Overview

Per-task severity scores (the sandbox's own score column, which had been fused onto the following filename in the raw export):

Target          Platform            Score
overview        -                   7
static          -                   7
Keygen.exe      windows7-x64        7
Keygen.exe      windows10-2004-x64  7
WinHex.exe      windows7-x64        6
WinHex.exe      windows10-2004-x64  6
dialogs.dll     windows7-x64        1
dialogs.dll     windows10-2004-x64  1
external.dll    windows7-x64        1
external.dll    windows10-2004-x64  1
psapi.dll       windows7-x64        1
psapi.dll       windows10-2004-x64  1
setup.exe       windows7-x64        7
setup.exe       windows10-2004-x64  7
zlib1.dll       windows7-x64        3
zlib1.dll       windows10-2004-x64  3
安装说明.url     windows7-x64        1
安装说明.url     windows10-2004-x64  1

(安装说明.url is a shortcut whose name means "installation instructions"; the filename is kept as-is.) The highest scores come from Keygen.exe and setup.exe; the bundled DLLs score 1.

Analysis
max time kernel: 147s
max time network: 17s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2024 01:40
Behavioral tasks

Task          Sample          Resource
behavioral1   Keygen.exe      win7-20240705-en
behavioral2   Keygen.exe      win10v2004-20240709-en
behavioral3   WinHex.exe      win7-20240708-en
behavioral4   WinHex.exe      win10v2004-20240709-en
behavioral5   dialogs.dll     win7-20240708-en
behavioral6   dialogs.dll     win10v2004-20240709-en
behavioral7   external.dll    win7-20240704-en
behavioral8   external.dll    win10v2004-20240709-en
behavioral9   psapi.dll       win7-20240705-en
behavioral10  psapi.dll       win10v2004-20240709-en
behavioral11  setup.exe       win7-20240705-en
behavioral12  setup.exe       win10v2004-20240709-en
behavioral13  zlib1.dll       win7-20240708-en
behavioral14  zlib1.dll       win10v2004-20240704-en
behavioral15  安装说明.url     win7-20240708-en
behavioral16  安装说明.url     win10v2004-20240709-en

The remainder of this report is the detail view for behavioral11 (setup.exe on win7-20240705-en), which is the platform and resource given above.
General

Target: setup.exe
Size: 27KB
MD5: 8bf8d9d1ec6093701cb0694f269d26fd
SHA1: e3a7c8ad993c5771792434c48e823f86b6a89640
SHA256: fa5c38f264aba0e77e8752feb1ce2dfec1cf80154c136e8b816f251f1ac2ab76
SHA512: ee06a25a995c77672f13ca6c9fc5477cb50c964ef4b50b4fa0dab38a72c62f5f2485cb4d54e1edcc8f504d0ed22b420f0d931cccb4b529b0db2761ab68c5a42c
SSDEEP: 768:ADTNi7eKAKn3zSVy/E7fI34RocT/etFbZcoQiw/ZOuYoE:qBi7e6zSFPX/eioQiwbYH
Malware Config
Signatures
Executes dropped EXE 1 IoCs
PID   Process
2688  WinHex.exe

Loads dropped DLL 6 IoCs
PID   Process        Loads
712   setup.exe      2
2688  WinHex.exe     4
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: WinHex.exe (PID 2688 in the process tree below). File opened (read-only) on each of these 21 drive roots (A:, B:, C:, D: and F: are absent from the list):
\??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:

Context: WinHex is a hex and disk editor (the registry values it writes below describe an "X-Ways Forensics Case File" type), so probing every volume root at start-up is consistent with its normal function. The signature is still worth noting because the same access pattern is what it exists to catch in encryptors and wipers; the process identity, not the pattern alone, is what makes it benign here.
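The signature above is a count of distinct drive roots opened by one process. As an added example (not part of the sandbox report), the following Python reproduces that heuristic over event lines constructed in the report's own "File opened (read-only) \??\X: WinHex.exe" format, excluding C: as the signature text does; the explorer.exe and notepad.exe lines are constructed negatives, and the threshold of three letters is an assumption, not a value from the report.

```python
"""Detect the behaviour behind "Enumerates connected drives": one process opening
many drive-letter roots.  Added example; the event lines are constructed in the
report's format, not copied from it."""
import re
from collections import defaultdict

# Constructed sample: the 21 drive roots the report lists for WinHex.exe, plus two
# benign lines (system drive only; a file open that is not a bare drive root).
SAMPLE_EVENTS = [
    f"File opened (read-only) \\??\\{letter}: WinHex.exe"
    for letter in "EGHIJKLMNOPQRSTUVWXYZ"
] + [
    "File opened (read-only) \\??\\C: explorer.exe",
    "File opened (read-only) \\??\\C:\\Users\\Admin\\notes.txt notepad.exe",
]

# Matches only a bare NT drive root (\??\X:) followed by the process name;
# a path below the root (\??\C:\Users\...) does not match.
DRIVE_ROOT = re.compile(
    r"^File opened \([^)]+\) \\\?\?\\(?P<letter>[A-Z]):\s+(?P<proc>\S+)$"
)


def drive_probes(events):
    """Map process name -> set of drive letters whose root it opened."""
    probes = defaultdict(set)
    for line in events:
        m = DRIVE_ROOT.match(line)
        if m:
            probes[m.group("proc")].add(m.group("letter"))
    return probes


def flag_enumerators(events, min_letters=3, ignore=("C",)):
    """Return {process: sorted drive letters} for processes that opened at
    least `min_letters` roots other than the ignored (system) drive.  The
    threshold is a tunable assumption, not a value from the report."""
    flagged = {}
    for proc, letters in drive_probes(events).items():
        interesting = sorted(letters - set(ignore))
        if len(interesting) >= min_letters:
            flagged[proc] = interesting
    return flagged


if __name__ == "__main__":
    for proc, letters in flag_enumerators(SAMPLE_EVENTS).items():
        print(f"{proc}: opened {len(letters)} drive roots: {' '.join(letters)}")
```

Run stand-alone it reports WinHex.exe with 21 roots and nothing for explorer.exe or notepad.exe. The regex anchors on the bare root so that ordinary file opens under C:\ never count, which is the distinction the signature text draws.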
Drops file in Program Files directory 63 IoCs
All paths are under C:\Program Files (x86)\WinHex\. The process is setup.exe (PID 712) for 62 of the 63 operations; the one exception is marked.

File created by setup.exe (40):
  WinHex.exe
  psapi.dll
  zlib1.dll
  external.dll
  dialogs.dat
  language.dat
  timezone.dat
  EBCDIC.dat
  WinHex.hlp
  WinHex.cnt
  WinHex-d.hlp
  WinHex-d.cnt
  Boot Sector FAT.tpl
  Boot Sector FAT32.tpl
  Boot Sector NTFS.tpl
  Ext Directory Entry.tpl
  Ext Group Descriptor.tpl
  Ext Inode.tpl
  Ext Superblock.tpl
  FAT Directory Entry.tpl
  FAT LFN Entry.tpl
  HFS+ Volume Header.tpl
  Master Boot Record.tpl
  NTFS FILE Record.tpl
  Reiser Superblock.tpl
  Reiser4 Superblock.tpl
  Sample script.whs
  Text file conversion UNIX - Windows.whs
  Text file conversion Windows - UNIX.whs
  File Type Signatures.txt
  dd_SetupUtility.txt
  dd_vcredistMSI3E50.txt
  dd_vcredistMSI3E95.txt
  dd_vcredistUI3E50.txt
  dd_vcredistUI3E95.txt
  dd_wcf_CA_smci_20240705_131657_543.txt
  dd_wcf_CA_smci_20240705_131658_089.txt
  dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
  Microsoft .NET Framework 4.7.2 Setup_20240705_131645718-MSI_netfx_Full_x64.msi.txt
  FXSAPIDebugLogFile.txt

File opened for modification by setup.exe (22):
  WinHex.exe
  psapi.dll
  zlib1.dll
  external.dll
  rar.dll
  hi.dll
  hash.dll
  DevIL.dll
  zip.dll
  zip.exe
  dialogs.dat
  language.dat
  timezone.dat
  EBCDIC.dat
  m.dat
  Chinese.dat
  Chinese2.dat
  user.txt
  WinHex.hlp
  WinHex.cnt
  WinHex-d.hlp
  WinHex-d.cnt

File created by WinHex.exe (1):
  WinHex Admin.cfg

Note on the ten dd_*.txt, .NET Framework setup and FXSAPIDebugLogFile.txt entries: these are named like installer logs left in %TEMP% when the analysis image was built (the 20240705 timestamps in their names match the image tag win7-20240705-en), not like anything a hex editor ships. setup.exe itself ran from %TEMP% (see the process tree), so their appearance under Program Files (x86)\WinHex suggests the installer copied the whole contents of its working directory rather than a fixed file list. Treat them as sandbox artefacts, not as part of the sample's payload, when building indicators from this list.
Modifies Internet Explorer settings 1 IoCs
Operation    Key                                                                                               Process
Key created  \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main  helppane.exe
(The signature name is taken from the helppane.exe entry in the process tree below; this key is the per-user Internet Explorer settings root, and helppane.exe is an HTML-based Windows help component.)
Modifies registry class 32 IoCs
All keys are under HKLM\SOFTWARE\Classes (\REGISTRY\MACHINE\SOFTWARE\Classes) and all 32 operations are by WinHex.exe. Backslash escaping from the raw log has been removed from the values; "(default)" is the key's unnamed value.

Extension mappings (6)
  Key created  .whs
  Set value    .whs (default) = "WHSFile"
  Key created  .whx
  Set value    .whx (default) = "WHXFile"
  Key created  .xfc
  Set value    .xfc (default) = "XFCFile"

WHSFile (10)
  Key created  WHSFile
  Set value    WHSFile (default)  (value not shown in the log)
  Key created  WHSFile\DefaultIcon
  Set value    WHSFile\DefaultIcon (default) = "C:\Program Files (x86)\WinHex\winhex.exe",3
  Key created  WHSFile\shell
  Key created  WHSFile\shell\Command
  Set value    WHSFile\shell\Command (default) = notepad.exe "%1"
  Key created  WHSFile\shell\Open
  Key created  WHSFile\shell\Open\Command
  Set value    WHSFile\shell\Open\Command (default) = "C:\Program Files (x86)\WinHex\winhex.exe" "%1"

WHXFile (8)
  Key created  WHXFile
  Set value    WHXFile (default)  (value not shown in the log)
  Key created  WHXFile\DefaultIcon
  Set value    WHXFile\DefaultIcon (default) = "C:\Program Files (x86)\WinHex\winhex.exe",0
  Key created  WHXFile\shell
  Key created  WHXFile\shell\Open
  Key created  WHXFile\shell\Open\Command
  Set value    WHXFile\shell\Open\Command (default) = "C:\Program Files (x86)\WinHex\winhex.exe" "%1"

XFCFile (8)
  Key created  XFCFile
  Set value    XFCFile (default) = "X-Ways Forensics Case File"
  Key created  XFCFile\DefaultIcon
  Set value    XFCFile\DefaultIcon (default) = "C:\Program Files (x86)\WinHex\winhex.exe",0
  Key created  XFCFile\shell
  Key created  XFCFile\shell\Open
  Key created  XFCFile\shell\Open\Command
  Set value    XFCFile\shell\Open\Command (default) = "C:\Program Files (x86)\WinHex\winhex.exe" "%1"

These are per-machine file-association registrations for three extensions the product owns (.whs, .whx, .xfc). Every Open handler points at the freshly installed winhex.exe, and the one other handler (WHSFile\shell\Command) is the system notepad.exe. No pre-existing extension is redirected, so this matches an installer registering its own file types rather than an association hijack.
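To turn raw "Modifies registry class" IoCs into something reviewable, this added Python example (not part of the sandbox report) parses Set value lines in the report's own format, rebuilds each extension -> ProgID -> shell command chain, and checks where every handler executable lives relative to the install directory the report shows. The event lines are constructed; the first five mirror the report's .whs and .xfc chains, while the .txt -> EvilFile -> dropper.exe lines are a hypothetical hijack added so the check has a positive case.

```python
"""Rebuild file-type registrations from "Modifies registry class" events and check
where each handler points.  Added example, not part of the report.  Event lines are
constructed in the report's format; the install directory is the one the report
shows (C:\\Program Files (x86)\\WinHex)."""
import re

# Constructed events.  The first six mirror the report's .whs/.xfc chains; the
# .txt -> EvilFile -> dropper.exe lines are a HYPOTHETICAL hijack used as a positive case.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.whs\ = "WHSFile" WinHex.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WHSFile\shell\Open\Command\ = "\"C:\\Program Files (x86)\\WinHex\\winhex.exe\" \"%1\"" WinHex.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WHSFile\shell\Command\ = "notepad.exe \"%1\"" WinHex.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xfc\ = "XFCFile" WinHex.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XFCFile\shell\Open\Command\ = "\"C:\\Program Files (x86)\\WinHex\\winhex.exe\" \"%1\"" WinHex.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XFCFile\shell\Open\Command WinHex.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "EvilFile" dropper.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\EvilFile\shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\u.exe\" \"%1\"" dropper.exe',
]

# Only "Set value (str)" lines carry data; "Key created" lines are skipped.
SET_VALUE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<key>\S+)\\ = "(?P<val>.*)" (?P<proc>\S+)$'
)


def unescape(s):
    """Undo the log's backslash escaping: \\" -> " and \\\\ -> \\ ."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def handler_exe(command):
    """Executable part of a shell command: quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_events(events):
    """Return (ext -> ProgID, (ProgID, verb) -> (command, process))."""
    ext_map, commands = {}, {}
    for line in events:
        m = SET_VALUE.match(line)
        if not m:
            continue
        key, val, proc = m.group("key"), unescape(m.group("val")), m.group("proc")
        parts = key.split("\\")
        if len(parts) == 1 and parts[0].startswith("."):
            ext_map[parts[0]] = val                      # .whs -> WHSFile
        elif len(parts) >= 3 and parts[1] == "shell" and parts[-1] == "Command":
            verb = parts[2] if len(parts) == 4 else "(direct)"  # shell\Open\Command vs shell\Command
            commands[(parts[0], verb)] = (val, proc)
    return ext_map, commands


def classify(exe, install_dir):
    """Where does the handler live?  Inside the installer's directory is expected;
    a bare name resolves through PATH/App Paths; anything else deserves a look."""
    if exe.lower().startswith(install_dir.lower().rstrip("\\") + "\\"):
        return "installer's own directory"
    if "\\" not in exe:
        return "bare name (resolved via PATH or App Paths)"
    return "OUTSIDE install dir: review"


def audit(events, install_dir=r"C:\Program Files (x86)\WinHex"):
    """Rows of (ext, ProgID, verb, handler exe, verdict, writing process)."""
    ext_map, commands = parse_events(events)
    rows = []
    for ext, progid in sorted(ext_map.items()):
        for (prog, verb), (cmd, proc) in sorted(commands.items()):
            if prog == progid:
                exe = handler_exe(cmd)
                rows.append((ext, progid, verb, exe, classify(exe, install_dir), proc))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_EVENTS):
        print(" | ".join(row))
```

On the report's own events every handler resolves to the installer's directory or to notepad.exe; only the constructed EvilFile chain is flagged, which is the shape an association hijack would take (a common extension repointed at a user-writable path).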
Suspicious use of AdjustPrivilegeToken 6 IoCs
Token                     PID   Process       Count
SeRestorePrivilege        712   setup.exe     1
SeBackupPrivilege         712   setup.exe     1
SeTakeOwnershipPrivilege  1384  helppane.exe  4

Suspicious use of FindShellTrayWindow 1 IoCs
PID   Process
1384  helppane.exe

Suspicious use of SetWindowsHookEx 3 IoCs
PID   Process       Count
2688  WinHex.exe    1
1384  helppane.exe  2

Suspicious use of WriteProcessMemory 14 IoCs
The 14 entries are two distinct parent-to-child edges, each repeated seven times:
Source PID  Source process  Target PID  Sandbox target id  Count
712         setup.exe       2688        30                 7
2688        WinHex.exe      3048        31                 7
Both edges coincide with parent/child pairs in the process tree below (setup.exe launches WinHex.exe, which launches winhlp32.exe).
Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe  (PID 712, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\WinHex\WinHex.exe  (PID 2688, depth 2)
    Command line: "C:\Program Files (x86)\WinHex\WinHex.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\winhlp32.exe  (PID 3048, depth 3)
      Command line: winhlp32.exe -x

C:\Windows\helppane.exe  (PID 1384, depth 1)
  Command line: C:\Windows\helppane.exe -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

helppane.exe is a separate root, not a child of setup.exe: the -Embedding switch marks a COM activation, so it was started by the COM infrastructure rather than by the sample. On Windows 7 the built-in C:\Windows\winhlp32.exe is a stub that hands legacy .hlp requests to Help and Support (helppane.exe), so WinHex.exe -> winhlp32.exe -> helppane.exe is consistent with WinHex opening its own WinHex.hlp, which setup.exe dropped above. The helppane.exe signatures (SeTakeOwnershipPrivilege, SetWindowsHookEx, FindShellTrayWindow, Internet Explorer settings) therefore belong to a Windows component, not to the sample's code.
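The WriteProcessMemory section lists 14 near-identical IoCs that are really two parent-to-child edges, and the process tree shows helppane.exe as a separate root. This added Python example (not part of the sandbox report) collapses such lines into counted edges and renders the tree, treating any process that no captured process wrote into as a root, which is how a COM-activated process such as helppane.exe -Embedding shows up. PIDs and names are taken from the report; the event lines themselves are constructed in its format.

```python
"""Collapse repeated "wrote to memory of" IoCs into counted parent->child edges and
render the process tree.  Added example, not part of the report; PIDs and names
come from the report, the event lines are constructed in its format."""
import re
from collections import Counter, defaultdict

# Constructed to match the report: 7 identical lines per edge.
SAMPLE_WPM = (
    ["PID 712 wrote to memory of 2688 712 setup.exe 30"] * 7
    + ["PID 2688 wrote to memory of 3048 2688 WinHex.exe 31"] * 7
)
# Every process in the report's tree, including the one with no recorded parent.
SAMPLE_PROCS = {712: "setup.exe", 2688: "WinHex.exe", 3048: "winhlp32.exe", 1384: "helppane.exe"}

# "PID <src> wrote to memory of <dst> <src> <name> <sandbox target id>"
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<name>\S+) (?P<target>\d+)$"
)


def edges(events):
    """Counter{(parent_pid, child_pid): number of WriteProcessMemory IoCs}."""
    counts = Counter()
    for line in events:
        m = WPM_RE.match(line)
        if m:
            counts[(int(m.group("src")), int(m.group("dst")))] += 1
    return counts


def build_tree(procs, wpm_edges):
    """Return (children map, sorted roots).  A root is a known process that no
    captured process wrote into; its real parent lies outside the events."""
    children = defaultdict(list)
    has_parent = set()
    for parent, child in wpm_edges:
        children[parent].append(child)
        has_parent.add(child)
    roots = sorted(pid for pid in procs if pid not in has_parent)
    return children, roots


def render(procs, wpm_edges):
    """Indented text tree, one line per process plus one per counted edge."""
    children, roots = build_tree(procs, wpm_edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{procs[pid]} (PID {pid})")
        for child in sorted(children[pid]):
            lines.append("  " * depth + f"  wrote to memory of {child} x{wpm_edges[(pid, child)]}")
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_PROCS, edges(SAMPLE_WPM))))
```

The output has two roots, setup.exe (PID 712) and helppane.exe (PID 1384); the second has no incoming edge, which is the cue to check its command line (here -Embedding) rather than assume the sample spawned it.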
Network
MITRE ATT&CK Enterprise v15
Downloads

Files captured by the sandbox (names not recorded in this view):

File 1
  Filesize: 191KB
  MD5: 7861cb55b7d23012130a3b2284d0803d
  SHA1: 6a3475a9c29731a1c65205341fa8d18c377df915
  SHA256: 9ae718f4dafcd9da1e55e2a4b657a991653d73c8b5fe4611f7414cef382398d0
  SHA512: ab54aafa69d7b51c81ab57216fa6d3e67882a23126e7381d973c094e924e469f302384eddc8b1b306174b7a81b9ec7f8982e161c216a6311345f18ce86a5d980

File 2
  Filesize: 2KB
  MD5: 843affb88952e79d8c1e8a49d504a985
  SHA1: 13155598b4177bb92eae44b49fe40a580b924777
  SHA256: 1cfc1a7a614e4cbf35d335d93c9130c0bb4ed55dca727b277a1537213a360e17
  SHA512: 4e99f9e2f2f18af2dc942dc67a40e1939e85f537e528284b0eb056b6775326128fa7526b5feb40f3c861e5bd0e4f96a9591c119dc16955efdf15e2a04d6e2c3d

File 3
  Filesize: 1.4MB
  MD5: 0bc48abad1ce6dc97a649e42f31d668f
  SHA1: 66b405640d43de81951e6202c2d7c239949ed6a6
  SHA256: 8fb578ca01388b5e2d6749418ee072d1b52a7c03e0aebcf0265f88f74d68e138
  SHA512: a5f4ddfa5d9123b9705b77b8ca801e72bcadf30a6e8c380284f4ab5357ad02c88a31471e8c09b469d70d2158861cc793fb2c91303f183779727c5bb63bfed19d

File 4
  Filesize: 150KB
  MD5: 45c6e0a1949c5c4feecfa8c66fdab2a6
  SHA1: 50d286260a53b616168c85553e2b27a0b061afca
  SHA256: 2f7eac54a270466b035590faa774e6c6450f81645d5d5688227e75230f8b7b7a
  SHA512: 1dc516a3879bef83f76cd2f88bf0d1cb93685a890e5937b74b8de9d1d0a5abcef7834e69d9759e744183c23fd0dd7cd63b1b96363b39c5a3c36caa993eefc75d