Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
  Resource: win10v2004-20241007-en
General
Target: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
Size: 49KB
MD5: 23199494a158a78e1a1f926752ea9952
SHA1: 5f9957054a0d69568d818b625cc8605b0dfc497c
SHA256: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74
SHA512: af3bda0090d4fda542cad1974833d92dfbaf2dbe6e8d075c516869f81e3e8860d40048c647005d8415e3fcac0d10e78bb0f5b7846d2f3580ac658ec35b1fbfe4
SSDEEP: 768:Sv4MEc04ZzLh3VtAghWjg8qstaNC7WlH8VTrf7AshVN/OE/:SwMEcVLh3QghuGCqV8V3zhb/
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp83.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp11.exe" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | regedit.exe
Deletes itself (1 IoC)
pid | Process
2736 | WinHelp11.exe
Executes dropped EXE (2 IoCs)
pid | Process
2736 | WinHelp11.exe
3012 | WinHelp83.exe
Loads dropped DLL (4 IoCs)
pid | Process
2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
2736 | WinHelp11.exe
2736 | WinHelp11.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\WinHelp11.exe | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
File created | C:\Windows\SysWOW64\WinHelp83.exe | WinHelp11.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinHelp83.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinHelp11.exe
Runs .reg file with regedit (2 IoCs)
pid | Process
2724 | regedit.exe
2684 | regedit.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeShutdownPrivilege | 3012 | WinHelp83.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 2008 wrote to memory of 2724 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 30
PID 2008 wrote to memory of 2724 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 30
PID 2008 wrote to memory of 2724 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 30
PID 2008 wrote to memory of 2724 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 30
PID 2008 wrote to memory of 2736 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 31
PID 2008 wrote to memory of 2736 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 31
PID 2008 wrote to memory of 2736 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 31
PID 2008 wrote to memory of 2736 | 2008 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 31
PID 2736 wrote to memory of 2684 | 2736 | WinHelp11.exe | 32
PID 2736 wrote to memory of 2684 | 2736 | WinHelp11.exe | 32
PID 2736 wrote to memory of 2684 | 2736 | WinHelp11.exe | 32
PID 2736 wrote to memory of 2684 | 2736 | WinHelp11.exe | 32
PID 2736 wrote to memory of 3012 | 2736 | WinHelp11.exe | 33
PID 2736 wrote to memory of 3012 | 2736 | WinHelp11.exe | 33
PID 2736 wrote to memory of 3012 | 2736 | WinHelp11.exe | 33
PID 2736 wrote to memory of 3012 | 2736 | WinHelp11.exe | 33
PID 3012 wrote to memory of 2856 | 3012 | WinHelp83.exe | 34
PID 3012 wrote to memory of 2856 | 3012 | WinHelp83.exe | 34
PID 3012 wrote to memory of 2856 | 3012 | WinHelp83.exe | 34
PID 3012 wrote to memory of 2856 | 3012 | WinHelp83.exe | 34
PID 3012 wrote to memory of 2856 | 3012 | WinHelp83.exe | 34
Processes
C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2008
  C:\Windows\SysWOW64\regedit.exe
    Command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465511.reg
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID: 2724
  C:\Windows\SysWOW64\WinHelp11.exe
    Command line: C:\Windows\system32\WinHelp11.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2736
    C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465683.reg
      - Boot or Logon Autostart Execution: Active Setup
      - System Location Discovery: System Language Discovery
      - Runs .reg file with regedit
      PID: 2684
    C:\Windows\SysWOW64\WinHelp83.exe
      Command line: C:\Windows\system32\WinHelp83.exe kowdgjttgC:\Windows\SysWOW64\WinHelp11.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3012
      C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 2856
Network
MITRE ATT&CK Enterprise v15
Downloads