Analysis
max time kernel: 119s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10-11-2024 01:36
Static task: static1
Behavioral task: behavioral1
  Sample: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe
  Resource: win10v2004-20241007-en
General
Target: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe
Size: 58KB
MD5: 428c9771c3b90b77244909cfcf2189d0
SHA1: 568be9cbc5c50f757a4c93006ae9ed3c14f5e75b
SHA256: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990f
SHA512: 5785510c7c7aa987c8a53824c91fa1c61b5f91da6089d2094abb983812185446b97e2d104bf371eb435545755400bb78d791c2d962e7a1358e2efea87f215508
SSDEEP: 1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhI5:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYV7
Malware Config
Signatures
Deletes itself (1 IoCs)
  Processes: microsofthelp.exe (pid 392)
Executes dropped EXE (1 IoCs)
  Processes: microsofthelp.exe (pid 392)
Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe" (process: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe)
Drops file in Windows directory (1 IoCs)
  Processes: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe
  File created: C:\Windows\microsofthelp.exe (process: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe, microsofthelp.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: microsofthelp.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe
  PID 2308 wrote to memory of 392 (dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe -> microsofthelp.exe)
  PID 2308 wrote to memory of 392 (dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe -> microsofthelp.exe)
  PID 2308 wrote to memory of 392 (dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe -> microsofthelp.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dfc246812f2e54b370d5597c8d1cfa964179da876e23d23ded539cc78855990fN.exe"
  PID: 2308
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\microsofthelp.exe
    Command line: "C:\Windows\microsofthelp.exe"
    PID: 392
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 58KB
MD5: 495d22365b8dacbab48789ce76c5ff97
SHA1: 7a2241c9d0e59c08a92664dec28b7ceae72b004e
SHA256: fec157317aca20b911bdb219f9fc1accf511c81e68b664541b39e1af9be3a1ed
SHA512: 8b05d1e9c888abe94a67255f15c50895460d4203409df6f3e708553f6b77a2c098f674d66e12289b40cb83d7c2b19c2017357e6be671a9a21baaf52cb472d0ee