Analysis
- max time kernel: 120s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-09-2024 09:42
Static task: static1
Behavioral task: behavioral1
- Sample: cec16af49a8c7a4e5df2479215fda540N.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: cec16af49a8c7a4e5df2479215fda540N.exe
- Resource: win10v2004-20240802-en
General
- Target: cec16af49a8c7a4e5df2479215fda540N.exe
- Size: 39KB
- MD5: cec16af49a8c7a4e5df2479215fda540
- SHA1: 200412b6bd6f2da2dc5f7b7ebb76aee9a0d91d52
- SHA256: b6fea780abb9aed2b86d1af02eb4128705095c0a3f6e2ee6d55e5fe1755314a4
- SHA512: d7e9beb68c79143cd54596905035f9d031a9b2bca2763b692329224a453409bc56df01b24950603ab9166e274cda74b321f72163873daeb4acf30080674809c7
- SSDEEP: 768:ePyFZFASe0Ep0EpHZplRpqpd6rqxn4p6vghzwYu7vih9GueIh9j2IoHAjU+Eh6I+:e6q10k0EFjed6rqJ+6vghzwYu7vih9Gi
Malware Config
Signatures
- Deletes itself (1 IoC)
  pid / Process: 4824 microsofthelp.exe
- Executes dropped EXE (1 IoC)
  pid / Process: 4824 microsofthelp.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process: Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" | cec16af49a8c7a4e5df2479215fda540N.exe
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process: File created | C:\Windows\microsofthelp.exe | cec16af49a8c7a4e5df2479215fda540N.exe
  description / ioc / Process: File created | C:\Windows\HidePlugin.dll | microsofthelp.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cec16af49a8c7a4e5df2479215fda540N.exe
  description / ioc / Process: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | microsofthelp.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target: PID 4180 wrote to memory of 4824 | 4180 | cec16af49a8c7a4e5df2479215fda540N.exe | 83
  description / pid / Process / procid_target: PID 4180 wrote to memory of 4824 | 4180 | cec16af49a8c7a4e5df2479215fda540N.exe | 83
  description / pid / Process / procid_target: PID 4180 wrote to memory of 4824 | 4180 | cec16af49a8c7a4e5df2479215fda540N.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\cec16af49a8c7a4e5df2479215fda540N.exe "C:\Users\Admin\AppData\Local\Temp\cec16af49a8c7a4e5df2479215fda540N.exe" (PID: 4180)
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\microsofthelp.exe "C:\Windows\microsofthelp.exe" (PID: 4824)
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 39KB
  MD5: d2c9649b35db5c40f814fad9bed05314
  SHA1: 327efa9080f594e92efa5a1f01f94dd7b9a2e6f1
  SHA256: 26ca4b4080c94cc239a800e4830b64dee930ae1ce5f8ccf171a2367bf445ee9a
  SHA512: 8859a9225bb52a7e593c093b6713c709a4dce97a01b70b68c384670062849d715a5efb968b652d702d0212115175cb654ce34de5b3d915ecea85c4c1854e9d7e