Malware Analysis Report

2025-04-03 11:53

Sample ID: 241109-2xzbgawrfq
Target: 6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6
SHA256: 6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6
Tags: discovery persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10
SHA256: 6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6

Threat Level: Likely malicious

The file 6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6 was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Runs .reg file with regedit

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 22:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 22:58
Reported: 2024-11-09 23:00
Platform: win7-20240708-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp3.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz C:\Windows\SysWOW64\regedit.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinHelp3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinHelp3.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinHelp3.exe C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinHelp3.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WinHelp3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2568 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\regedit.exe
PID 2568 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\regedit.exe
PID 2568 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\regedit.exe
PID 2568 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\regedit.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\WinHelp3.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\WinHelp3.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\WinHelp3.exe
PID 2568 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\WinHelp3.exe
PID 2396 wrote to memory of 1708 N/A C:\Windows\SysWOW64\WinHelp3.exe C:\Windows\SysWOW64\svchost.exe
PID 2396 wrote to memory of 1708 N/A C:\Windows\SysWOW64\WinHelp3.exe C:\Windows\SysWOW64\svchost.exe
PID 2396 wrote to memory of 1708 N/A C:\Windows\SysWOW64\WinHelp3.exe C:\Windows\SysWOW64\svchost.exe
PID 2396 wrote to memory of 1708 N/A C:\Windows\SysWOW64\WinHelp3.exe C:\Windows\SysWOW64\svchost.exe
PID 2396 wrote to memory of 1708 N/A C:\Windows\SysWOW64\WinHelp3.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe

"C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259437103.reg

C:\Windows\SysWOW64\WinHelp3.exe

C:\Windows\system32\WinHelp3.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

Network

N/A

Files

C:\Windows\SysWOW64\WinHelp3.exe

MD5 934430ef9fc73acf48f6a34803940570
SHA1 b9f18822cefea4f447b5ad8651efbd7ada3ea180
SHA256 0c8a7fce609317c9f693fe01b01956e17b2edbe0ccf107c540778079546b674c
SHA512 3ac95b8aaa065d7497ffe8e9830769bb56586ff095a301166c27bfa2187ada008509a101cfc817422228dc5b0c2f7af649916ae30eaf4ac91546199a497fa599

C:\Users\Admin\AppData\Local\Temp\259437103.reg

MD5 d2614c747ce333f23bf1a115a0d19deb
SHA1 ec018ab2016355ed2488eab2a54dddfb9151921b
SHA256 78896bfff8fe409ed64efa88b054a1b0e9f85e8c4e42681a7463dc0df78f4847
SHA512 b659c67a7901b259666ff3b8a19a6342d08c070521f8e5bd8c5ae114c4b5dff424477c6b58dbd639c34bada7a92e7cc21c9a7b6d5490a24934072d70cf4f3eeb

memory/1708-11-0x0000000013150000-0x0000000013167000-memory.dmp

memory/1708-12-0x0000000013150000-0x0000000013167000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 22:58
Reported: 2024-11-09 23:00
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp43.exe" C:\Windows\SysWOW64\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz C:\Windows\SysWOW64\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\~@II5IG590-8G?076<3*<5><0-HH2IGCE:?IHz\stubpath = "C:\\Windows\\system32\\WinHelp0.exe" C:\Windows\SysWOW64\regedit.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinHelp43.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WinHelp43.exe N/A
N/A N/A C:\Windows\SysWOW64\WinHelp0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WinHelp43.exe C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe N/A
File created C:\Windows\SysWOW64\WinHelp0.exe C:\Windows\SysWOW64\WinHelp43.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinHelp43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WinHelp0.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WinHelp0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4564 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\regedit.exe
PID 4564 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\regedit.exe
PID 4564 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\regedit.exe
PID 4564 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\WinHelp43.exe
PID 4564 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\WinHelp43.exe
PID 4564 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe C:\Windows\SysWOW64\WinHelp43.exe
PID 2644 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WinHelp43.exe C:\Windows\SysWOW64\regedit.exe
PID 2644 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WinHelp43.exe C:\Windows\SysWOW64\regedit.exe
PID 2644 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WinHelp43.exe C:\Windows\SysWOW64\regedit.exe
PID 2644 wrote to memory of 4112 N/A C:\Windows\SysWOW64\WinHelp43.exe C:\Windows\SysWOW64\WinHelp0.exe
PID 2644 wrote to memory of 4112 N/A C:\Windows\SysWOW64\WinHelp43.exe C:\Windows\SysWOW64\WinHelp0.exe
PID 2644 wrote to memory of 4112 N/A C:\Windows\SysWOW64\WinHelp43.exe C:\Windows\SysWOW64\WinHelp0.exe
PID 4112 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WinHelp0.exe C:\Windows\SysWOW64\svchost.exe
PID 4112 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WinHelp0.exe C:\Windows\SysWOW64\svchost.exe
PID 4112 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WinHelp0.exe C:\Windows\SysWOW64\svchost.exe
PID 4112 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WinHelp0.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe

"C:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe"

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240613343.reg

C:\Windows\SysWOW64\WinHelp43.exe

C:\Windows\system32\WinHelp43.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\6648a3dc523230e1d1ea0974be4480c2288267f419fb4cda625a1c52360d31f6.exe

C:\Windows\SysWOW64\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240613500.reg

C:\Windows\SysWOW64\WinHelp0.exe

C:\Windows\system32\WinHelp0.exe kowdgjttgC:\Windows\SysWOW64\WinHelp43.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1072 -ip 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 244

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\WinHelp43.exe

MD5 8df534d17dbcc74457e8e3d02f36d639
SHA1 d35d3db4c320b50ba4a0649936a95bc92135560c
SHA256 eb73d259286542a5bfc77374ac6e32db1d2e51fe19d5861926ff86723253fd51
SHA512 a5cda1d70cf334da2d6aadb50301ef53dc9f11b5bb715b2eb47274eda509f7ba0e7a9f591b7d996891edf75c87c619ed8bc2838c87d6d358a2654c4f8fddb209

C:\Users\Admin\AppData\Local\Temp\240613343.reg

MD5 b76309b7f7a386769b2350a10fe83a93
SHA1 85742932c28ebb5ff69583f5b08fe6968f4c5d00
SHA256 d1435b34422e117bcb78c0f91e4f1545ba732f10cf14e3beab38f73c5f86872d
SHA512 053c548fa6fded64db3029af529a6a849277a4b10988e5e4b7494ee2ff53c8c0d88c6f55fc591e4aef688da3e9809df388a3391717eac4a2321056e31f5f953a

C:\Users\Admin\AppData\Local\Temp\240613500.reg

MD5 0541b3cc70dff0d7f7b486cd26f824ab
SHA1 162d51f4dddeff78dea3bd50128992cb978c55f5
SHA256 1fac66cdce047a619d524e01b5d4fa4048059f7eb0d9763798f4f535fb9391b3
SHA512 95ad3d096f1051bb192bfccc988a935cb92801de62e517c03fbf5190ebbabb9d9705d76e9f02616958a3d84fd17dade551b5a03d56d237ee44c3c8a4ede3c4cd

C:\Windows\SysWOW64\WinHelp0.exe

MD5 0a66bf9eff5b73fe5876ed767fa3ad3e
SHA1 2c7f94034a478d5c681ecedf5f11467c167aac54
SHA256 35887ffdf2f9fbe98099e127d30d3feed8475002756943ea015791d6f828be55
SHA512 85fe151e9c9c70891c6d9ee1140b95a2b86cc6d166741c6c0fdc40dc85556d6b255810961a31da4bfe7d53ca6646b958e10e746b6d4715bc3c1024be9f4a1b17

memory/1072-12-0x0000000013150000-0x0000000013167000-memory.dmp