9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51

General

Target

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
Size

92KB
MD5

a8642f40de24fe2cb0948abdb9dbe717
SHA1

21e7f94d218f65e8be7a925cb988cb2060923ed5
SHA256

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51
SHA512

4fb51ddca9d09ca9aa2fd0586795ae19ec13dafeae081781eb3d3285b7c57dbd64effc22ca5fe8f141297800b9fd6fccbdbd2a93edd1d4961e7c9a1fb23e1a1b
SSDEEP

1536:Z7AvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRws8V3zhb:5AvKztiIzj6xtDLBZRws8Vj5

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with eXPressor 2 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\WinHelp29.exe	INDICATOR_EXE_Packed_eXPressor
behavioral1/memory/2592-12-0x0000000013150000-0x0000000013167000-memory.dmp	INDICATOR_EXE_Packed_eXPressor

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw\stubpath = "C:\\Windows\\system32\\WinHelp29.exe"	regedit.exe

Deletes itself 1 IoCs

Processes:

WinHelp29.exe

pid process

1768 WinHelp29.exe
Executes dropped EXE 1 IoCs

Processes:

WinHelp29.exe

pid process

1768 WinHelp29.exe

pid	process
1768	WinHelp29.exe

pid	process
1768	WinHelp29.exe

Loads dropped DLL 2 IoCs

Processes:

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe

pid	process
3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe

Drops file in System32 directory 1 IoCs

Processes:

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe

description ioc process

File created C:\Windows\SysWOW64\WinHelp29.exe 9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2100 regedit.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WinHelp29.exe

description pid process

Token: SeShutdownPrivilege 1768 WinHelp29.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinHelp29.exe	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe

pid	process
2100	regedit.exe

description	pid	process
Token: SeShutdownPrivilege	1768	WinHelp29.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exeWinHelp29.exe

description	pid	process	target process
PID 3028 wrote to memory of 2100	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	regedit.exe
PID 3028 wrote to memory of 2100	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	regedit.exe
PID 3028 wrote to memory of 2100	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	regedit.exe
PID 3028 wrote to memory of 2100	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	regedit.exe
PID 3028 wrote to memory of 1768	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	WinHelp29.exe
PID 3028 wrote to memory of 1768	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	WinHelp29.exe
PID 3028 wrote to memory of 1768	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	WinHelp29.exe
PID 3028 wrote to memory of 1768	3028	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	WinHelp29.exe
PID 1768 wrote to memory of 2592	1768	WinHelp29.exe	svchost.exe
PID 1768 wrote to memory of 2592	1768	WinHelp29.exe	svchost.exe
PID 1768 wrote to memory of 2592	1768	WinHelp29.exe	svchost.exe
PID 1768 wrote to memory of 2592	1768	WinHelp29.exe	svchost.exe
PID 1768 wrote to memory of 2592	1768	WinHelp29.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
"C:\Users\Admin\AppData\Local\Temp\9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259397729.reg
2⤵
- Modifies Installed Components in the registry
- Runs .reg file with regedit
PID:2100

C:\Windows\SysWOW64\WinHelp29.exe
C:\Windows\system32\WinHelp29.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259397729.reg

Filesize
384B

MD5
aceaa9cd57aea50edf9548688ff58d2b

SHA1
ec8135fea1bb704f71fd381ba6913ccefea55acc

SHA256
2ccd81886a1bb142d3f348270056dc05a60ace9273e7ba9d2671338468e42754

SHA512
68a9d18e449f6cfb839358fc52829e2142f2056667e4ee49416221d2d8f3e2f04432d495111746f2b4c8503861618fcdb78f36b9cb2fbf805cbf28789104761a

Download Submit
\Windows\SysWOW64\WinHelp29.exe

Filesize
92KB

MD5
c74d939bc6ab418b42313c0f211caee6

SHA1
0999cebde4a11a51b8046a100bf21a2cad36831a

SHA256
05b30146ba9e85fa4d398b2f60625f368f9ddf13ea0305ba35f517092858a9b7

SHA512
113763fef6af59db7ba81944d2a1f699100261544e80821d4b3b0856d291832ca23eb2949b2216e8f1ae965edb6675b5c0dd5b55b8294425a1c4dfd3d102994f

Download Submit
memory/2592-11-0x0000000013150000-0x0000000013167000-memory.dmp

Filesize
92KB

Download
memory/2592-12-0x0000000013150000-0x0000000013167000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads