965180f13b7dbc23e90a7982b40446a2cc8f6c825435a5723eb3dcde978b8948

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81b89a090bea2faf9c94d0a09b1871c0N.exe
Size

52KB
MD5

81b89a090bea2faf9c94d0a09b1871c0
SHA1

b31612b951a44b0e3c532188cb7485c3a30c3baf
SHA256

965180f13b7dbc23e90a7982b40446a2cc8f6c825435a5723eb3dcde978b8948
SHA512

0ba938b8b10f058b5c284b5f900ba5108b826311251e8cbf9e11979e591793294e6de4904e036d655af18ae6d9710a2b0887a6ec16659fa426072b500209e507
SSDEEP

1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIm:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYVQ

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1624	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
1624	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	81b89a090bea2faf9c94d0a09b1871c0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	81b89a090bea2faf9c94d0a09b1871c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81b89a090bea2faf9c94d0a09b1871c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1624	5084	81b89a090bea2faf9c94d0a09b1871c0N.exe	83
PID 5084 wrote to memory of 1624	5084	81b89a090bea2faf9c94d0a09b1871c0N.exe	83
PID 5084 wrote to memory of 1624	5084	81b89a090bea2faf9c94d0a09b1871c0N.exe	83

C:\Users\Admin\AppData\Local\Temp\81b89a090bea2faf9c94d0a09b1871c0N.exe
"C:\Users\Admin\AppData\Local\Temp\81b89a090bea2faf9c94d0a09b1871c0N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
52KB

MD5
40b1270469cc7d2d828320a12198e422

SHA1
42ee82d6bb7fa0c138c0047b87cd1008d3dab645

SHA256
1647581e37e264a1f7da43e60d9ee4bb50207c429f8e20b7927601b2d5606671

SHA512
8d7ebfa9dc5ec72fc4adacff248c75c42b1c3b423825f793c24ec5dfbb2b901431f81387a90283d8689a1ca2cf83f6e005fb0a9de10bb0d479da6caf8ee627e9

Download Submit
memory/1624-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5084-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5084-3-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads