8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe
Size

50KB
MD5

eb1be04fa634cef2209b514bed21b0a0
SHA1

62871d0ac59c61ee7be263e033091030b5f92ffe
SHA256

8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683
SHA512

c20b825e37c7ff973293f8d5dac626a3ba16dc8e9130c277ce52fb46300541b4a69b43047605b8c464b8bfadcc08ff318b3389da776c834e8afd3723d97b10ff
SSDEEP

1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIQ:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYVa

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3020	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
3020	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 3020	2792	8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe	28
PID 2792 wrote to memory of 3020	2792	8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe	28
PID 2792 wrote to memory of 3020	2792	8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe	28
PID 2792 wrote to memory of 3020	2792	8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe	28

C:\Users\Admin\AppData\Local\Temp\8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe
"C:\Users\Admin\AppData\Local\Temp\8133aced7c3f4c905257ae73ca60926013e76416e44f2f953ed0c27ec6bbe683N.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
51KB

MD5
1b70924d72ecfb226bd1a77cac742b4f

SHA1
aa439c5bee4863eba4ddd1d37c7942820e4937da

SHA256
aa3d1364c216829f5d859d4b973250f84c5bcb2208ddd7c05d069f7333fb6e55

SHA512
8d5aa81b402219e3e1c648c6a41cfbb5f06bf2001e5cc6ca42b41c9c5c9d6592866ba78c0881468c5706ba447d75fd2484bffa0d312d534374541c6a39b99fe9

Download Submit
memory/2792-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/2792-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3020-9-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads