF_HDROP = "15"	RemoteHelper.exe

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:4228

C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe" --restartInActiveSession --sess_id 1
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Users\Admin\AppData\Local\Temp\DATA\tv\RemoteHelper.exe
  --justStart
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

Filesize
462KB

MD5
9b78982593419764071b527932de1fc5

SHA1
082ddfb720e9ad7c9b3a77f174cc8dbff6cd8841

SHA256
8ba0f47f47781f368cc44ab74f6f41e01be771d74e2b138e7f2ccaa709e1763a

SHA512
3b33ebbee07b6b7747eafc36d0d9dcd4ef35bef84f8a55d8974baacb580b5a509be21832fe242eecde8637558c020eb702128f830793ddb8a61a2bb75aa07f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

Filesize
462KB

MD5
28e2f791151516c54df6f718f186b47b

SHA1
7d49cace234f8dd852a488c2902a8b92bd491ef6

SHA256
98df6257049395d680d2ae731e15845ad8e7a1aa0c2e13bb50e2d75038bff5cc

SHA512
45ec286e3b417296c22429f2ed52975169c67aef203884d28b4245c55469e7b994b9cf2626a1ea948b09f2e7fa3644f0152667d7c84517d269a25a184bd43b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

Filesize
466KB

MD5
ed0d762c86b0d3b4c758d5f54058cb6b

SHA1
1f411008cb4b08af77d6a55bb5f0a9cbc757799f

SHA256
0bbc36918ae9b18bb9d495601b29cc5ea4547a629bf8f5666b07a6926b4c347a

SHA512
ed30da60f902c2be741a352cb8254037bd7d3698ad080618cce8bec94032e3a16c9490053d48527e787a5e9f836fc456ba6898bbf5fc0c32a3dbea3e8baedc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\DATA\tv\TensorRH.log

Filesize
467KB

MD5
a95c4fe9d9f333d4ef3d8727028e0346

SHA1
e185772085ee8906157c1c04a209372d7eadecc9

SHA256
c6a99849ad8d5f1b5650b7dc018c2c538981729d6c85ea42df70a74883e24b91

SHA512
d0a8c53fb94bcdde735c2914e6eeaa54a17aa33649231a90666f2e9aeb8bc3fab7435ae1c295cc75c6815e06c8b9c716e0a22b54c4748763da24b08f1d8bce65

Download Submit
C:\Users\Admin\AppData\Local\Temp\DATA\tv\tensorrh.log

Filesize
462KB

MD5
58b706d39ad557209d67e600afb60991

SHA1
1b0b3e121acfe0317fa9f73849b1cfd1f5b58c6b

SHA256
ecfd654684f5f458c2b5c0ac366dde78d77038efa8ff7c825512ec11db32beaa

SHA512
b735ce981f3cd064e08e419dca275ad096e367184a90ac002e6b3a9f9bf431e3db4a15488284f973a8f80ea62ef7dceaba48adf75ba682211b7f97a141b4615d

Download Submit
memory/1480-18-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/1480-77-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/2208-113-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/4228-0-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download
memory/4228-76-0x0000000000400000-0x0000000000BAB000-memory.dmp

Filesize
7.7MB

Download