Analysis
- max time kernel: 92s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/06/2024, 04:57
Static task: static1
Behavioral task: behavioral1
- Sample: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
- Resource: win10v2004-20240426-en
General
- Target: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
- Size: 92KB
- MD5: 1a958a367e9ad6cd9d916113ac3b2363
- SHA1: bcd27f053a496aff757bed648d19fdc13e8a4629
- SHA256: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e
- SHA512: 9ebfdd963b8613e3f07c218dc8ce5b13e7dc94cdc44e6e269432cf7eb1f2f79e66cb11bf01f6f7c250cd2d3855a138fde3b1238ef3fdeb4ce2914000a14076d7
- SSDEEP: 1536:v7evnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRk8V3zhb:TevKztiIzj6xtDLBZRk8Vj5
Signatures
- Detects executables packed with eXPressor (2 IoCs)
  resource: behavioral2/files/0x0007000000023417-4.dat; yara_rule: INDICATOR_EXE_Packed_eXPressor
  resource: behavioral2/memory/2156-6-0x0000000013150000-0x0000000013167000-memory.dmp; yara_rule: INDICATOR_EXE_Packed_eXPressor
- Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
  description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|; process: regedit.exe
  description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|\stubpath = "C:\\Windows\\system32\\WinHelp65.exe"; process: regedit.exe
- Deletes itself (1 IoC)
  pid: 2016; process: WinHelp65.exe
- Executes dropped EXE (1 IoC)
  pid: 2016; process: WinHelp65.exe
- Drops file in System32 directory (1 IoC)
  description: File created; ioc: C:\Windows\SysWOW64\WinHelp65.exe; process: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
- Program crash (2 IoCs)
  pid: 2000; pid_target: 2156; process: WerFault.exe; procid_target: 87
  pid: 3596; pid_target: 2156; process: WerFault.exe; procid_target: 87
- Runs .reg file with regedit (1 IoC)
  pid: 3132; process: regedit.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeShutdownPrivilege; pid: 2016; process: WinHelp65.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2308 wrote to memory of 3132; process: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; procid_target: 83 (3 entries)
  PID 2308 wrote to memory of 2016; process: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; procid_target: 85 (3 entries)
  PID 2016 wrote to memory of 2156; process: WinHelp65.exe; procid_target: 87 (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe"
  PID: 2308
  signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\regedit.exe
    command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240597265.reg
    PID: 3132
    signatures: Modifies Installed Components in the registry; Runs .reg file with regedit
  - [2] C:\Windows\SysWOW64\WinHelp65.exe
    command line: C:\Windows\system32\WinHelp65.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
    PID: 2016
    signatures: Deletes itself; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 2156
      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 204
        PID: 2000
        signatures: Program crash
      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 212
        PID: 3596
        signatures: Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2156 -ip 2156
  PID: 408
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2156 -ip 2156
  PID: 644
Downloads
- Filesize: 384B
  MD5: 3f6a6dfbe9006c162a83ce98be407903
  SHA1: 56cf8e116970f4209e2317f61a15c89c48d66b14
  SHA256: bc285a9dd73b745bde4223d046ca6fc398797b79a62bb5a99b19ea4e5fe2ff4e
  SHA512: 0a9d2030555ba64b0275881b5d96858313df91aee384ffacee519fbcf57c05dedf448bf65de5243359de1a013b79c28571d24499d6598d3741a6044d4addc03b
- Filesize: 92KB
  MD5: e1d841e767c86a2040999ab85c2524a2
  SHA1: 502026ab19d886c5963dd51380c045460410b24b
  SHA256: 8fe6efc9cbe057c80c1b787635d2be69c81a1cd245d9c58015258ae147d05d85
  SHA512: 5449b63633c7a7a77506e7ef5206f41c43f8fdcfeeca547f9b29604bd444873a45f3a76c8108441d6a2df54d40e14b47d0b092f1a037fd510308b4dd1aae70ea