Analysis Overview
SHA256
dcf0d360bfad9fa995ba28199b789d7c46422cd44672d519cc6ca66d6fa9d827
Threat Level: Shows suspicious behavior
The file 8acba11035b2d9ab3622b6dc5702327d (SHA256 above) was classified as showing suspicious behavior.
Malicious Activity Summary
Installs/modifies Browser Helper Object
Drops file in Windows directory
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-02 23:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-02 23:23
Reported
2024-02-02 23:26
Platform
win7-20231215-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\BROWSER HELPER OBJECTS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\BROWSER HELPER OBJECTS\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\he1p | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49} | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\se\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\se | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\se\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\" \"-desknav\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Software\Classes\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\open | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Software | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\se\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\se | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.IE\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\http | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\http\shell\ = "se" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\se\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\" \"-desknav\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.IE | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\ = "se" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe
"C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe"
Network
Files
memory/760-0-0x0000000000400000-0x0000000000546000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-02 23:23
Reported
2024-02-02 23:26
Platform
win10v2004-20231222-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\he1p | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{2670000A-7350-4F3C-8081-5663EE0C6C49} | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell\se\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell\se | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell\se\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\" \"-desknav\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Software | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\http\shell\ = "se" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\se\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\se\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\" \"-desknav\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.IE | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Software\Classes\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\http | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell\open\command | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell\open | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell\ = "se" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\se | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.IE\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\http\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\"" | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
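What the "Modifies registry class" rows of behavioral1 and behavioral2 add up to: the sample registers `C:\Users\Admin\AppData\Local\Temp\MiniIE.exe` as the handler for `http:` URLs, writing the same `http\shell\open\command` and `http\shell\se\command` values under both `HKLM\SOFTWARE\Classes` and the user's `HKU\<SID>_Classes` hive (the per-user hive wins when HKCR is merged), and sets the default value of `http\shell` to `se`, so a plain ShellExecute on an http URL runs `MiniIE.exe "%1" "-desknav"` rather than the system browser. The rows whose path contains `SOFTWARE\Classes\SOFTWARE\Classes` create a literal subtree by that name, which the shell does not consult for ProgID lookup; the `Microsoft.IE` class default is pointed at the same executable. The "Drops file in Windows directory" rows in both runs create `C:\WINDOWS\he1p`, with the digit 1 in place of the letter l, next to the legitimate `C:\Windows\Help`. The script below is an added example, not part of the report, that runs a small rule set over event rows copied from the tables above and flags these patterns; the rule names, the choice of rows, the `KNOWN_WINDOWS_DIRS` list and the digit-for-letter substitution table are assumptions of the example.

```python
"""Triage sandbox registry/file events for a URL protocol handler hijack.

Added example, not part of the sandbox report. EVENTS is a subset of the
report's rows (HKLM rows, one HKU duplicate, and the file drop); the rule
names and the look-alike directory list are assumptions of this example.
"""
import re

# (description, indicator) pairs exactly as the sandbox prints them.
EVENTS = [
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\BROWSER HELPER OBJECTS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"),
    ("File created", r"C:\WINDOWS\he1p"),
    ("Key deleted", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{2670000A-7350-4F3C-8081-5663EE0C6C49}"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\se\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\" \"-desknav\""'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe\" \"%1\""'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.IE\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MiniIE.exe"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Classes\http\shell\ = "se"'),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\http\shell\ = "se"'),
]

# Hive prefixes that both feed the merged HKCR view.
HIVE_RE = re.compile(r"^\\REGISTRY\\(MACHINE\\SOFTWARE\\Classes|USER\\S-[\d-]+_CLASSES)\\", re.I)
# <proto>\shell\<verb>\command and the <proto>\shell default value (default verb).
HANDLER_RE = re.compile(r"\\(https?|ftp|mailto)\\shell\\([^\\]+)\\command\\?$", re.I)
DEFAULT_VERB_RE = re.compile(r"\\(https?|ftp|mailto)\\shell\\?$", re.I)
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9A-F-]+\})$", re.I)
IEEXT_RE = re.compile(r"\\Internet Explorer\\Extensions\\(\{[0-9A-F-]+\})$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# Digits commonly swapped for look-alike letters in dropped names (assumption).
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "5": "s"})
KNOWN_WINDOWS_DIRS = {"help", "fonts", "logs", "boot", "temp", "tasks", "installer"}


def decode_value(raw):
    """Undo the sandbox's C-style quoting of string values (outer quotes, escaped quotes and backslashes)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r'\\(["\\])', r"\1", raw)


def command_exe(cmd):
    """First token of a command line, with surrounding quotes removed."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def class_path(path):
    """Strip the hive prefix so per-machine and per-user rows compare equal."""
    return HIVE_RE.sub("", path)


def lookalike_dir(path):
    """Return the Windows directory a dropped name imitates (he1p -> help), else None."""
    head, _, name = path.rpartition("\\")
    if head.lower() != r"c:\windows":
        return None
    canon = name.lower().translate(LOOKALIKE)
    return canon if canon != name.lower() and canon in KNOWN_WINDOWS_DIRS else None


def triage(events):
    """Return de-duplicated (rule, detail) findings in event order."""
    findings = []

    def add(kind, detail):
        if (kind, detail) not in findings:
            findings.append((kind, detail))

    for desc, indicator in events:
        if desc.startswith("Set value"):
            path, _, raw = indicator.partition(" = ")
            value = decode_value(raw)
            m = HANDLER_RE.search(path)
            if m:
                exe = command_exe(value)
                if TEMP_RE.search(exe):  # handler lives in the user's Temp directory
                    add("url_handler_hijack", f"{m.group(1).lower()}:{m.group(2)} -> {exe}")
                continue
            m = DEFAULT_VERB_RE.search(path)
            if m:
                if value.lower() != "open":  # clicking a link now runs this verb
                    add("nonstandard_default_verb", f"{m.group(1).lower()} default verb = {value}")
                continue
            if TEMP_RE.search(value):
                add("class_points_to_temp_exe", f"{class_path(path)} -> {command_exe(value)}")
        elif desc == "Key deleted":
            m = BHO_RE.search(indicator)
            if m:
                add("bho_removed", m.group(1))
            m = IEEXT_RE.search(indicator)
            if m:
                add("ie_extension_removed", m.group(1))
        elif desc == "File created":
            canon = lookalike_dir(indicator)
            if canon:
                add("lookalike_windows_dir", f"{indicator} (resembles {canon})")
    return findings


if __name__ == "__main__":
    for kind, detail in triage(EVENTS):
        print(f"{kind:26} {detail}")
```

On a live host the same checks translate to reading `HKCR\http\shell` (default value) and `HKCR\http\shell\<verb>\command` and comparing the executable against the system browser registration; anything resolving under `%LOCALAPPDATA%\Temp` is a finding regardless of the verb name.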
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe
"C:\Users\Admin\AppData\Local\Temp\8acba11035b2d9ab3622b6dc5702327d.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3760 -ip 3760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 1248
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ad.zzinfor.cn | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
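The Network table above contains DNS queries only, all to 8.8.8.8:53 over UDP. Twelve of them are reverse (PTR) lookups, whose names list the IPv4 octets in reverse order, so `200.197.79.204.in-addr.arpa` asks about 204.79.197.200; the one forward lookup is `ad.zzinfor.cn`. A sandbox attributes every query seen in the VM to the run, so PTR lookups without an accompanying connection are low-confidence indicators until tied to something the sample actually did, whereas the forward query is the one to pivot on. The following is an added example, not part of the report, that decodes the table's rows back into the addresses and names being asked about; the rows are copied from the table, and the IPv6 (`ip6.arpa`) branch and the `is_global` check generalize beyond what this table contains.

```python
"""Decode the DNS rows of a sandbox Network table into forward and reverse lookups.

Added example, not part of the sandbox report. DNS_ROWS is copied from the
behavioral2 Network table; the ip6.arpa branch generalizes beyond it.
"""
import ipaddress

# (destination, queried name, protocol) as the report lists them.
DNS_ROWS = [
    ("8.8.8.8:53", "200.197.79.204.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "ad.zzinfor.cn", "udp"),
    ("8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "193.178.17.96.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "17.160.190.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "183.59.114.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "217.135.221.88.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "201.178.17.96.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "12.173.189.20.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Map a reverse-lookup name to the address it asks about; None for a forward name.

    in-addr.arpa carries the four IPv4 octets least-significant first;
    ip6.arpa carries the 32 hex nibbles of the IPv6 address in reverse order.
    """
    n = name.rstrip(".").lower()
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        # exactly four decimal octets, no leading zeros, each 0..255
        if len(octets) == 4 and all(o.isdigit() and o == str(int(o)) and int(o) <= 255 for o in octets):
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    elif n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) == 32 and all(len(x) == 1 and x in "0123456789abcdef" for x in nibbles):
            return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def summarize(rows):
    """Split rows into forward names, the addresses behind PTR queries, and the resolvers used."""
    forward, reverse, resolvers = [], [], set()
    for dest, name, proto in rows:
        resolvers.add((dest, proto))
        ip = ptr_to_ip(name)
        if ip is None:
            if name not in forward:
                forward.append(name)
        elif ip not in reverse:
            reverse.append(ip)
    # PTR queries for private/reserved space usually point at the sandbox's own network, not the sample's.
    non_global = [ip for ip in reverse if not ipaddress.ip_address(ip).is_global]
    return {"resolvers": sorted(resolvers), "forward": forward, "reverse": reverse, "non_global": non_global}


if __name__ == "__main__":
    result = summarize(DNS_ROWS)
    print("resolvers:", result["resolvers"])
    print("forward  :", result["forward"])
    print("reverse  :", result["reverse"])
    print("non-global reverse targets:", result["non_global"])
```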
Files
memory/3760-0-0x0000000000400000-0x0000000000546000-memory.dmp