Analysis

max time kernel: 119s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 01:20
Static task: static1

Behavioral task: behavioral1
  Sample: 6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe
  Resource: win10v2004-20241007-en
General

Target: 6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe
Size: 38KB
MD5: 03466761131cb9185d79541b29260ea0
SHA1: c57215ab211a0fad1b6bcf6b214699819b16caf8
SHA256: 6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61
SHA512: b88999fe4c379ab09992a1c4912016c5c8896ad8aeb7c9a4557d5b7bfea1d6f576fbc058004da28dea795885f95fb1f26886051246a2865195779534a86575db
SSDEEP: 768:ePyFZFASe0Ep0EpHZplRpqpd6rqxn4p6vghzwYu7vih9GueIh9j2IoHAjUvJw3/8:e6q10k0EFjed6rqJ+6vghzwYu7vih9G3
Malware Config

Signatures

Deletes itself (1 IoC)
  pid   Process
  4284  microsofthelp.exe

Executes dropped EXE (1 IoC)
  pid   Process
  4284  microsofthelp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
  The Run value points at the copy the sample drops into the Windows directory root (see the next signature), so the dropped copy, not the original file in the user's Temp directory, is what persists across logons.

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\microsofthelp.exe (by 6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe)
  File created: C:\Windows\HidePlugin.dll (by microsofthelp.exe)

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by microsofthelp.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid   Process                                                                     procid_target
  PID 4892 wrote to memory of 4284     4892  6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe  83
  PID 4892 wrote to memory of 4284     4892  6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe  83
  PID 4892 wrote to memory of 4284     4892  6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe  83
  All three writes target PID 4284, the microsofthelp.exe child that the sample (PID 4892) launched; no write into a pre-existing process is recorded.
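The signatures above describe a three-step persistence chain: drop a PE directly into the Windows directory root, register it under HKCU\...\CurrentVersion\Run, and execute it from the user's Temp directory. The following detection logic is an added example and is not part of this report or of the sandbox's own rule set; it runs over Sysmon-style events (Event ID 11 FileCreate, 13 RegistryEvent value set, 1 ProcessCreate, using Sysmon's field names Image, TargetFilename, TargetObject, Details, ParentImage) that are constructed here from the report's IoCs plus some benign noise. The rule names, regexes and the chain correlation are my own choices and generalise beyond this sample to any PE placed in the Windows root.

```python
import re
from dataclasses import dataclass

# Sysmon event IDs referenced by the rules
PROCESS_CREATE, FILE_CREATE, REG_VALUE_SET = 1, 11, 13

# Run / RunOnce value under any hive spelling (HKU\..., \REGISTRY\USER\..., HKLM\...)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# A PE file sitting directly in the Windows directory root (no subdirectory)
WINROOT_PE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.I)
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str     # rule that fired
    actor: str    # Image of the process that caused the event
    target: str   # path the rule is about: Run value target, created file, or spawned image


def first_path(command: str) -> str:
    """Extract the executable path from a Run value such as '"C:\\a b.exe" /x' or 'C:\\a.exe /x'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def rule_run_key_to_windows_root(ev: dict):
    """Run-key persistence (T1547.001) whose target lives directly in the Windows root."""
    if ev["EventID"] != REG_VALUE_SET or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    target = first_path(ev["Details"])
    return Finding("run_key_to_windows_root", ev["Image"], target) if WINROOT_PE_RE.match(target) else None


def rule_pe_dropped_in_windows_root(ev: dict):
    """A new .exe/.dll written directly into the Windows root, which installers rarely do."""
    if ev["EventID"] == FILE_CREATE and WINROOT_PE_RE.match(ev["TargetFilename"]):
        return Finding("pe_dropped_in_windows_root", ev["Image"], ev["TargetFilename"])
    return None


def rule_windows_root_exe_spawned_from_user_dir(ev: dict):
    """A Windows-root binary started by a parent running from a user-writable path.
    The parent check keeps legitimate root binaries (explorer.exe started by userinit) quiet."""
    if (ev["EventID"] == PROCESS_CREATE and WINROOT_PE_RE.match(ev["Image"])
            and USER_DIR_RE.match(ev["ParentImage"])):
        return Finding("windows_root_exe_spawned_from_user_dir", ev["ParentImage"], ev["Image"])
    return None


RULES = (rule_run_key_to_windows_root, rule_pe_dropped_in_windows_root,
         rule_windows_root_exe_spawned_from_user_dir)


def detect(events):
    """Apply every rule to every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def persistence_chains(findings):
    """Images that were dropped, registered in a Run key, and executed: the complete chain."""
    by_rule = {}
    for f in findings:
        by_rule.setdefault(f.rule, set()).add(f.target.lower())
    return sorted(by_rule.get("run_key_to_windows_root", set())
                  & by_rule.get("pe_dropped_in_windows_root", set())
                  & by_rule.get("windows_root_exe_spawned_from_user_dir", set()))


# Constructed Sysmon-style events built from the report's IoCs (not captured telemetry)
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe"
DROPPED = "C:\\Windows\\microsofthelp.exe"
RUN_KEY = "HKU\\S-1-5-21-2045521122-590294423-3465680274-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\microsofthelp"

EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_KEY, "Details": '"C:\\Windows\\microsofthelp.exe"'},
    {"EventID": 1, "Image": DROPPED, "ParentImage": SAMPLE},
    {"EventID": 11, "Image": DROPPED, "TargetFilename": "C:\\Windows\\HidePlugin.dll"},
    # constructed benign noise: a normal Run entry, a log write, and explorer.exe at logon
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\app",
     "Details": '"C:\\Program Files\\Vendor\\app.exe" /background'},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetFilename": "C:\\Windows\\Logs\\CBS\\CBS.log"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
]

if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f"{h.rule:40} actor={h.actor} target={h.target}")
    print("persistence chains:", persistence_chains(EVENTS and hits))
```

On the constructed events the three malicious rules fire four times (the drop of microsofthelp.exe, the Run value, the spawn from Temp, and the HidePlugin.dll drop) and none of the benign events match, and the correlation step reduces those to the single chained image C:\Windows\microsofthelp.exe. In production the same rules would run over real Sysmon or EDR telemetry; the Windows-root check is deliberately narrow (no subdirectory) so that ordinary writes under System32 or Logs do not trip it.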
Processes

1. C:\Users\Admin\AppData\Local\Temp\6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6a349b5412dd2c94cb78f536120cabec6c8d07237916fed10d448e81922d0d61N.exe"
   PID: 4892
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\microsofthelp.exe (child of PID 4892)
      Command line: "C:\Windows\microsofthelp.exe"
      PID: 4284
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 39KB
MD5: 964bbe52add974dd8026386aae56a164
SHA1: 36b406871b0d039a4925c85440e19480ca3c093a
SHA256: 5cbad242b95593587e7ebdbea078126a314390cfea03a02c326c698c77dc8dc2
SHA512: 416d49b67a67fbcb551212a0cfb4e647e663e3f97bcd25965f4efbb48d9473befa816c496e264584cbc3574bd1ca9106fae1d59d0010384cd0c5384849ff44e2