Analysis

  • max time kernel
    119s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2024 05:11

General

  • Target

    d4423635ad41c429b7908098ff2cfc3784ffec2bfd64ca9ae45ce7e8ca3f396cN.exe

  • Size

    73KB

  • MD5

    659e67f12587172d9ada26935f25a0d0

  • SHA1

    1fe76da9b1b4faac3b10b6a66b9720fbd896d415

  • SHA256

    d4423635ad41c429b7908098ff2cfc3784ffec2bfd64ca9ae45ce7e8ca3f396c

  • SHA512

    71ad510d424476876ad01c83d2257a6f0b1e8eb8e93a9a1736a22207df866c3ee56c0f1a042958fbd1f96b01eb0c253e59982cb9aeb151b40f5d0747ab1381c7

  • SSDEEP

    1536:lAo0ej2d6rnJwwvlKlIUBP6vghzwYu7vih9GueIh9j2IoHAcBHUIFvSHbhhH/HQf:lAo1lOwvlKlXBP6vghzwYu7vih9GueI8

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4423635ad41c429b7908098ff2cfc3784ffec2bfd64ca9ae45ce7e8ca3f396cN.exe
    "C:\Users\Admin\AppData\Local\Temp\d4423635ad41c429b7908098ff2cfc3784ffec2bfd64ca9ae45ce7e8ca3f396cN.exe"
    PID:2156
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • C:\Windows\microsofthelp.exe (child process)
      "C:\Windows\microsofthelp.exe"
      PID:1532
      • Deletes itself
      • Executes dropped EXE
      • Drops file in Windows directory

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\microsofthelp.exe

    Filesize

    73KB

    MD5

    5c9851712303991bf6d0a9a28de71004

    SHA1

    dc41a8155b4a61ed49688096e21fa438a056b518

    SHA256

    4344078b7bda626f4e4f0320be5aa21d2bb84068dd1bc1351965a1d4dd694433

    SHA512

    77325dae6c4d59fa9e6ddd197f0489315e36755b193da072d6cc8fa52bf970fd809bdeaf714994bde3b48104e77209c354e25d81d8b036171ad5326fbaff9a9f

  • memory/1532-8-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/1532-10-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/2156-0-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB

  • memory/2156-6-0x0000000000400000-0x000000000040F000-memory.dmp

    Filesize

    60KB
