Analysis
max time kernel: 92s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240704-en locale:en-us os:windows10-2004-x64 system
submitted: 06/07/2024, 00:10
Static task: static1
Behavioral task: behavioral1
  Sample: 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
  Resource: win10v2004-20240704-en
General
Target: 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
Size: 92KB
MD5: 03ef5c5c86ac5d8886b082ea239a535b
SHA1: ee6f6ee8fcb8bb94d5b1bfa3cddd37f57374f055
SHA256: 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d
SHA512: ce4e78b94c639dc8d0603f3baceb0a77fdb353e8d94a8a6bd7d146f806a3b538e8d998e6a5717ef5e24fe2d7c4a79b84c537f24a160a453d4572cf165a2f4e8d
SSDEEP: 1536:g7EtvnKhWQtC3Izj6TrlDa2z6Ewd0zvPTQw9LBZRS8V3zhb:8EtvKztiIzj6xtDLBZRS8Vj5
Malware Config
Signatures
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp3.exe" | regedit.exe
- Deletes itself (1 IoCs)
  pid | Process
  3676 | WinHelp3.exe
- Executes dropped EXE (1 IoCs)
  pid | Process
  3676 | WinHelp3.exe
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\WinHelp3.exe | 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  2304 | 3732 | WerFault.exe | 87
  5056 | 3732 | WerFault.exe | 87
- Runs .reg file with regedit (1 IoCs)
  pid | Process
  3284 | regedit.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3676 | WinHelp3.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1504 wrote to memory of 3284 | 1504 | 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe | 83
  PID 1504 wrote to memory of 3284 | 1504 | 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe | 83
  PID 1504 wrote to memory of 3284 | 1504 | 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe | 83
  PID 1504 wrote to memory of 3676 | 1504 | 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe | 84
  PID 1504 wrote to memory of 3676 | 1504 | 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe | 84
  PID 1504 wrote to memory of 3676 | 1504 | 8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe | 84
  PID 3676 wrote to memory of 3732 | 3676 | WinHelp3.exe | 87
  PID 3676 wrote to memory of 3732 | 3676 | WinHelp3.exe | 87
  PID 3676 wrote to memory of 3732 | 3676 | WinHelp3.exe | 87
  PID 3676 wrote to memory of 3732 | 3676 | WinHelp3.exe | 87
Processes
(process tree; indentation shows parent/child depth, the signatures hit by each process follow its command line)

C:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe"
  PID: 1504
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regedit.exe
    command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240628203.reg
    PID: 3284
    - Boot or Logon Autostart Execution: Active Setup
    - Runs .reg file with regedit

  C:\Windows\SysWOW64\WinHelp3.exe
    command line: C:\Windows\system32\WinHelp3.exe kowdgjttg C:\Users\Admin\AppData\Local\Temp\8e58aa464884721c1b65faf5044f4a7999dd8ad10c3fff4ad165aa1e1e8ee84d.exe
    PID: 3676
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      command line: C:\Windows\system32\svchost.exe
      PID: 3732

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 200
        PID: 2304
        - Program crash

      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 208
        PID: 5056
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3732 -ip 3732
  PID: 4296

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3732 -ip 3732
  PID: 1416
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 378B
  MD5: d2614c747ce333f23bf1a115a0d19deb
  SHA1: ec018ab2016355ed2488eab2a54dddfb9151921b
  SHA256: 78896bfff8fe409ed64efa88b054a1b0e9f85e8c4e42681a7463dc0df78f4847
  SHA512: b659c67a7901b259666ff3b8a19a6342d08c070521f8e5bd8c5ae114c4b5dff424477c6b58dbd639c34bada7a92e7cc21c9a7b6d5490a24934072d70cf4f3eeb
- Filesize: 92KB
  MD5: c220909d4d1b361c5a5608eb1f29c91f
  SHA1: 581b2bdf1129488d6377896c9486a48accfc6b02
  SHA256: 14bd56fcf416a186d861e1cf0d4337ded95e3ead512a76b20ff2854814fd56b8
  SHA512: 523eb0bc641ffecb57ea446ec5a8ffdcdc639fca7e3fef3549d0faa29825adf45023a8b588ce97317ba2efb9a000ea066adfd3717497f4d6a8db6bac66103eba