aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 10:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe
Size

78KB
MD5

d7bf99b42af4fd1e99d4b5799a04b290
SHA1

093fa1a9fba52c4f6a86d873d6fa0e9aaefbf7db
SHA256

aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4
SHA512

18f6000a252c5e2b2a0a108a6a604e75f27103a36436372c7b7a8535fcea6b6b37d3f46d51c4495d19ea431c097cea3126a524d5e6d2b11a029ad609c345445e
SSDEEP

1536:86RAo0ej2d6rnJwwvlNlIUBvsI7hrhEh9cpDN/qhAvP3OChhW4dI0h4HCIzhUvTH:xAo1lOwvlNlXBvsI7hrhEh9cpDN/qhAZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2732	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2732	2272	aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe	30
PID 2272 wrote to memory of 2732	2272	aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe	30
PID 2272 wrote to memory of 2732	2272	aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe	30
PID 2272 wrote to memory of 2732	2272	aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe	30

C:\Users\Admin\AppData\Local\Temp\aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe
"C:\Users\Admin\AppData\Local\Temp\aaa04e182cd7a3ddd03b7d00dcf3ec848bbe6eab1db1f05059fe1aa13e02abb4N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
79KB

MD5
b6f4a5689595a5fcc4325071b09f0753

SHA1
e2567f0be5fb03684316e44ff6674741c932be31

SHA256
8fcbabee7ac6a33266ec1b803f8593809e44e112aaa28eede30305606e0e19a5

SHA512
24e4fe7f7e6a3a3a1ed58ab0e5f5b1c03f00d492190357c46b8a992a3c67f63b432a16fd79c70a93b4923f2c93d1b82a416ee8115fd5e8379fea216b8a096a1d

Download Submit
memory/2272-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2272-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2732-8-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2732-10-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads