efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1

Analysis

max time kernel
149s
max time network
196s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
Size

10.1MB
MD5

a65903fca5089fb8959cd9ea6c96da3b
SHA1

0937bbe1199fdca67cad8836e0b3b109aead8fb6
SHA256

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1
SHA512

5522fed40404d9eebadf550daaa7461c49bd0f95e397cf4c6564d993306877259bd32c2ee1ee234a2e5210ee52bbc0aea8248c2f1556e77b321ebd93348f9dcd

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmpwinhlp.exe

pid process

1660 efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
1696 winhlp.exe

pid	process
1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
1696	winhlp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\winhlp.exe	upx
C:\Users\Admin\AppData\Roaming\winhlp.exe	upx
C:\Users\Admin\AppData\Roaming\winhlp.exe	upx

Loads dropped DLL 6 IoCs

Processes:

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exeefeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmpwinhlp.exe

pid	process
1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
1696	winhlp.exe
1696	winhlp.exe
1696	winhlp.exe
1696	winhlp.exe

Drops file in Windows directory 1 IoCs

Processes:

notepad.exe

description ioc process

File created C:\Windows\Tasks\winhlp.job notepad.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

winhlp.exedllhost.exe

pid process

1696 winhlp.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

dllhost.exe

pid process

1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe
1524 dllhost.exe

description	ioc	process
File created	C:\Windows\Tasks\winhlp.job	notepad.exe

pid	process
1696	winhlp.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe

pid	process
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe
1524	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exeefeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmpwinhlp.exedllhost.exe

description	pid	process	target process
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 1112 wrote to memory of 1660	1112	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	winhlp.exe
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	winhlp.exe
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	winhlp.exe
PID 1660 wrote to memory of 1696	1660	efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp	winhlp.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1696 wrote to memory of 1524	1696	winhlp.exe	dllhost.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1640	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1648	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1648	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1648	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1648	1524	dllhost.exe	cmd.exe
PID 1524 wrote to memory of 1648	1524	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe
"C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\is-T352E.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T352E.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp" /SL5="$40118,9529176,831488,C:\Users\Admin\AppData\Local\Temp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\winhlp.exe
"C:\Users\Admin\AppData\Roaming\winhlp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\system32\dllhost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
5⤵
PID:2044

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
PID:1944

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
5⤵
- Drops file in Windows directory
PID:1460

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-T352E.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
MD5
dd0edfde096c5acb72a52588d55a5617

SHA1
56ccbba8010cdbea9c5d195c5c5ad232a18f840b

SHA256
d4eb8f8f03146518a7d6c008f9c761270fb4b2e232bc339919a4b8c933873131

SHA512
fe410229548d7562343eb6170312d66bf98f59cc15084b008416f6fe6d38b44cbaef889de7608f9d8098c23bc46de7194783f275e6d2f80d9a1e94e166167363

Download Submit
C:\Users\Admin\AppData\Roaming\BORLNDMM.DLL
MD5
d329682a25bb2433bc05d170b8e3e9b0

SHA1
76e3a2004e5ba7f5126fac9922336f38e928d733

SHA256
b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

SHA512
432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

Download Submit
C:\Users\Admin\AppData\Roaming\CC32220MT.DLL
MD5
cfc08b3fd01b4e96517ee75a67a59e88

SHA1
d9cb08009aa04b316486a51a38a47d59a837cbc5

SHA256
4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

SHA512
26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

Download Submit
C:\Users\Admin\AppData\Roaming\MSIMG32.dll
MD5
f956f88f284182978001f09a49381155

SHA1
41555a08de90bb0acbddfd69f61eafc07b94b759

SHA256
a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d

SHA512
96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed

Download Submit
C:\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
C:\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
C:\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
\Users\Admin\AppData\Local\Temp\is-T352E.tmp\efeae42fa3e5f7e5b088384977e2cfc9296e26c53437c138c4e711a8815eaed1.tmp
MD5
dd0edfde096c5acb72a52588d55a5617

SHA1
56ccbba8010cdbea9c5d195c5c5ad232a18f840b

SHA256
d4eb8f8f03146518a7d6c008f9c761270fb4b2e232bc339919a4b8c933873131

SHA512
fe410229548d7562343eb6170312d66bf98f59cc15084b008416f6fe6d38b44cbaef889de7608f9d8098c23bc46de7194783f275e6d2f80d9a1e94e166167363

Download Submit
\Users\Admin\AppData\Roaming\MSIMG32.dll
MD5
f956f88f284182978001f09a49381155

SHA1
41555a08de90bb0acbddfd69f61eafc07b94b759

SHA256
a0c84cfe467ef4034df6fae0ed2d10bb7454715e8cd1bb8118da1e686f06454d

SHA512
96a57034ae7e005ace67b575b14f975461a71facd1c91be5d224df387955ef865219e6cf1972c2f391e2b8b8e518ce6db3cb3eff1567c1e1dee21fea74a129ed

Download Submit
\Users\Admin\AppData\Roaming\borlndmm.dll
MD5
d329682a25bb2433bc05d170b8e3e9b0

SHA1
76e3a2004e5ba7f5126fac9922336f38e928d733

SHA256
b3cc3f8b65b37a807843e07c3848eba3b86f6e2d0b67c6d7cb14e9660a881618

SHA512
432f454d32622b352badabe71546e522949a83dfefdcd12dcd6992d9e57d10d13de305dc67c8993d6e90c28cabdc9d6b20829c844efe8e175cb80f51bcd407d3

Download Submit
\Users\Admin\AppData\Roaming\cc32220mt.dll
MD5
cfc08b3fd01b4e96517ee75a67a59e88

SHA1
d9cb08009aa04b316486a51a38a47d59a837cbc5

SHA256
4c7ba4b43e9ef88ab0b0073d966a5923bf5d236aee0a436256fe225ffc31a5ba

SHA512
26bec56dc2748e1d88bba12c4adcd24beb48809bd6c3927155a38f0487d7ed2dcd63b783c84b8ea44e3f2e9ab8bebb1448ff3f7c5acab12e816a7a365890ecb5

Download Submit
\Users\Admin\AppData\Roaming\rtl220.bpl
MD5
654f94911b454928dc60e6640d511e2a

SHA1
be83ffc9fdacb4fd5ee5168454a83e341ea65d61

SHA256
0082c561f3d9a41c35aa99f15be51733aced230c8ffdc6658611b51f470f855f

SHA512
fddcc9bfbb677ac12ed1e3fb4105450f3e0f31f77b00bb4427f4729967b41fbc9ebd4f89cd1d4adfc89a8481039e54e9e9600f49045b13eb07bdd542f9ecf4b6

Download Submit
\Users\Admin\AppData\Roaming\winhlp.exe
MD5
4939d280485bdc0ac67b49012bdcec08

SHA1
fc7d1d37b82e126d999ac8a6c5c9343363925fe6

SHA256
30b6a34230e15d9941fd4d37fe392c3306c8ef4c1de59c5c87d80068514565df

SHA512
6a175d3f71d7430479b7e21b92db07f1758a9ea63a341375107bb002df4cbfe90031a04705b560a130ce02e9eae1b51c189d93a864b0f253cdfc03ae652b1868

Download Submit
memory/1112-53-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1112-60-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1460-85-0x0000000000000000-mapping.dmp

Download
memory/1460-86-0x0000000000080000-0x0000000000089000-memory.dmp

Filesize
36KB

Download
memory/1460-87-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/1524-74-0x0000000000000000-mapping.dmp

Download
memory/1524-76-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1524-77-0x0000000002060000-0x0000000002095000-memory.dmp

Filesize
212KB

Download
memory/1524-78-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/1660-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1660-57-0x0000000000000000-mapping.dmp

Download
memory/1696-63-0x0000000000000000-mapping.dmp

Download