11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

Analysis

max time kernel
89s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe
Size

29KB
MD5

7cf60409e7500ebf687a8834f9adb465
SHA1

9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9
SHA256

11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2
SHA512

138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff
SSDEEP

768:f09zbo9NRL6sA00H3lhVRut/bJFXk3mSoK:fEbof8nNHlRMbJFXk3mSoK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1680	WinHelp32.exe
560	WinHelp32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 1828	560	WinHelp32.exe	91

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\WinHelp32.exe	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe
File opened for modification	C:\Program Files\Internet Explorer\WinHelp32.exe	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5056	1820	WerFault.exe	80
4896	1680	WerFault.exe	84
2732	1828	WerFault.exe	91

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1820	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1680	1820	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	84
PID 1820 wrote to memory of 1680	1820	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	84
PID 1820 wrote to memory of 1680	1820	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	84
PID 1820 wrote to memory of 4764	1820	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	85
PID 1820 wrote to memory of 4764	1820	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	85
PID 1820 wrote to memory of 4764	1820	11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe	85
PID 560 wrote to memory of 1828	560	WinHelp32.exe	91
PID 560 wrote to memory of 1828	560	WinHelp32.exe	91
PID 560 wrote to memory of 1828	560	WinHelp32.exe	91
PID 560 wrote to memory of 1828	560	WinHelp32.exe	91
PID 560 wrote to memory of 1828	560	WinHelp32.exe	91

C:\Users\Admin\AppData\Local\Temp\11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe
"C:\Users\Admin\AppData\Local\Temp\11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 384
  2⤵
  - Program crash
  PID:5056
- C:\Program Files\Internet Explorer\WinHelp32.exe
  "C:\Program Files\Internet Explorer\WinHelp32.exe"
  2⤵
  - Executes dropped EXE
  PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 408
    3⤵
    - Program crash
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11186D~1.EXE > nul
  2⤵
  PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1820 -ip 1820
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1680 -ip 1680
1⤵
PID:4940

C:\Program Files\Internet Explorer\WinHelp32.exe
"C:\Program Files\Internet Explorer\WinHelp32.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 12
    3⤵
    - Program crash
    PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1828 -ip 1828
1⤵
PID:792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\WinHelp32.exe

Filesize
29KB

MD5
7cf60409e7500ebf687a8834f9adb465

SHA1
9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9

SHA256
11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

SHA512
138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff

Download Submit
C:\Program Files\Internet Explorer\WinHelp32.exe

Filesize
29KB

MD5
7cf60409e7500ebf687a8834f9adb465

SHA1
9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9

SHA256
11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

SHA512
138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff

Download Submit
C:\Program Files\Internet Explorer\WinHelp32.exe

Filesize
29KB

MD5
7cf60409e7500ebf687a8834f9adb465

SHA1
9950d39b3e4bdf7ea862e4f92f9e8c9577fc00e9

SHA256
11186d4b765da5f84536cd0e5c5724d0783d10b8331d9bc4df43cc296ce1b3e2

SHA512
138a3c8a675aed4ae3173621f57c1c728dd20d16acdc09bcedb73fa384fbb940b47b84a13835595220dfaba92679c3a670553e566ee7a91d616e187a6a30b7ff

Download Submit
memory/560-139-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/560-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1820-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1820-137-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download