Malware Analysis Report

2025-06-16 07:24

Sample ID: 240602-flhzfsbg8w
Target: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e
SHA256: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e
Tags: persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e

Threat Level: Known bad

The file fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e was found to be: Known bad.

Malicious Activity Summary

persistence

Detects executables packed with eXPressor

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Deletes itself

Drops file in System32 directory

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Runs .reg file with regedit

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-02 04:57

Signatures

Detects executables packed with eXPressor

Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Unsigned PE

Description: N/A; Indicator: N/A; Process: N/A; Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 04:57
Reported: 2024-06-02 05:00
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe"

Signatures

Detects executables packed with eXPressor

Description: N/A; Indicator: N/A; Process: N/A; Target: N/A (3 identical entries)

Modifies Installed Components in the registry

Tag: persistence
Description: Key created; Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A
Description: Set value (str); Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|\stubpath = "C:\\Windows\\system32\\WinHelp48.exe"; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A
Description: Key created; Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A
Description: Set value (str); Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|\stubpath = "C:\\Windows\\system32\\WinHelp4.exe"; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A

Deletes itself

Description: N/A; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp48.exe; Target: N/A

Executes dropped EXE

Description: N/A; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp48.exe; Target: N/A
Description: N/A; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp4.exe; Target: N/A

Drops file in System32 directory

Description: File created; Indicator: C:\Windows\SysWOW64\WinHelp48.exe; Process: C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; Target: N/A
Description: File created; Indicator: C:\Windows\SysWOW64\WinHelp4.exe; Process: C:\Windows\SysWOW64\WinHelp48.exe; Target: N/A

Runs .reg file with regedit

Description: N/A; Indicator: N/A; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A (2 identical entries)

Suspicious use of AdjustPrivilegeToken

Description: Token: SeShutdownPrivilege; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp4.exe; Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 836 wrote to memory of 2792; Indicator: N/A; Process: C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; Target: C:\Windows\SysWOW64\regedit.exe (4 identical entries)
Description: PID 836 wrote to memory of 3052; Indicator: N/A; Process: C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; Target: C:\Windows\SysWOW64\WinHelp48.exe (4 identical entries)
Description: PID 3052 wrote to memory of 2356; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp48.exe; Target: C:\Windows\SysWOW64\regedit.exe (4 identical entries)
Description: PID 3052 wrote to memory of 3036; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp48.exe; Target: C:\Windows\SysWOW64\WinHelp4.exe (4 identical entries)
Description: PID 3036 wrote to memory of 2336; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp4.exe; Target: C:\Windows\SysWOW64\svchost.exe (5 identical entries)

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
    "C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe"

C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259399648.reg

C:\Windows\SysWOW64\WinHelp48.exe
    C:\Windows\system32\WinHelp48.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe

C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259399804.reg

C:\Windows\SysWOW64\WinHelp4.exe
    C:\Windows\system32\WinHelp4.exe kowdgjttgC:\Windows\SysWOW64\WinHelp48.exe

C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe

Network

N/A

Files

\Windows\SysWOW64\WinHelp48.exe

MD5 662155a9d892a12179e788f7fc98b6a2
SHA1 92cd5f483b873875108af2c8490b08d9a4a6ea07
SHA256 ff44b9714eceac61d302f35247cfc9b8b20615b4ce390eaa09a2f80e000eb848
SHA512 aed0a9ccc249d9256efcc6f2c79a6a65007864e672e0237d6038f7f63ee19f206cd4b8f601cfccba8b3b29a01f567e501e72267516d6ac192b37d1512f28896d

C:\Users\Admin\AppData\Local\Temp\259399648.reg

MD5 9086c2ad9d684ad830c07b1706582372
SHA1 8ed1a09fb27fe1c67454b6766b8f652aa71c5861
SHA256 96f6992faa0dc9b46d97e3390b19eb703e500ed1e87811f754151543b20055c9
SHA512 4a3ab38e5e94e529d6cc2070c45c4b6dd012655fe3acde37df6d0a2a3c61bd6e2a9cc5ec0686acae9cf0b75e25945292426451e77984c219c7cf93e842aae6f6

C:\Users\Admin\AppData\Local\Temp\259399804.reg

MD5 a1c689d90871f371ac1eeef543e78af9
SHA1 b856582707581132fd9b47d0d4503902632ac907
SHA256 cca5af20484ba7cf4a97919ae1a6ac8f668791cffd9fe8b48366adb7c277680e
SHA512 77280d4131c2138b28b35bed64db9ca18cd38996b9ba36bb074831079fd828bf57b68f1df4a68c0a79047f464098a0a423c0be77ddced8cc5a1c82d22025f2eb

\Windows\SysWOW64\WinHelp4.exe

MD5 45f37c1a42c85e222711e1dafe0ec5ab
SHA1 66e023f6c4c09c423f36f0296b8a35503e176dfc
SHA256 b1a3a146805023b0a72e91734b5e6b5b18c08259cfef5d148d605258c2ad2a63
SHA512 818f85a2c7c402c2baf48f9dd208262c5d9eb636cac05793ada03b3e1173d90375510a80d920909cd289d15db3ce5293c17053955587d127614a2d5e4c0f2fc6

memory/2336-22-0x0000000013150000-0x0000000013167000-memory.dmp

memory/2336-23-0x0000000013150000-0x0000000013167000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 04:57
Reported: 2024-06-02 05:00
Platform: win10v2004-20240426-en
Max time kernel: 92s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe"

Signatures

Detects executables packed with eXPressor

Description: N/A; Indicator: N/A; Process: N/A; Target: N/A (2 identical entries)

Modifies Installed Components in the registry

Tag: persistence
Description: Key created; Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A
Description: Set value (str); Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\|BGG7GE77./6EA.58:1,:3@:./FF4GEEC8AGF|\stubpath = "C:\\Windows\\system32\\WinHelp65.exe"; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A

Deletes itself

Description: N/A; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp65.exe; Target: N/A

Executes dropped EXE

Description: N/A; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp65.exe; Target: N/A

Drops file in System32 directory

Description: File created; Indicator: C:\Windows\SysWOW64\WinHelp65.exe; Process: C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; Target: N/A

Runs .reg file with regedit

Description: N/A; Indicator: N/A; Process: C:\Windows\SysWOW64\regedit.exe; Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeShutdownPrivilege; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp65.exe; Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2308 wrote to memory of 3132; Indicator: N/A; Process: C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; Target: C:\Windows\SysWOW64\regedit.exe (3 identical entries)
Description: PID 2308 wrote to memory of 2016; Indicator: N/A; Process: C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe; Target: C:\Windows\SysWOW64\WinHelp65.exe (3 identical entries)
Description: PID 2016 wrote to memory of 2156; Indicator: N/A; Process: C:\Windows\SysWOW64\WinHelp65.exe; Target: C:\Windows\SysWOW64\svchost.exe (4 identical entries)

Processes (image path, followed by its command line)

C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe
    "C:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe"

C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240597265.reg

C:\Windows\SysWOW64\WinHelp65.exe
    C:\Windows\system32\WinHelp65.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\fe270757a9e04664508fa0caa16ac1c01f228b37c68fd7a0b6fd12f17bf4fe5e.exe

C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 204

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2156 -ip 2156

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 212

Network

Country: US; Destination: 8.8.8.8:53; Domain: 58.55.71.13.in-addr.arpa; Proto: udp
Country: US; Destination: 8.8.8.8:53; Domain: 22.160.190.20.in-addr.arpa; Proto: udp
Country: US; Destination: 8.8.8.8:53; Domain: 91.90.14.23.in-addr.arpa; Proto: udp
Country: US; Destination: 8.8.8.8:53; Domain: 95.221.229.192.in-addr.arpa; Proto: udp
Country: US; Destination: 8.8.8.8:53; Domain: 149.220.183.52.in-addr.arpa; Proto: udp
Country: NL; Destination: 52.142.223.178:80; Domain: N/A; Proto: tcp
Country: US; Destination: 8.8.8.8:53; Domain: 86.23.85.13.in-addr.arpa; Proto: udp
Country: US; Destination: 8.8.8.8:53; Domain: 15.164.165.52.in-addr.arpa; Proto: udp
Country: US; Destination: 8.8.8.8:53; Domain: 172.210.232.199.in-addr.arpa; Proto: udp
Country: US; Destination: 8.8.8.8:53; Domain: 98.58.20.217.in-addr.arpa; Proto: udp

Files

C:\Windows\SysWOW64\WinHelp65.exe

MD5 e1d841e767c86a2040999ab85c2524a2
SHA1 502026ab19d886c5963dd51380c045460410b24b
SHA256 8fe6efc9cbe057c80c1b787635d2be69c81a1cd245d9c58015258ae147d05d85
SHA512 5449b63633c7a7a77506e7ef5206f41c43f8fdcfeeca547f9b29604bd444873a45f3a76c8108441d6a2df54d40e14b47d0b092f1a037fd510308b4dd1aae70ea

C:\Users\Admin\AppData\Local\Temp\240597265.reg

MD5 3f6a6dfbe9006c162a83ce98be407903
SHA1 56cf8e116970f4209e2317f61a15c89c48d66b14
SHA256 bc285a9dd73b745bde4223d046ca6fc398797b79a62bb5a99b19ea4e5fe2ff4e
SHA512 0a9d2030555ba64b0275881b5d96858313df91aee384ffacee519fbcf57c05dedf448bf65de5243359de1a013b79c28571d24499d6598d3741a6044d4addc03b

memory/2156-6-0x0000000013150000-0x0000000013167000-memory.dmp