427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0

General

Target

427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe
Size

92KB
MD5

1721527216b76128cc947be2cb5eb941
SHA1

d75870c851052384e5d2bd06d8848bc65c670bed
SHA256

427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0
SHA512

5513c330d5c9121bc559530261639bdcfa87dccdc64b9e04652fa3a35023b8ad6164b168c9a9f9319b476e71bf6511f8e5a247bf65cbf4ac4274efda7540b73b
SSDEEP

1536:07AvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRQ8V3zhb:QAvKztiIzj6xtDLBZRQ8Vj5

Score

9^/10

Malware Config

Signatures

Detects executables packed with eXPressor 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016332-2.dat	INDICATOR_EXE_Packed_eXPressor
behavioral1/files/0x0008000000016c23-14.dat	INDICATOR_EXE_Packed_eXPressor
behavioral1/memory/2164-23-0x0000000013150000-0x0000000013167000-memory.dmp	INDICATOR_EXE_Packed_eXPressor

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw\stubpath = "C:\\Windows\\system32\\WinHelp42.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw\stubpath = "C:\\Windows\\system32\\WinHelp7.exe"	regedit.exe

Deletes itself 1 IoCs

pid	Process
2828	WinHelp42.exe

Executes dropped EXE 2 IoCs

pid	Process
2828	WinHelp42.exe
2612	WinHelp7.exe

Loads dropped DLL 4 IoCs

pid	Process
2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe
2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe
2828	WinHelp42.exe
2828	WinHelp42.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHelp42.exe	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe
File created	C:\Windows\SysWOW64\WinHelp7.exe	WinHelp42.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2772	regedit.exe
2760	regedit.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2612	WinHelp7.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2772	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	28
PID 2224 wrote to memory of 2772	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	28
PID 2224 wrote to memory of 2772	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	28
PID 2224 wrote to memory of 2772	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	28
PID 2224 wrote to memory of 2828	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	29
PID 2224 wrote to memory of 2828	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	29
PID 2224 wrote to memory of 2828	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	29
PID 2224 wrote to memory of 2828	2224	427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe	29
PID 2828 wrote to memory of 2760	2828	WinHelp42.exe	30
PID 2828 wrote to memory of 2760	2828	WinHelp42.exe	30
PID 2828 wrote to memory of 2760	2828	WinHelp42.exe	30
PID 2828 wrote to memory of 2760	2828	WinHelp42.exe	30
PID 2828 wrote to memory of 2612	2828	WinHelp42.exe	31
PID 2828 wrote to memory of 2612	2828	WinHelp42.exe	31
PID 2828 wrote to memory of 2612	2828	WinHelp42.exe	31
PID 2828 wrote to memory of 2612	2828	WinHelp42.exe	31
PID 2612 wrote to memory of 2164	2612	WinHelp7.exe	32
PID 2612 wrote to memory of 2164	2612	WinHelp7.exe	32
PID 2612 wrote to memory of 2164	2612	WinHelp7.exe	32
PID 2612 wrote to memory of 2164	2612	WinHelp7.exe	32
PID 2612 wrote to memory of 2164	2612	WinHelp7.exe	32

C:\Users\Admin\AppData\Local\Temp\427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe
"C:\Users\Admin\AppData\Local\Temp\427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259430442.reg
  2⤵
  - Modifies Installed Components in the registry
  - Runs .reg file with regedit
  PID:2772
- C:\Windows\SysWOW64\WinHelp42.exe
  C:\Windows\system32\WinHelp42.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\427c7c62c71ade3dbefcd165609713bf3597dc27c23693959b604247ce7acae0.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259430707.reg
    3⤵
    - Modifies Installed Components in the registry
    - Runs .reg file with regedit
    PID:2760
- - C:\Windows\SysWOW64\WinHelp7.exe
    C:\Windows\system32\WinHelp7.exe kowdgjttgC:\Windows\SysWOW64\WinHelp42.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259430442.reg

Filesize
384B

MD5
03b5beb3170216ab42970b733d46b2ed

SHA1
f10511a3cd014c14c04f3cb5905041c500ea2a27

SHA256
0572372d06380f756e37dd82bb0f13748f96a2d1deb44b28983db830a599dec1

SHA512
c4ca39302d7ae2737dad9a8edff25241cc7e181d65b15f6d50bdab3c0961fc913cd8e9dfbd304a883bccf75856f4e9421a2bb2d963a25b0d45e766628cd0de4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\259430707.reg

Filesize
378B

MD5
559869b07dd579e9a77d83c7dfb68e03

SHA1
0d4c27f7fa57e21ac4227d0557d7237d26bf5728

SHA256
e698bd6e550ab4cd284a5c378798fd98c36ca6247fa45c405afb247ee583856a

SHA512
f6dbab259b8fb4f1fc742152ecb16b2ea6d9ebeb21d5d5a73de24ac24461c47d4918c197b44e7e8c983647b03ca15296a39b73506336a5749fb2bfc660594e71

Download Submit
\Windows\SysWOW64\WinHelp42.exe

Filesize
92KB

MD5
7a3e70e4e315be5b221cbe5404a60572

SHA1
5bda6fdbcc51f84abec5a720c4156345091368fc

SHA256
2aac354a004eb8137c95f038acbb0498796e54f3f9a9b1e0029881f0435624ba

SHA512
d89b1b45776b15c5ae1a7c3255bcb4645379da4ba10034da43a5dc6ef8e95d11fb8ba94d7d3d3c53a9661be109e57982bd47b55bbd7b4f569d76c52467d34c10

Download Submit
\Windows\SysWOW64\WinHelp7.exe

Filesize
92KB

MD5
245698122918fa674e8882bbc8f82348

SHA1
6df620ebc2181fb8b4b316bc2f6693acf7522e02

SHA256
2a1a5958bc017d88a83dec5e8b99345db5c51f09c9c0ba2d86614bc21d229ef7

SHA512
44fad2e3e49210ca727eaa15773a4fc0c37c5e201f142b27f5767de04d8c490f447bab95acfc032340f05fe987dd409d9a6f7031881ecfda88c121f5262cf733

Download Submit
memory/2164-21-0x0000000013150000-0x0000000013167000-memory.dmp

Filesize
92KB

Download
memory/2164-23-0x0000000013150000-0x0000000013167000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads