Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:20

General

  • Target

    6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe

  • Size

    38KB

  • MD5

    03466761131cb9185d79541b29260ea0

  • SHA1

    c57215ab211a0fad1b6bcf6b214699819b16caf8

  • SHA256

    6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61

  • SHA512

    b88999fe4c379ab09992a1c4912016c5c8896ad8aeb7c9a4557d5b7bfea1d6f576fbc058004da28dea795885f95fb1f26886051246a2865195779534a86575db

  • SSDEEP

    768:ePyFZFASe0Ep0EpHZplRpqpd6rqxn4p6vghzwYu7vih9GueIh9j2IoHAjUvJw3/8:e6q10k0EFjed6rqJ+6vghzwYu7vih9G3

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe
    "C:\Users\Admin\AppData\Local\Temp\6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Windows\microsofthelp.exe
      "C:\Windows\microsofthelp.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\microsofthelp.exe

    Filesize

    39KB

    MD5

    964bbe52add974dd8026386aae56a164

    SHA1

    36b406871b0d039a4925c85440e19480ca3c093a

    SHA256

    5cbad242b95593587e7ebdbea078126a314390cfea03a02c326c698c77dc8dc2

    SHA512

    416d49b67a67fbcb551212a0cfb4e647e663e3f97bcd25965f4efbb48d9473befa816c496e264584cbc3574bd1ca9106fae1d59d0010384cd0c5384849ff44e2

  • memory/2180-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2180-2-0x0000000000220000-0x000000000022E000-memory.dmp

    Filesize

    56KB

  • memory/2972-10-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB