Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/01/2024, 01:48

General

  • Target

    ezhelpsetup.exe

  • Size

    9.6MB

  • MD5

    ae8c9e21fbd3596440e993f15d93309a

  • SHA1

    65939be0a8d7683e3f7a1cb82ade1dd6c93e4666

  • SHA256

    e8af8bbf0e4f6bfbf3f6cc0a86b533dbe23be7e286b37c6c90ca293331d08de8

  • SHA512

    548e0f106305b2beb4558765852122ef02a3564ff95f3d813969c2fa4c1353bd6bab421536cccb36470e35e112e96e7812f3a80c2530e4deaf8c51e4c063e30b

  • SSDEEP

    196608:4g/VhdnBdl9MytypjpMwdyMLbzs9ubeI63ClNPs9xJF:4gRdQjKwdW9m63mNsz

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (14 IoCs)
  • UPX packed file (12 IoCs)

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings (1 TTP, 3 IoCs)
  • Modifies system certificate store (2 TTPs, 4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

  Reading these: each entry is a behavioural heuristic, and several are what any installer does. The is-044JC.tmp\ezhelpsetup.tmp stub launched with /SL5= in the process tree below is the Inno Setup loader, which accounts for the dropped EXE and DLL loads and the writes under Program Files. The entries that deserve a second look are the certificate-store and Internet Explorer settings changes made by the "elevation" instance of ezHelpManager.exe (PID 2468): a certificate added to a machine-wide store can change trust decisions for every process on the host, so check which store and which certificate thumbprint was written before drawing a conclusion from the score.

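The "UPX packed file" signature above is a static check on the PE section table. The following is an added example of that check (not code from the sandbox vendor or from the ezHelp product): it parses only as far as the section headers and flags the section names UPX leaves behind. The name list, the minimal header builder used as sample input, and the PE32 optional-header size it assumes are the example's own choices; a UPX build with renamed sections evades this, which is why the signature text says "UPX/modified UPX".

```python
"""Flag UPX-style packing from PE section names.

Added example, not part of the sandbox report: reads just enough of a PE
header to reach the section table and reports section names that stock UPX
builds use. A build with renamed sections evades the check, so treat a hit as
a hint, not proof.
"""
import struct

# Section names written by stock UPX builds (assumed list for this example).
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".UPX0", ".UPX1", ".UPX2"}


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image held in memory.

    Raises ValueError if the buffer is not a well-formed PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    coff = e_lfanew + 4
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw = data[off:off + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if any section carries a name from UPX_SECTION_NAMES."""
    return any(n in UPX_SECTION_NAMES for n in pe_section_names(data))


def build_minimal_pe(section_names: list[str]) -> bytes:
    """Constructed test input: a header-only PE32 with the given sections.

    Not a runnable executable; just enough bytes for pe_section_names() to parse.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    for names in (["UPX0", "UPX1", ".rsrc"], [".text", ".rdata", ".data"]):
        blob = build_minimal_pe(names)
        verdict = "UPX-like" if looks_upx_packed(blob) else "no UPX section names"
        print(names, "->", verdict)
```

To run it against a real dropped file, pass `open(path, "rb").read()` to `looks_upx_packed`; the parser raises rather than guessing on a truncated or non-PE buffer, which is the behaviour you want when feeding it a directory of sandbox artifacts.
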
Processes

  • C:\Users\Admin\AppData\Local\Temp\ezhelpsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\ezhelpsetup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\is-044JC.tmp\ezhelpsetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-044JC.tmp\ezhelpsetup.tmp" /SL5="$70124,9752993,56832,C:\Users\Admin\AppData\Local\Temp\ezhelpsetup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe
        "C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe
          "C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe" elevation
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2468
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
    1⤵
      PID:1204
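
The tree attributes the certificate-store and Internet Explorer settings changes to the elevated ezHelpManager.exe instance (PID 2468). The following added example (not the sandbox vendor's code) shows how the same two registry-side signatures are expressed as detection logic over Sysmon-style Event ID 13 (RegistryEvent, value set) records and grouped per process, the way this report groups them. The event records, the thumbprint and the SID are constructed for the demo; only the image paths and PIDs mirror the tree above. One caveat the sandbox hides: Sysmon logs registry writes, not reads, so the "Checks installed software" signature (reads of Uninstall keys) is not reproducible from this telemetry, only from API-level monitoring.

```python
"""Replay the report's registry-side signatures against Sysmon-style events.

Added example, not code from the sandbox vendor. Applies two checks, "Modifies
system certificate store" and "Modifies Internet Explorer settings", to
constructed records shaped like Sysmon Event ID 13 and groups hits per process.
"""
import re
from collections import defaultdict

# Sysmon TargetObject prefixes vary (HKLM, HKU\<SID>, HKCU), so anchor on the tail.
CERT_STORE_BLOB = re.compile(
    r"\\SystemCertificates\\(ROOT|CA|AuthRoot|TrustedPublisher|Disallowed|My)"
    r"\\Certificates\\([0-9A-Fa-f]{40})\\Blob$",
    re.IGNORECASE,
)
IE_SETTINGS = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\",
    re.IGNORECASE,
)

# Constructed sample events (not from the report). The thumbprint and SID are
# made up; image paths and PIDs follow the process tree above.
EVENTS = [
    {"EventID": 13, "ProcessId": 2468,
     "Image": r"C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
                     r"\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
    {"EventID": 13, "ProcessId": 2468,
     "Image": r"C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\ZoneMap\ProxyBypass"},
    # Installer registering its own Uninstall entry: a write, and not what the
    # "Checks installed software" signature keys on (that is a read).
    {"EventID": 13, "ProcessId": 2652,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\is-044JC.tmp\ezhelpsetup.tmp",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezHelp_is1\DisplayName"},
    {"EventID": 13, "ProcessId": 1204,
     "Image": r"C:\Windows\SysWOW64\DllHost.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache"},
]


def classify(event):
    """Return the signature name an event matches, or None."""
    if event.get("EventID") != 13:
        return None  # only value-set events carry the value path we key on
    target = event["TargetObject"]
    m = CERT_STORE_BLOB.search(target)
    if m:
        store, thumbprint = m.group(1).upper(), m.group(2).upper()
        return f"Modifies system certificate store ({store} store, thumbprint {thumbprint})"
    if IE_SETTINGS.search(target):
        return "Modifies Internet Explorer settings"
    return None


def hits_by_process(events):
    """Group matched signatures by (pid, image), as the report's tree does."""
    hits = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            hits[(ev["ProcessId"], ev["Image"])].append(label)
    return dict(hits)


if __name__ == "__main__":
    for (pid, image), labels in hits_by_process(EVENTS).items():
        print(f"PID {pid} {image}")
        for label in labels:
            print(f"  - {label}")
```

The certificate rule deliberately captures the store name and thumbprint instead of returning a bare boolean: whether a write to the ROOT store or to My (the personal store) was made changes the severity, and the thumbprint is the pivot you need to find the same certificate on other hosts.
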

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Program Files (x86)\ezHelp\viewer\MSVCR100.dll

            Filesize

            232KB

            MD5

            bf30eb19f5aad99d6e972228c1e5d341

            SHA1

            35df64365185a9c197b6e9a097090c1629a2610d

            SHA256

            d829e437f1a7c0c69e6ab3cc95e36b9561cb5af5db34830728529571825b36b3

            SHA512

            d164a9cef69e8a73427d91da06868983259461eb63aefc088e6d8003be1480e17adf9cd6dafad529c5c528d614cbd0a8cdee4caa1a767aa77543069d6bc01d2b

          • C:\Program Files (x86)\ezHelp\viewer\ezHelpChat.bin

            Filesize

            329KB

            MD5

            2861966b349c12e7af5ad746ca6731ab

            SHA1

            920c33c3360a3c4808c62cd2b4814935171af78a

            SHA256

            1b87411395d45e8b075e1054c48264f21b044b216fb2fc65911d0673450cd7b8

            SHA512

            b1a9dceb237b8ef3b0fa6ea21b862a5d50147c996d7b39af61b995685a72dfe1c6b9f9072bd0e45c726f435daead57edd5cac4acd284eefb1450bd25824ff820

          • C:\Program Files (x86)\ezHelp\viewer\ezHelpDownloader.exe

            Filesize

            170KB

            MD5

            96ebac8441652f401b0a4eb56c2d54b5

            SHA1

            b3b6344d763cc6bec01e19d4d58cdaaebd974d3d

            SHA256

            cd9d08433f2f61da239b6c24a9c25772df4471dadcfce22137ce76a382802dca

            SHA512

            f5ccecb290e031c6a17d58bdec1b28f2dbc13b5b8f891729edf021ce73b2d62d3f17012d2649249eb747dc9083545460c4be33437cf346e1a89e7974a9234f99

          • C:\Program Files (x86)\ezHelp\viewer\ezHelpManager.exe

            Filesize

            268KB

            MD5

            3514b3945cc874a639f0382cefb092e7

            SHA1

            23d98039e0ab39e5a94b2858126380f7419c32ec

            SHA256

            fdee00af078a5b67f9bdec5faf8021285b6ff39091ade435b73157fb51cc4a91

            SHA512

            95b7e00d217e918e9ff3f83fb2431fb191c24033acecd70c7ac19084603c46023fd711a4b8a3c2f5d1453ee7b83d840cc60e07565c0ca64206a21088db9fc056

          • C:\Program Files (x86)\ezHelp\viewer\libcurl.dll

            Filesize

            641KB

            MD5

            2021be8c79cb888bc2e61a53119d2c2d

            SHA1

            3f1964fab771fb2a2c90c7d6a8abb4fee4ec2b7c

            SHA256

            bee5878788be9455b3bba5763ddc5ccc32d11498df8cb1d4f6069a3bae4dee0a

            SHA512

            1ed8ec505a70f2f1a23d120cdbbbb1c53cd17205a36545e7ebd00900f03da1245acb5b08a046348820781b0647d9e8ad40da3c9e36c1997a71a4cfc0a9b7edb4

          • C:\Program Files (x86)\ezHelp\viewer\version.ini

            Filesize

            25B

            MD5

            3e17776260ca18f023e567a302f82a09

            SHA1

            34a0a01e264bd8ce6efb6b461433e0402c41022c

            SHA256

            4270bbacebb2a1941449c3cafc1d592ea41fad4234de91f5a2218086360e1671

            SHA512

            5039fe42e18d169e84365635306e3033da7e2e1f0adf8e06b1eb8fe79e25e87cf80794bcc98c05801770041671bf1f77f824eecd1a704a7a6f26647e874821b0

          • C:\Users\Admin\AppData\Local\Temp\CabC4E7.tmp

            Filesize

            65KB

            MD5

            ac05d27423a85adc1622c714f2cb6184

            SHA1

            b0fe2b1abddb97837ea0195be70ab2ff14d43198

            SHA256

            c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

            SHA512

            6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

          • C:\Users\Admin\AppData\Local\Temp\TarCC0B.tmp

            Filesize

            171KB

            MD5

            9c0c641c06238516f27941aa1166d427

            SHA1

            64cd549fb8cf014fcd9312aa7a5b023847b6c977

            SHA256

            4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

            SHA512

            936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

          • \Program Files (x86)\ezHelp\viewer\ezHelpDownloader.exe

            Filesize

            184KB

            MD5

            b64872d1dcf53dd6ce919cb860ecd06b

            SHA1

            7a58a05ec838a1bd728cdd6b35b4243b4a13bb4f

            SHA256

            f89c21e654add84671dc64b32af7a80fa1eaf837606f08c4ae1b8b3c9fa26fc2

            SHA512

            e1a50557b80a08221055b0da4fd7bdab673d1f3fc4055ae02821614fa72173a549a1af26a242fc2f621585e53d83e8906277d9e0a6b2e467d54fc91b004215d5

          • \Program Files (x86)\ezHelp\viewer\ezHelpDownloader.exe

            Filesize

            167KB

            MD5

            57b6868ab981651ca0fc1e87405363db

            SHA1

            7f3e1a140309fcfca7117d0de438e85897f17103

            SHA256

            70554f58a82c0d08d4b546007d91fb48795f5d4d7752d435940b10a4f7967c85

            SHA512

            f967c15bb1b6ba82845066c86d4cde83aebc18d9be26351babe718ced39c5de458aeaa44228ad2773213cf95ef2a996df05435f2371642f0d9d545e8bb273af2

          • \Program Files (x86)\ezHelp\viewer\ezHelpManager.exe

            Filesize

            307KB

            MD5

            f8f75baf9d2dbcfdc457f6029c43a4fc

            SHA1

            98a0da5fb5e421673d802ed88ff49f55f92360b1

            SHA256

            f634ea118014817e1e6ea6dddf57337f2502ce84bf23e4d46f7da4a39797ac21

            SHA512

            775449e24a7dce73175b2bbf2476bb6e0b88d3566bbb16a03fa687eecc791219e8e879ecd601917c6414ab28aeecd32436a92ce6011418ceeb0a1f9939ca9a1a

          • \Program Files (x86)\ezHelp\viewer\ezHelpManager.exe

            Filesize

            540KB

            MD5

            2c02c021b0355f426e9cb4c67c25551b

            SHA1

            4fa31b064cf34b79c00558d54b0a2f674a56364a

            SHA256

            a3be47ef7363d2d347e821a36ccf1b65a12fbbb5bb5198b7fc7c8fcf728f4343

            SHA512

            68b9ded6448ba00200bd687ab5ae1973907df047c8ada8dfa5a010964751e8cbefe27c02eaeaf6d431bd211dfbd61e696530a517cdfebec8d671f4ffa0c429a7

          • \Program Files (x86)\ezHelp\viewer\libcurl.dll

            Filesize

            421KB

            MD5

            197d026c9f4d81f028f006708b611327

            SHA1

            5c322f8013f469435540331f20320b82f2373546

            SHA256

            03e43433bc021e9aac8f7593b7332158185d65d108d07c6461c1c0165b415990

            SHA512

            efe1946b3b55c83f50ce40b173f2800f7a7f0ccf50c5435229fe5d5f089e3a2f036b8ae45af8af0294cb2b0a4249ed67b981d8f855093beb490650139a687caf

          • \Program Files (x86)\ezHelp\viewer\libcurl.dll

            Filesize

            250KB

            MD5

            99833c16537d0fae109f34531fd7757c

            SHA1

            62b05a85ea89b599c302163c97669818e7ef26b9

            SHA256

            2c4881699d918291ebb27e3afa03a6e42d5a3b9078cb200e0f4f2580ef315257

            SHA512

            786537f96d6e55cad9db0bcfb4f4819811f4fc919219a8d4da3afbd504f347b7e66943ec9ca0df55fa17fa4ad16c6f81f850c273d3d9a21e9fe73474917852b1

          • \Program Files (x86)\ezHelp\viewer\msvcr100.dll

            Filesize

            400KB

            MD5

            d963f85d2760e05d9fd992271f8b53a4

            SHA1

            640788f3594f4cc52316e7c6ac07ea496f80bd13

            SHA256

            df3a5c45a45675755e923eed30c8ca2d079ed7c2c67ba49306b1ae1f1e4c2b06

            SHA512

            e281e3981a4ee7a0db1bae64583c22f8ee6e3ba9079494cf60b0d0d60920b0bc03f413d1d35fe014c0924f5ca3b5c36add1935f4436e9bb4e438ead016d6c65a

          • \Program Files (x86)\ezHelp\viewer\msvcr100.dll

            Filesize

            280KB

            MD5

            36090ba5f0a6e7a9a29c4dc4ff21da9a

            SHA1

            7461089e7f22be07419ba330e87fe167cf837a4c

            SHA256

            06cbd4b8658b0397793109095a408da297da7e94d81f9024ca9038782b623155

            SHA512

            092140815d4933acac1ce398e9cc57247d63719ac2b485e5b090fcca4b1468570da7bad6fc3700b8175590f86521d4b21a875f8c08e280c0e42dbbd547a7ac76

          • \Users\Admin\AppData\Local\Temp\is-044JC.tmp\ezhelpsetup.tmp

            Filesize

            698KB

            MD5

            0a6e91851751531a19c52547db3ddf20

            SHA1

            8e7341651d865542cca22012ce0fb102ff932a6b

            SHA256

            94235d9138d0d15a34fc1b7bdb8ce24802030da2e94441983198038a57326490

            SHA512

            bfed615ac4d5c7d7945d3989a02a2e3c3aff94f669a58923c6aa4bdc3238ed4e9eae3f53234a8340c12fcf771a174c5a57d3b2c29a034807bea1c34cc34c3c28

          • \Users\Admin\AppData\Local\Temp\is-S192D.tmp\_isetup\_shfoldr.dll

            Filesize

            22KB

            MD5

            92dc6ef532fbb4a5c3201469a5b5eb63

            SHA1

            3e89ff837147c16b4e41c30d6c796374e0b8e62c

            SHA256

            9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

            SHA512

            9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

          • memory/688-99-0x0000000000820000-0x000000000091B000-memory.dmp

            Filesize

            1004KB

          • memory/688-106-0x0000000000820000-0x000000000091B000-memory.dmp

            Filesize

            1004KB

          • memory/688-107-0x0000000002900000-0x00000000029FB000-memory.dmp

            Filesize

            1004KB

          • memory/1636-98-0x0000000000400000-0x0000000000414000-memory.dmp

            Filesize

            80KB

          • memory/1636-15-0x0000000000400000-0x0000000000414000-memory.dmp

            Filesize

            80KB

          • memory/1636-0-0x0000000000400000-0x0000000000414000-memory.dmp

            Filesize

            80KB

          • memory/1636-2-0x0000000000400000-0x0000000000414000-memory.dmp

            Filesize

            80KB

          • memory/2468-111-0x0000000000820000-0x000000000091B000-memory.dmp

            Filesize

            1004KB

          • memory/2468-146-0x00000000002B0000-0x00000000002B1000-memory.dmp

            Filesize

            4KB

          • memory/2468-142-0x0000000000330000-0x000000000038E000-memory.dmp

            Filesize

            376KB

          • memory/2468-141-0x0000000000330000-0x000000000038E000-memory.dmp

            Filesize

            376KB

          • memory/2468-195-0x0000000000330000-0x000000000038E000-memory.dmp

            Filesize

            376KB

          • memory/2468-194-0x0000000000330000-0x000000000038E000-memory.dmp

            Filesize

            376KB

          • memory/2468-193-0x0000000000820000-0x000000000091B000-memory.dmp

            Filesize

            1004KB

          • memory/2468-191-0x0000000000820000-0x000000000091B000-memory.dmp

            Filesize

            1004KB

          • memory/2652-75-0x0000000003CD0000-0x0000000003CE0000-memory.dmp

            Filesize

            64KB

          • memory/2652-16-0x0000000000400000-0x00000000004BC000-memory.dmp

            Filesize

            752KB

          • memory/2652-8-0x00000000002C0000-0x00000000002C1000-memory.dmp

            Filesize

            4KB

          • memory/2652-97-0x0000000003DB0000-0x0000000003EAB000-memory.dmp

            Filesize

            1004KB

          • memory/2652-192-0x0000000003DB0000-0x0000000003EAB000-memory.dmp

            Filesize

            1004KB

          • memory/2652-84-0x0000000003CD0000-0x0000000003CE0000-memory.dmp

            Filesize

            64KB

          • memory/2652-96-0x0000000000400000-0x00000000004BC000-memory.dmp

            Filesize

            752KB

          • memory/2652-91-0x00000000002C0000-0x00000000002C1000-memory.dmp

            Filesize

            4KB