3a75ade070475b5ee6067c324434a7972455b938420ce0a2d1213bd2ad62bef8

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

downhelper.exe
Size

584KB
MD5

a31b1a5e7af0ce89acdf6cc00057a215
SHA1

49d2ecaf42e99ca3de1a9c9bd76ce267956c7153
SHA256

faf5ec17e7945ee2f56f62c439998c9399b6f6e385495f7ddeda46c1077634b3
SHA512

331d73a14515489a2c966cde8632febc2eb540060266a1251ba2b4c0091e0395c5c637f158ddfd11f50ee592882a960d1985fc58d95b8fdcf02e0404e55ade98
SSDEEP

12288:ZriXi5rRgZ/HAKqdasDofR5HCP5k4WKx1R3/:ZriXwvKSu5pCP519H

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 6 IoCs

pid	Process
3392	Regsvr32.exe
2572	Regsvr32.exe
2504	Regsvr32.exe
3376	downhelper.exe
3376	downhelper.exe
3376	downhelper.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	downhelper.exe
File opened for modification	C:\Windows\SysWOW64\TABCTL32.OCX	downhelper.exe
File opened for modification	C:\Windows\SysWOW64\SkinH_VB6.dll	downhelper.exe
File opened for modification	C:\Windows\SysWOW64\skinh.she	downhelper.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Required Categories	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Control	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\FLAGS\ = "2"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Programmable	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\InprocServer32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObjectFiles"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\CLSID\ = "{48E59293-9880-11CF-9754-00AA00C00908}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}\ = "Internet Control URL Property Page Object"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ = "Microsoft Internet Transfer Control, version 6.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ = "IVBDataObject"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\Version = "1.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\Version = "1.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\MiscStatus	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Version	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\FLAGS\ = "2"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CLSID\ = "{BDC217C5-ED16-11CD-956C-0000C04E4C0A}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CLSID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DA06D40-54A0-11CF-A521-0080C77A7786}\ = "SSTabCtl General Property Page Object"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet.1\ = "Microsoft Internet Transfer Control, version 6.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\InprocServer32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\FLAGS	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "1.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59292-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InetCtls.Inet\ = "Microsoft Internet Transfer Control, version 6.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\0	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\ = "ISSTabCtl"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TabDlg.SSTab\CurVer	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\ = "IInet"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{48E59291-9880-11CF-9754-00AA00C00908}\TypeLib\ = "{48E59290-9880-11CF-9754-00AA00C00908}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\VersionIndependentProgID\ = "InetCtls.Inet"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\MiscStatus\1	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}\1.0\ = "Microsoft Internet Transfer Control 6.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BDC217C8-ED16-11CD-956C-0000C04E4C0A}\1.1\ = "Microsoft Tabbed Dialog Control 6.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\ToolboxBitmap32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2A4FCCB0-DFF1-11CF-8E74-00A0C90F26F8}\TypeLib\ = "{BDC217C8-ED16-11CD-956C-0000C04E4C0A}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}\ = "DSSTabCtlEvents"	Regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3376	downhelper.exe
2504	Regsvr32.exe
3376	downhelper.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3392	3376	downhelper.exe	88
PID 3376 wrote to memory of 3392	3376	downhelper.exe	88
PID 3376 wrote to memory of 3392	3376	downhelper.exe	88
PID 3376 wrote to memory of 2572	3376	downhelper.exe	90
PID 3376 wrote to memory of 2572	3376	downhelper.exe	90
PID 3376 wrote to memory of 2572	3376	downhelper.exe	90
PID 3376 wrote to memory of 2504	3376	downhelper.exe	92
PID 3376 wrote to memory of 2504	3376	downhelper.exe	92
PID 3376 wrote to memory of 2504	3376	downhelper.exe	92
PID 3376 wrote to memory of 1524	3376	downhelper.exe	93
PID 3376 wrote to memory of 1524	3376	downhelper.exe	93
PID 3376 wrote to memory of 1524	3376	downhelper.exe	93

C:\Users\Admin\AppData\Local\Temp\downhelper.exe
"C:\Users\Admin\AppData\Local\Temp\downhelper.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s C:\Windows\system32\MSINET.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3392
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s C:\Windows\system32\TABCTL32.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2572
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s C:\Windows\system32\SkinH_VB6.dll
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2504
- C:\Windows\SysWOW64\Regsvr32.exe
  Regsvr32 /s C:\Windows\system32\skinh.she
  2⤵
  PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Windows\SysWOW64\SkinH_VB6.dll

Filesize
96KB

MD5
0b49103bb37ddd6bc90807aaa0865995

SHA1
1e8fd3df6f50d3bed0ad04d26c0ec77ca6181df9

SHA256
79034d7c9483ebcdd8a100a78790408dfaa5e2530dcf12def4a9087cfb298117

SHA512
0d79d78ead8e1050995eb48870f314bc2c849088f3dfb14386d596e0a57643f449cd69c5beccec836138ba0189f8ef61222cc36c798f13ac7ff601f2808be922

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
204KB

MD5
2bae02cd88d9ef0c03bdab250904f802

SHA1
ff421bffb17f2dafdf028a198ed6e540e0c8dce9

SHA256
76f99cb0983a76385e55dca92577bb53de488aafdf0d6ffcbe03ec5fa85d15c5

SHA512
faed7f90b18bdacc68e44a145e81be967cac163d44cbfef6ec32d36b53c7ae57d3b8e7a5526c0d6f97226c19432c70c390068d505ed69c6f4ceaa9e63dda745e

Download Submit
C:\Windows\SysWOW64\skinh.she

Filesize
30KB

MD5
f33a83fa32cd6699e5e5e6c3af069848

SHA1
eb7d23b63cfb78d4656399213a131def56d74f23

SHA256
0e420494b7365f9bda03883842e1101689192dc56b40c83d0e7877d0286a7ce5

SHA512
332071fa924d88d1508626c80324bbedb0cedab8b719d0d92f34bd8ac45fa7cc93aba679798ad7115e58d81621468fe413bf841dffb66ad84d8e60211cc83a20

Download Submit
memory/2504-11-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2504-12-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2504-21-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3376-18-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3376-19-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/3376-20-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download