8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d

General

Target

8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
Size

92KB
MD5

03ef5c5c86ac5d8886b082ea239a535b
SHA1

ee6f6ee8fcb8bb94d5b1bfa3cddd37f57374f055
SHA256

8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d
SHA512

ce4e78b94c639dc8d0603f3baceb0a77fdb353e8d94a8a6bd7d146f806a3b538e8d998e6a5717ef5e24fe2d7c4a79b84c537f24a160a453d4572cf165a2f4e8d
SSDEEP

1536:g7EtvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRS8V3zhb:8EtvKztiIzj6xtDLBZRS8Vj5

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp31.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp3.exe"	regedit.exe

Deletes itself 1 IoCs

pid	Process
3036	WinHelp31.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	WinHelp31.exe
3044	WinHelp3.exe

Loads dropped DLL 4 IoCs

pid	Process
1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
3036	WinHelp31.exe
3036	WinHelp31.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinHelp31.exe	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
File created	C:\Windows\SysWOW64\WinHelp3.exe	WinHelp31.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1268	regedit.exe
2432	regedit.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3044	WinHelp3.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1268	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	30
PID 1688 wrote to memory of 1268	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	30
PID 1688 wrote to memory of 1268	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	30
PID 1688 wrote to memory of 1268	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	30
PID 1688 wrote to memory of 3036	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	31
PID 1688 wrote to memory of 3036	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	31
PID 1688 wrote to memory of 3036	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	31
PID 1688 wrote to memory of 3036	1688	8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe	31
PID 3036 wrote to memory of 2432	3036	WinHelp31.exe	32
PID 3036 wrote to memory of 2432	3036	WinHelp31.exe	32
PID 3036 wrote to memory of 2432	3036	WinHelp31.exe	32
PID 3036 wrote to memory of 2432	3036	WinHelp31.exe	32
PID 3036 wrote to memory of 3044	3036	WinHelp31.exe	33
PID 3036 wrote to memory of 3044	3036	WinHelp31.exe	33
PID 3036 wrote to memory of 3044	3036	WinHelp31.exe	33
PID 3036 wrote to memory of 3044	3036	WinHelp31.exe	33
PID 3044 wrote to memory of 1672	3044	WinHelp3.exe	34
PID 3044 wrote to memory of 1672	3044	WinHelp3.exe	34
PID 3044 wrote to memory of 1672	3044	WinHelp3.exe	34
PID 3044 wrote to memory of 1672	3044	WinHelp3.exe	34
PID 3044 wrote to memory of 1672	3044	WinHelp3.exe	34

C:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
"C:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259460831.reg
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Runs .reg file with regedit
  PID:1268
- C:\Windows\SysWOW64\WinHelp31.exe
  C:\Windows\system32\WinHelp31.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259461003.reg
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Runs .reg file with regedit
    PID:2432
- - C:\Windows\SysWOW64\WinHelp3.exe
    C:\Windows\system32\WinHelp3.exe kowdgjttgC:\Windows\SysWOW64\WinHelp31.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Active Setup

1

T1547.014

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259460831.reg

Filesize
384B

MD5
e057f0b86eb0ede754b1a6657551f33f

SHA1
55c57ad2af44605391c3d39fdabac018471476bb

SHA256
4d4aca9960b8ef0e5148686924b3c11c91aedcf0c9f3966c2474c984bbfc6e3b

SHA512
7b49786729526e45a46dd55e2e4594b9841e7a111a1607feb182affec9ef5d0c6722cb42e693d97b91613e040da0f98e3ec50f886d8124746ff8b9ba71d51b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\259461003.reg

Filesize
378B

MD5
d2614c747ce333f23bf1a115a0d19deb

SHA1
ec018ab2016355ed2488eab2a54dddfb9151921b

SHA256
78896bfff8fe409ed64efa88b054a1b0e9f85e8c4e42681a7463dc0df78f4847

SHA512
b659c67a7901b259666ff3b8a19a6342d08c070521f8e5bd8c5ae114c4b5dff424477c6b58dbd639c34bada7a92e7cc21c9a7b6d5490a24934072d70cf4f3eeb

Download Submit
C:\Windows\SysWOW64\WinHelp3.exe

Filesize
92KB

MD5
f649889dace83edee321671db451f078

SHA1
4f0a58b3099fc819330c8945332362bec334b3e2

SHA256
b5e1fc321db580a263d3ca370456e588a475a0e4f10cb545c85c4aaaa603a0f6

SHA512
79b1ba772d36dd1b02b7d79d000aae3b10082b16f6752756a97c7fd91f6ef12fdf6b528a620e460a832fe6e977f1b6ad72654dc6746afc24c8e5e2c46eb90085

Download Submit
\Windows\SysWOW64\WinHelp31.exe

Filesize
92KB

MD5
95f0e7cee0e9e55ee6d50a15bfc2e3ee

SHA1
789e039bc03564997ad9e97e8b0c9a57baeed8a1

SHA256
986ec70b9f092a2da9bc49bc7d27bfb8900761e4f30165501da1435098f1c64d

SHA512
53dbe8c563a66ab7beb3c1ada1c87af06967d8b5b9e299f74f2fc959513a1f79a3debba164cffeb150a206dfbd1b246fd5b8b82eda56acf8e3985ed4118552d4

Download Submit
memory/1672-23-0x0000000013150000-0x0000000013167000-memory.dmp

Filesize
92KB

Download
memory/1672-22-0x0000000013150000-0x0000000013167000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads