eb0123e6ab62311fe6e0f13393b2a8548b78a9eb2c79ed20e28105e24f5a8a3a

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7732b33beeac8a521d181049cd39e8c0N.exe
Size

49KB
MD5

7732b33beeac8a521d181049cd39e8c0
SHA1

b86c6ece2d1abed5a31254afa2bfaf2377af6a28
SHA256

eb0123e6ab62311fe6e0f13393b2a8548b78a9eb2c79ed20e28105e24f5a8a3a
SHA512

399315ad72955b04cedd7aad3b0c060fc09b11d3132de1603fce769b09c8ce7368c8392c8cabd6f1df9dbdeb325eb1940c16a56a9939ab7290e03b00b06b879a
SSDEEP

1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIz:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYVd

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2656	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	7732b33beeac8a521d181049cd39e8c0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	7732b33beeac8a521d181049cd39e8c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7732b33beeac8a521d181049cd39e8c0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2656	3052	7732b33beeac8a521d181049cd39e8c0N.exe	31
PID 3052 wrote to memory of 2656	3052	7732b33beeac8a521d181049cd39e8c0N.exe	31
PID 3052 wrote to memory of 2656	3052	7732b33beeac8a521d181049cd39e8c0N.exe	31
PID 3052 wrote to memory of 2656	3052	7732b33beeac8a521d181049cd39e8c0N.exe	31

C:\Users\Admin\AppData\Local\Temp\7732b33beeac8a521d181049cd39e8c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7732b33beeac8a521d181049cd39e8c0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
49KB

MD5
d58a99a4185eaa93df1e96939f7ceb1e

SHA1
41a4fa10d4be504159d1c2f85574bcee85e6f315

SHA256
504005a0a53d8fde7e12a5a9e8062c1335b404999ad438112eff2692e17bdbd6

SHA512
60356e6848b17eba87bb8bbdb40649979a98691524cbfe3411a42c6285a0bff0e168276026e11820b73a6a2b0fdfec71c0193c5e4389a0da988fe9f6499d6d81

Download Submit
memory/2656-9-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3052-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3052-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads