d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5

General

Target

d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe
Size

32KB
MD5

6cf18d70d862b7956662279d1c207ddb
SHA1

84b9cf4104d9af4090d93141c45a0a5605e56c4a
SHA256

d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5
SHA512

77f810650615f1aa10e70708d7bb3f8fa24290e4c99017e556edfe324b08b19b019550384de49482f4fe6f1df2ed0a13e37f7d3e502f1e8aab442ffbc40eb035
SSDEEP

768:tA+eZ9hQ7WcdcXa2jFkbb4vSCTxRGAa3d/GmyfPIJN:tA+sgzdcXa2j2YZ8E3k

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\PCIDump.sys	W1nHelp32.exe

Executes dropped EXE 1 IoCs

pid	Process
1284	W1nHelp32.exe

Deletes itself 1 IoCs

pid	Process
1488	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe
1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\W1nHelp32.exe	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe
File opened for modification	C:\Windows\SysWOW64\W1nHelp32.exe	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe
File created	C:\Windows\SysWOW64\W1nHelp32.exe	W1nHelp32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe
Token: SeIncBasePriorityPrivilege	1284	W1nHelp32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1284	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	28
PID 1348 wrote to memory of 1284	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	28
PID 1348 wrote to memory of 1284	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	28
PID 1348 wrote to memory of 1284	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	28
PID 1348 wrote to memory of 1488	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	29
PID 1348 wrote to memory of 1488	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	29
PID 1348 wrote to memory of 1488	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	29
PID 1348 wrote to memory of 1488	1348	d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe	29
PID 1284 wrote to memory of 1916	1284	W1nHelp32.exe	30
PID 1284 wrote to memory of 1916	1284	W1nHelp32.exe	30
PID 1284 wrote to memory of 1916	1284	W1nHelp32.exe	30
PID 1284 wrote to memory of 1916	1284	W1nHelp32.exe	30

C:\Users\Admin\AppData\Local\Temp\d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe
"C:\Users\Admin\AppData\Local\Temp\d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\SysWOW64\W1nHelp32.exe
  "C:\Windows\system32\W1nHelp32.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\W1NHEL~1.EXE > nul
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D6241A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\W1nHelp32.exe

Filesize
32KB

MD5
6cf18d70d862b7956662279d1c207ddb

SHA1
84b9cf4104d9af4090d93141c45a0a5605e56c4a

SHA256
d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5

SHA512
77f810650615f1aa10e70708d7bb3f8fa24290e4c99017e556edfe324b08b19b019550384de49482f4fe6f1df2ed0a13e37f7d3e502f1e8aab442ffbc40eb035

Download Submit
C:\Windows\SysWOW64\W1nHelp32.exe

Filesize
32KB

MD5
6cf18d70d862b7956662279d1c207ddb

SHA1
84b9cf4104d9af4090d93141c45a0a5605e56c4a

SHA256
d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5

SHA512
77f810650615f1aa10e70708d7bb3f8fa24290e4c99017e556edfe324b08b19b019550384de49482f4fe6f1df2ed0a13e37f7d3e502f1e8aab442ffbc40eb035

Download Submit
C:\Windows\SysWOW64\drivers\PCIDump.sys

Filesize
4KB

MD5
7434b98a847fdcb753d8db6341680db7

SHA1
859816f07486ae2ffdffd56f1ff77677bfd14f2b

SHA256
5947ff34e874e7e455cc441b017b11b63fc4fb315b311766fb83070ea7012259

SHA512
8d8de33e245eadabfb2d111aee51dbb0b64238cc82bc1cdd55a440f0f985466d2090a50c6363960bef09b41dd4bdf5888a2a99d37940211b092112ec5030ab53

Download Submit
\Windows\SysWOW64\W1nHelp32.exe

Filesize
32KB

MD5
6cf18d70d862b7956662279d1c207ddb

SHA1
84b9cf4104d9af4090d93141c45a0a5605e56c4a

SHA256
d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5

SHA512
77f810650615f1aa10e70708d7bb3f8fa24290e4c99017e556edfe324b08b19b019550384de49482f4fe6f1df2ed0a13e37f7d3e502f1e8aab442ffbc40eb035

Download Submit
\Windows\SysWOW64\W1nHelp32.exe

Filesize
32KB

MD5
6cf18d70d862b7956662279d1c207ddb

SHA1
84b9cf4104d9af4090d93141c45a0a5605e56c4a

SHA256
d6241a963f881115579c7b791625c4246d39c0d3791f2eeeb12cb032165b8ac5

SHA512
77f810650615f1aa10e70708d7bb3f8fa24290e4c99017e556edfe324b08b19b019550384de49482f4fe6f1df2ed0a13e37f7d3e502f1e8aab442ffbc40eb035

Download Submit
memory/1348-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing