9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51

General

Target

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
Size

92KB
MD5

a8642f40de24fe2cb0948abdb9dbe717
SHA1

21e7f94d218f65e8be7a925cb988cb2060923ed5
SHA256

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51
SHA512

4fb51ddca9d09ca9aa2fd0586795ae19ec13dafeae081781eb3d3285b7c57dbd64effc22ca5fe8f141297800b9fd6fccbdbd2a93edd1d4961e7c9a1fb23e1a1b
SSDEEP

1536:Z7AvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRws8V3zhb:5AvKztiIzj6xtDLBZRws8Vj5

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with eXPressor 2 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\WinHelp40.exe	INDICATOR_EXE_Packed_eXPressor
behavioral2/memory/1628-6-0x0000000013150000-0x0000000013167000-memory.dmp	INDICATOR_EXE_Packed_eXPressor

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\=LL2LJ2<3;J<3:3?6'?8;?3KK/LJ@H=<LKw\stubpath = "C:\\Windows\\system32\\WinHelp40.exe"	regedit.exe

Deletes itself 1 IoCs

Processes:

WinHelp40.exe

pid process

3956 WinHelp40.exe
Executes dropped EXE 1 IoCs

Processes:

WinHelp40.exe

pid process

3956 WinHelp40.exe
Drops file in System32 directory 1 IoCs

Processes:

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe

description ioc process

File created C:\Windows\SysWOW64\WinHelp40.exe 9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1692 1628 WerFault.exe svchost.exe
4028 1628 WerFault.exe svchost.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

3368 regedit.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WinHelp40.exe

description pid process

Token: SeShutdownPrivilege 3956 WinHelp40.exe

pid	process
3956	WinHelp40.exe

pid	process
3956	WinHelp40.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WinHelp40.exe	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe

pid	pid_target	process	target process
1692	1628	WerFault.exe	svchost.exe
4028	1628	WerFault.exe	svchost.exe

pid	process
3368	regedit.exe

description	pid	process
Token: SeShutdownPrivilege	3956	WinHelp40.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exeWinHelp40.exe

description	pid	process	target process
PID 1168 wrote to memory of 3368	1168	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	regedit.exe
PID 1168 wrote to memory of 3368	1168	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	regedit.exe
PID 1168 wrote to memory of 3368	1168	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	regedit.exe
PID 1168 wrote to memory of 3956	1168	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	WinHelp40.exe
PID 1168 wrote to memory of 3956	1168	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	WinHelp40.exe
PID 1168 wrote to memory of 3956	1168	9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe	WinHelp40.exe
PID 3956 wrote to memory of 1628	3956	WinHelp40.exe	svchost.exe
PID 3956 wrote to memory of 1628	3956	WinHelp40.exe	svchost.exe
PID 3956 wrote to memory of 1628	3956	WinHelp40.exe	svchost.exe
PID 3956 wrote to memory of 1628	3956	WinHelp40.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
"C:\Users\Admin\AppData\Local\Temp\9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240599640.reg
2⤵
- Modifies Installed Components in the registry
- Runs .reg file with regedit
PID:3368

C:\Windows\SysWOW64\WinHelp40.exe
C:\Windows\system32\WinHelp40.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\9b4e8b32a97083a636f78d95fd8ed5fab8b43cfaa67eb72ee9fbbd41f6cdcc51.exe
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 200
4⤵
- Program crash
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 240
4⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1628 -ip 1628
1⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1628 -ip 1628
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240599640.reg

Filesize
384B

MD5
37177711b3521f15a84e443d238e0a5d

SHA1
bdd36013855de08c98dba88a42becad487bb3506

SHA256
fcf39b438bb365cc33eea90031d687250598e419fc160f7f405900f0cb547660

SHA512
24dd1a1f6bcf5f82ea05941710f541c5c9504d59f6f709b28a6643c16649d7b1fb77e287c7dd15dffe839b3d5922cde027f94f9cfaf069750d67ffabd3c3f81c

Download Submit
C:\Windows\SysWOW64\WinHelp40.exe

Filesize
92KB

MD5
69bff0539cef80616f57d7c103cb1e8d

SHA1
6e63ac25ab6cb36d1e13b819f955bc985ad5d374

SHA256
f736bd4ded33dcd405dee8ae3b5589fad8f00c24862c6ca23248136bba91551b

SHA512
802216a394986a7fcf397c72b0387c53f6eabf51532f2fa6327022d7a3c43254f58378c80c6b1a8c539693cfdd4269fee145d8b02a0b37f54e5e11c3fce5d7c5

Download Submit
memory/1628-6-0x0000000013150000-0x0000000013167000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads