Analysis Overview
SHA256
6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6
Threat Level: Likely malicious
The file 6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6 was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:58
Reported
2024-11-09 23:00
Platform
win7-20240708-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp3.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz | C:\Windows\SysWOW64\regedit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WinHelp3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WinHelp3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\WinHelp3.exe | C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp3.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WinHelp3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe
"C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259437103.reg
C:\Windows\SysWOW64\WinHelp3.exe
C:\Windows\system32\WinHelp3.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
C:\Windows\SysWOW64\WinHelp3.exe
| MD5 | 934430ef9fc73acf48f6a34803940570 |
| SHA1 | b9f18822cefea4f447b5ad8651efbd7ada3ea180 |
| SHA256 | 0c8a7fce609317c9f693fe01b01956e17b2edbe0ccf107c540778079546b674c |
| SHA512 | 3ac95b8aaa065d7497ffe8e9830769bb56586ff095a301166c27bfa2187ada008509a101cfc817422228dc5b0c2f7af649916ae30eaf4ac91546199a497fa599 |
C:\Users\Admin\AppData\Local\Temp\259437103.reg
| MD5 | d2614c747ce333f23bf1a115a0d19deb |
| SHA1 | ec018ab2016355ed2488eab2a54dddfb9151921b |
| SHA256 | 78896bfff8fe409ed64efa88b054a1b0e9f85e8c4e42681a7463dc0df78f4847 |
| SHA512 | b659c67a7901b259666ff3b8a19a6342d08c070521f8e5bd8c5ae114c4b5dff424477c6b58dbd639c34bada7a92e7cc21c9a7b6d5490a24934072d70cf4f3eeb |
memory/1708-11-0x0000000013150000-0x0000000013167000-memory.dmp
memory/1708-12-0x0000000013150000-0x0000000013167000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:58
Reported
2024-11-09 23:00
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
146s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp43.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp0.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WinHelp43.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WinHelp43.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp0.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\WinHelp43.exe | C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe | N/A |
| File created | C:\Windows\SysWOW64\WinHelp0.exe | C:\Windows\SysWOW64\WinHelp43.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp43.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp0.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WinHelp0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe
"C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240613343.reg
C:\Windows\SysWOW64\WinHelp43.exe
C:\Windows\system32\WinHelp43.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240613500.reg
C:\Windows\SysWOW64\WinHelp0.exe
C:\Windows\system32\WinHelp0.exe kowdgjttgC:\Windows\SysWOW64\WinHelp43.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1072 -ip 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 204
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 244
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\WinHelp43.exe
| MD5 | 8df534d17dbcc74457e8e3d02f36d639 |
| SHA1 | d35d3db4c320b50ba4a0649936a95bc92135560c |
| SHA256 | eb73d259286542a5bfc77374ac6e32db1d2e51fe19d5861926ff86723253fd51 |
| SHA512 | a5cda1d70cf334da2d6aadb50301ef53dc9f11b5bb715b2eb47274eda509f7ba0e7a9f591b7d996891edf75c87c619ed8bc2838c87d6d358a2654c4f8fddb209 |
C:\Users\Admin\AppData\Local\Temp\240613343.reg
| MD5 | b76309b7f7a386769b2350a10fe83a93 |
| SHA1 | 85742932c28ebb5ff69583f5b08fe6968f4c5d00 |
| SHA256 | d1435b34422e117bcb78c0f91e4f1545ba732f10cf14e3beab38f73c5f86872d |
| SHA512 | 053c548fa6fded64db3029af529a6a849277a4b10988e5e4b7494ee2ff53c8c0d88c6f55fc591e4aef688da3e9809df388a3391717eac4a2321056e31f5f953a |
C:\Users\Admin\AppData\Local\Temp\240613500.reg
| MD5 | 0541b3cc70dff0d7f7b486cd26f824ab |
| SHA1 | 162d51f4dddeff78dea3bd50128992cb978c55f5 |
| SHA256 | 1fac66cdce047a619d524e01b5d4fa4048059f7eb0d9763798f4f535fb9391b3 |
| SHA512 | 95ad3d096f1051bb192bfccc988a935cb92801de62e517c03fbf5190ebbabb9d9705d76e9f02616958a3d84fd17dade551b5a03d56d237ee44c3c8a4ede3c4cd |
C:\Windows\SysWOW64\WinHelp0.exe
| MD5 | 0a66bf9eff5b73fe5876ed767fa3ad3e |
| SHA1 | 2c7f94034a478d5c681ecedf5f11467c167aac54 |
| SHA256 | 35887ffdf2f9fbe98099e127d30d3feed8475002756943ea015791d6f828be55 |
| SHA512 | 85fe151e9c9c70891c6d9ee1140b95a2b86cc6d166741c6c0fdc40dc85556d6b255810961a31da4bfe7d53ca6646b958e10e746b6d4715bc3c1024be9f4a1b17 |
memory/1072-12-0x0000000013150000-0x0000000013167000-memory.dmp