Analysis

  • max time kernel: 121s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 02/06/2024, 04:57

General

  • Target: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
  • Size: 92KB
  • MD5: 1a958a367e9ad6cd9d916113ac3b2363
  • SHA1: bcd27f053a496aff757bed648d19fdc13e8a4629
  • SHA256: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e
  • SHA512: 9ebfdd963b8613e3f07c218dc8ce5b13e7dc94cdc44e6e269432cf7eb1f2f79e66cb11bf01f6f7c250cd2d3855a138fde3b1238ef3fdeb4ce2914000a14076d7
  • SSDEEP: 1536:v7evnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRk8V3zhb:TevKztiIzj6xtDLBZRk8Vj5

Score
9/10

Malware Config

Signatures

  • Detects executables packed with eXPressor 3 IoCs
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
    "C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\SysWOW64\regedit.exe
      regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259399648.reg
      2⤵
      • Modifies Installed Components in the registry
      • Runs .reg file with regedit
      PID:2792
    • C:\Windows\SysWOW64\WinHelp48.exe
      C:\Windows\system32\WinHelp48.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\regedit.exe
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259399804.reg
        3⤵
        • Modifies Installed Components in the registry
        • Runs .reg file with regedit
        PID:2356
      • C:\Windows\SysWOW64\WinHelp4.exe
        C:\Windows\system32\WinHelp4.exe kowdgjttgC:\Windows\SysWOW64\WinHelp48.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
          PID:2336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\259399648.reg
    Filesize: 384B
    MD5: 9086c2ad9d684ad830c07b1706582372
    SHA1: 8ed1a09fb27fe1c67454b6766b8f652aa71c5861
    SHA256: 96f6992faa0dc9b46d97e3390b19eb703e500ed1e87811f754151543b20055c9
    SHA512: 4a3ab38e5e94e529d6cc2070c45c4b6dd012655fe3acde37df6d0a2a3c61bd6e2a9cc5ec0686acae9cf0b75e25945292426451e77984c219c7cf93e842aae6f6

  • C:\Users\Admin\AppData\Local\Temp\259399804.reg
    Filesize: 378B
    MD5: a1c689d90871f371ac1eeef543e78af9
    SHA1: b856582707581132fd9b47d0d4503902632ac907
    SHA256: cca5af20484ba7cf4a97919ae1a6ac8f668791cffd9fe8b48366adb7c277680e
    SHA512: 77280d4131c2138b28b35bed64db9ca18cd38996b9ba36bb074831079fd828bf57b68f1df4a68c0a79047f464098a0a423c0be77ddced8cc5a1c82d22025f2eb

  • \Windows\SysWOW64\WinHelp4.exe
    Filesize: 92KB
    MD5: 45f37c1a42c85e222711e1dafe0ec5ab
    SHA1: 66e023f6c4c09c423f36f0296b8a35503e176dfc
    SHA256: b1a3a146805023b0a72e91734b5e6b5b18c08259cfef5d148d605258c2ad2a63
    SHA512: 818f85a2c7c402c2baf48f9dd208262c5d9eb636cac05793ada03b3e1173d90375510a80d920909cd289d15db3ce5293c17053955587d127614a2d5e4c0f2fc6

  • \Windows\SysWOW64\WinHelp48.exe
    Filesize: 92KB
    MD5: 662155a9d892a12179e788f7fc98b6a2
    SHA1: 92cd5f483b873875108af2c8490b08d9a4a6ea07
    SHA256: ff44b9714eceac61d302f35247cfc9b8b20615b4ce390eaa09a2f80e000eb848
    SHA512: aed0a9ccc249d9256efcc6f2c79a6a65007864e672e0237d6038f7f63ee19f206cd4b8f601cfccba8b3b29a01f567e501e72267516d6ac192b37d1512f28896d

  • memory/2336-22-0x0000000013150000-0x0000000013167000-memory.dmp
    Filesize: 92KB

  • memory/2336-23-0x0000000013150000-0x0000000013167000-memory.dmp
    Filesize: 92KB