11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

General

Target

11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe
Size

29KB
MD5

7cf60409e7500ebf687a8834f9adb465
SHA1

9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9
SHA256

11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2
SHA512

138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff
SSDEEP

768:f09zbo9NRL6sA00H3lhVRut/bJFXk3mSoK:fEbof8nNHlRMbJFXk3mSoK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1560	WinHelp32.exe
1116	WinHelp32.exe

Deletes itself 1 IoCs

pid	Process
1916	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 1324	1116	WinHelp32.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\WinHelp32.exe	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe
File opened for modification	C:\Program Files\Internet Explorer\WinHelp32.exe	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 284 wrote to memory of 1560	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	27
PID 284 wrote to memory of 1560	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	27
PID 284 wrote to memory of 1560	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	27
PID 284 wrote to memory of 1560	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	27
PID 284 wrote to memory of 1916	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	28
PID 284 wrote to memory of 1916	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	28
PID 284 wrote to memory of 1916	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	28
PID 284 wrote to memory of 1916	284	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	28
PID 1116 wrote to memory of 1324	1116	WinHelp32.exe	30
PID 1116 wrote to memory of 1324	1116	WinHelp32.exe	30
PID 1116 wrote to memory of 1324	1116	WinHelp32.exe	30
PID 1116 wrote to memory of 1324	1116	WinHelp32.exe	30
PID 1116 wrote to memory of 1324	1116	WinHelp32.exe	30
PID 1116 wrote to memory of 1324	1116	WinHelp32.exe	30

C:\Users\Admin\AppData\Local\Temp\11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe
"C:\Users\Admin\AppData\Local\Temp\11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:284
- C:\Program Files\Internet Explorer\WinHelp32.exe
  "C:\Program Files\Internet Explorer\WinHelp32.exe"
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11186D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1916

C:\Program Files\Internet Explorer\WinHelp32.exe
"C:\Program Files\Internet Explorer\WinHelp32.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\WinHelp32.exe

Filesize
29KB

MD5
7cf60409e7500ebf687a8834f9adb465

SHA1
9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9

SHA256
11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

SHA512
138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff

Download Submit
C:\Program Files\Internet Explorer\WinHelp32.exe

Filesize
29KB

MD5
7cf60409e7500ebf687a8834f9adb465

SHA1
9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9

SHA256
11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

SHA512
138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff

Download Submit
C:\Program Files\Internet Explorer\WinHelp32.exe

Filesize
29KB

MD5
7cf60409e7500ebf687a8834f9adb465

SHA1
9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9

SHA256
11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

SHA512
138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff

Download Submit
\Program Files\Internet Explorer\WinHelp32.exe

Filesize
29KB

MD5
7cf60409e7500ebf687a8834f9adb465

SHA1
9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9

SHA256
11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

SHA512
138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff

Download Submit
memory/284-55-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/284-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1116-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1116-63-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1324-65-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1324-67-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing