3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7b

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe
Size

77KB
MD5

fb4005aa4a50fe97d797e51fd7d85170
SHA1

9c5bd0f2cbeefb15173ddeed503630d50020f5d2
SHA256

3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7b
SHA512

b92835c234a02862a306fbc37987a913b1dcf9da02471ed87aac8ffa3f70ecf23722440efb0a4e73e0a8e760928e762446b6ec24e4f1ac049f968aa371d39da6
SSDEEP

1536:86RAo0ej2d6rnJwwvlNlIUBvsI7hrhEh9cpDN/qhAvP3OInvnHvvxIfhqhcGoI/g:xAo1lOwvlNlXBvsI7hrhEh9cpDN/qhAg

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5616	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
5616	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 5616	4092	3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe	82
PID 4092 wrote to memory of 5616	4092	3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe	82
PID 4092 wrote to memory of 5616	4092	3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe	82

C:\Users\Admin\AppData\Local\Temp\3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe
"C:\Users\Admin\AppData\Local\Temp\3ff05248e1c579a1787c9bd29f42cde77f66afa1cedd781a9e5c7d9ec41fbf7bN.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
77KB

MD5
e1fae455cc3c51b92ca9881208f33b11

SHA1
fdc68ddfa1ded7f65f2e0d3fd77503c4388b47aa

SHA256
9484173f7e4c982a7066c60816655ba667ae6a00505f811e799028f13a9d1315

SHA512
ef37da8edb97ddae332a8cb521db6d1ab2cb564e630d7c058707210ac9d9c47c9da6605595662fb406aa035f1c09bc0c644861841d109598b5eaca2e56210ac1

Download Submit
memory/4092-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4092-5-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5616-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads