Analysis
- max time kernel: 119s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2024 01:28
Static task: static1
Behavioral task: behavioral1
- Sample: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe
- Resource: win10v2004-20241007-en
General
- Target: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe
- Size: 31KB
- MD5: f3292feda6c29202608e38bf2d1e619f
- SHA1: aace0d9937163aa5961fe84bab2c1eb04733d904
- SHA256: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8
- SHA512: 1588f6b8c5440332e89e5d8092c61f93a231b0ef1166a8b7741978ac09fbb86584e9a028da67a210f547f843ee6b40d316d0f7a2b08aebd0d3708da0536537b4
- SSDEEP: 768:DqPJtsA6C1VqahohtgVRNToV7TtRu8rM0wk7IErqyEOGNFbuSxhLIsv/hDhtMI2j:DqMA6C1VqaqhtgVRNToV7TtRu8rM0wk/
Malware Config
Signatures
- Deletes itself (1 IoC)
  Processes: microsofthelp.exe (PID 1708)
- Executes dropped EXE (1 IoC)
  Processes: microsofthelp.exe (PID 1708)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"
- Drops file in Windows directory (1 IoC)
  Process: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe
  File created: C:\Windows\microsofthelp.exe
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe, microsofthelp.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (microsofthelp.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe
  PID 4516 (07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe) wrote to memory of PID 1708 (microsofthelp.exe)
  PID 4516 (07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe) wrote to memory of PID 1708 (microsofthelp.exe)
  PID 4516 (07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe) wrote to memory of PID 1708 (microsofthelp.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\07e5c3065c9ad1448a0248cd87904fe66ebe9c914db413ae513e9c78e74bb3d8.exe"
   PID: 4516
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\microsofthelp.exe (child of PID 4516)
      Command line: "C:\Windows\microsofthelp.exe"
      PID: 1708
      - Deletes itself
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 31KB
- MD5: aea27e9532f395d52062e0d889ed1822
- SHA1: 5059ad4149ededf634d94cffc5e194138280e4e3
- SHA256: c1b4f3ae058af8c4502a8954544fed243a33480cd5dde69e4931bd9f8162dd3e
- SHA512: 467bf7c00efe09c5e3e0edcdf6b83c42eea825f86afda97b08c7dc13ab9e17a902e432528e2c2659c96098edc0a0e4766e9763d2e0b88ebef7b07b69662c8415