b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe
Size

55KB
MD5

1953df37df4a3235f7254df8d698fa11
SHA1

0c2723f10fde3c4bb46a9ee8e89fb1cf743a92aa
SHA256

b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7
SHA512

7b353a54ee7019a303096f7414f6573986db0df83acb4b471fff61ef2a1dd4e06187c1afd02ad1780982beb2dacfffb73d53ccc24f5f58b972ac2149ad76e294
SSDEEP

1536:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wYVFl2g5u58dO0xXHQEyYfdhNhFO5h3xhIe:+MA6C1VqaqhtgVRNToV7TtRu8rM0wYV8

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2340	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2340	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2340	3452	b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe	83
PID 3452 wrote to memory of 2340	3452	b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe	83
PID 3452 wrote to memory of 2340	3452	b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe	83

C:\Users\Admin\AppData\Local\Temp\b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe
"C:\Users\Admin\AppData\Local\Temp\b98c52824b8c339477ea3a1c737cb559ffa41f5bed1b56646571fdd3589c57f7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
55KB

MD5
ce5e6325cad064a08ccbf3336b90ddc2

SHA1
b50c6d959f6666adb3ca65990dd06e171b87df3d

SHA256
7591fc2b66e1ba6734c27796177872087666aa876c3e5cc834efaaf75df43e48

SHA512
04bfd957f8cf5b2129d595686ee0315562fe5415b88328699861e49545bc5c31102ecd09c8d1f8e6658ed91610f6d7e20974c2b97c6b7d1e4e974a4e7f9615be

Download Submit
memory/2340-6-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3452-0-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/3452-5-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads