875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21/11/2022, 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe
Size

153KB
MD5

0a1c8999b2f20738db76ec16b4ebf935
SHA1

438a94d86dab97f14e4b69c4b412d8c144c56ef6
SHA256

875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb
SHA512

ebc55a29da502422ca4b4c4b75ffc9ecb6eedee49ab5591b26e43ab9de70970d3ac361bcce986ec062909285cd1f1562e9cf2cf33d40f27a8f96956f537d0b84
SSDEEP

3072:LJmz/ipFWKD0NK4oVOanCUOdF4GTu5u6y3bzcLf:ITqWMv40OyiFJSYdbQf

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000000b2d2-59.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-60.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-62.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-69.dat	aspack_v212_v242
behavioral1/files/0x000500000000b2d2-75.dat	aspack_v212_v242

Executes dropped EXE 2 IoCs

pid	Process
1812	winhlp.exe
1720	winhlp.exe

Deletes itself 1 IoCs

pid	Process
1720	winhlp.exe

Loads dropped DLL 2 IoCs

pid	Process
1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe
1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winhlp.exe	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe
File opened for modification	C:\Windows\SysWOW64\winhlp.exe	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe
File created	C:\Windows\SysWOW64\winhlp.txt	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe
File opened for modification	C:\Windows\SysWOW64\winhlp.txt	winhlp.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1488	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	winhlp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winhlp.exe

Runs net.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1316	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	27
PID 1768 wrote to memory of 1316	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	27
PID 1768 wrote to memory of 1316	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	27
PID 1768 wrote to memory of 1316	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	27
PID 1316 wrote to memory of 1196	1316	net.exe	29
PID 1316 wrote to memory of 1196	1316	net.exe	29
PID 1316 wrote to memory of 1196	1316	net.exe	29
PID 1316 wrote to memory of 1196	1316	net.exe	29
PID 1768 wrote to memory of 1812	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	30
PID 1768 wrote to memory of 1812	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	30
PID 1768 wrote to memory of 1812	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	30
PID 1768 wrote to memory of 1812	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	30
PID 1768 wrote to memory of 556	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	31
PID 1768 wrote to memory of 556	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	31
PID 1768 wrote to memory of 556	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	31
PID 1768 wrote to memory of 556	1768	875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe	31
PID 556 wrote to memory of 268	556	net.exe	33
PID 556 wrote to memory of 268	556	net.exe	33
PID 556 wrote to memory of 268	556	net.exe	33
PID 556 wrote to memory of 268	556	net.exe	33
PID 1720 wrote to memory of 1680	1720	winhlp.exe	35
PID 1720 wrote to memory of 1680	1720	winhlp.exe	35
PID 1720 wrote to memory of 1680	1720	winhlp.exe	35
PID 1720 wrote to memory of 1680	1720	winhlp.exe	35
PID 1680 wrote to memory of 1432	1680	net.exe	37
PID 1680 wrote to memory of 1432	1680	net.exe	37
PID 1680 wrote to memory of 1432	1680	net.exe	37
PID 1680 wrote to memory of 1432	1680	net.exe	37
PID 1720 wrote to memory of 1488	1720	winhlp.exe	38
PID 1720 wrote to memory of 1488	1720	winhlp.exe	38
PID 1720 wrote to memory of 1488	1720	winhlp.exe	38
PID 1720 wrote to memory of 1488	1720	winhlp.exe	38

C:\Users\Admin\AppData\Local\Temp\875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe
"C:\Users\Admin\AppData\Local\Temp\875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\net.exe
  net stop winhlp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop winhlp
    3⤵
    PID:1196
- C:\Windows\SysWOW64\winhlp.exe
  C:\Windows\system32\winhlp.exe install
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\SysWOW64\net.exe
  net start winhlp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start winhlp
    3⤵
    PID:268

C:\Windows\SysWOW64\winhlp.exe
"C:\Windows\SysWOW64\winhlp.exe" internal_start
1⤵
- Executes dropped EXE
- Deletes itself
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\net.exe
  net stop UI0Detect
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop UI0Detect
    3⤵
    PID:1432
- C:\Windows\SysWOW64\sc.exe
  sc config UI0Detect start= disabled
  2⤵
  - Launches sc.exe
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winhlp.exe

Filesize
153KB

MD5
0a1c8999b2f20738db76ec16b4ebf935

SHA1
438a94d86dab97f14e4b69c4b412d8c144c56ef6

SHA256
875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb

SHA512
ebc55a29da502422ca4b4c4b75ffc9ecb6eedee49ab5591b26e43ab9de70970d3ac361bcce986ec062909285cd1f1562e9cf2cf33d40f27a8f96956f537d0b84

Download Submit
C:\Windows\SysWOW64\winhlp.exe

Filesize
153KB

MD5
0a1c8999b2f20738db76ec16b4ebf935

SHA1
438a94d86dab97f14e4b69c4b412d8c144c56ef6

SHA256
875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb

SHA512
ebc55a29da502422ca4b4c4b75ffc9ecb6eedee49ab5591b26e43ab9de70970d3ac361bcce986ec062909285cd1f1562e9cf2cf33d40f27a8f96956f537d0b84

Download Submit
C:\Windows\SysWOW64\winhlp.exe

Filesize
153KB

MD5
0a1c8999b2f20738db76ec16b4ebf935

SHA1
438a94d86dab97f14e4b69c4b412d8c144c56ef6

SHA256
875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb

SHA512
ebc55a29da502422ca4b4c4b75ffc9ecb6eedee49ab5591b26e43ab9de70970d3ac361bcce986ec062909285cd1f1562e9cf2cf33d40f27a8f96956f537d0b84

Download Submit
C:\Windows\SysWOW64\winhlp.txt

Filesize
103B

MD5
5ad25d0195cd2fb9e81d6bb40949dacc

SHA1
c48e78702823d9c2e0036cfa14aa40435e3ab9fc

SHA256
26fb68c4f9b4e5541fac9e6cdb2739ebcf90f7c4a068125ebff55bb8ac263776

SHA512
ccc229c8b1da2b5bc009b492555a33cf7a4d0e3a79305d8afb4f0f1b2e2c4c5f7ef894b6058e975503873a9ef06e171c25d5f2a021462d645683ae4870efc8ef

Download Submit
\Windows\SysWOW64\winhlp.exe

Filesize
153KB

MD5
0a1c8999b2f20738db76ec16b4ebf935

SHA1
438a94d86dab97f14e4b69c4b412d8c144c56ef6

SHA256
875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb

SHA512
ebc55a29da502422ca4b4c4b75ffc9ecb6eedee49ab5591b26e43ab9de70970d3ac361bcce986ec062909285cd1f1562e9cf2cf33d40f27a8f96956f537d0b84

Download Submit
\Windows\SysWOW64\winhlp.exe

Filesize
153KB

MD5
0a1c8999b2f20738db76ec16b4ebf935

SHA1
438a94d86dab97f14e4b69c4b412d8c144c56ef6

SHA256
875c6f15ba2e611135c8beb204bdc9c6208bd1ccba18c5217abc55996419edbb

SHA512
ebc55a29da502422ca4b4c4b75ffc9ecb6eedee49ab5591b26e43ab9de70970d3ac361bcce986ec062909285cd1f1562e9cf2cf33d40f27a8f96956f537d0b84

Download Submit
memory/1720-78-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1720-70-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1720-72-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1720-71-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1768-56-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1768-54-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1768-73-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1768-74-0x0000000000270000-0x00000000002D4000-memory.dmp

Filesize
400KB

Download
memory/1768-55-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1768-81-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1812-66-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download