8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe
Size

43KB
MD5

aeb4b3bd675b61f6f2bfe61001245856
SHA1

00e7cda816f26102669128e4ab0b95b9572d3939
SHA256

8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7
SHA512

388266909981bb5acde6fe2de8f10d88c0ec3d5ed8f11c2d5005e6a3361557eef6586dbb9d1170dd2ba6b33f33b4c33cc37129d9d0f7444f5327b5b620a8c530
SSDEEP

768:ePyFZFASe0Ep0EpHZplRpqpd6rqxn4p6vghzwYu7vih9GueIh9j2IoHAjU+Eh6II:e6q10k0EFjed6rqJ+6vghzwYu7vih9G8

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2776	microsofthelp.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	microsofthelp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\microsofthelp.exe	8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe
File created	C:\Windows\HidePlugin.dll	microsofthelp.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	microsofthelp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 2776	3476	8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe	85
PID 3476 wrote to memory of 2776	3476	8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe	85
PID 3476 wrote to memory of 2776	3476	8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe	85

C:\Users\Admin\AppData\Local\Temp\8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe
"C:\Users\Admin\AppData\Local\Temp\8ef3e776b6192a32d26d1c07c6dc83b9e4dba4de4d0a102054c2d38b5558d0f7.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\microsofthelp.exe
  "C:\Windows\microsofthelp.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\microsofthelp.exe

Filesize
43KB

MD5
78067662a22099bff607e8cf966320b7

SHA1
59c993952cd2e22f7816d20ae91559be5bfb07b4

SHA256
b11376307bf32dd0fbbaaad57c4db19b896380376377bea36822c8a0b4897b24

SHA512
5a0a0efd31808117ae6a62fa7f3aca673282b2d1490fb771a555f3ad323be9e76e0422ca1dc017ec19edc40bdc08279120c1ccc087793658a15459900c770a39

Download Submit
memory/2776-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3476-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3476-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads