Analysis

max time kernel: 95s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/11/2024, 13:49
Static task: static1

Behavioral task: behavioral1
  Sample: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
  Resource: win10v2004-20241007-en
General

Target: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
Size: 49KB
MD5: 23199494a158a78e1a1f926752ea9952
SHA1: 5f9957054a0d69568d818b625cc8605b0dfc497c
SHA256: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74
SHA512: af3bda0090d4fda542cad1974833d92dfbaf2dbe6e8d075c516869f81e3e8860d40048c647005d8415e3fcac0d10e78bb0f5b7846d2f3580ac658ec35b1fbfe4
SSDEEP: 768:Sv4MEc04ZzLh3VtAghWjg8qstaNC7WlH8VTrf7AshVN/OE/:SwMEcVLh3QghuGCqV8V3zhb/
Malware Config
Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  - Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | regedit.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp81.exe" | regedit.exe

Deletes itself (1 IoCs)
  pid | Process
  - 2664 | WinHelp81.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  - 2664 | WinHelp81.exe

Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  - File created | C:\Windows\SysWOW64\WinHelp81.exe | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  - 4492 | 4344 | WerFault.exe | 88
  - 3308 | 4344 | WerFault.exe | 88
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.
  description | ioc | Process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regedit.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WinHelp81.exe
Runs .reg file with regedit (1 IoCs)
  pid | Process
  - 4660 | regedit.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  - Token: SeShutdownPrivilege | 2664 | WinHelp81.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  - PID 2912 wrote to memory of 4660 | 2912 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 84
  - PID 2912 wrote to memory of 4660 | 2912 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 84
  - PID 2912 wrote to memory of 4660 | 2912 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 84
  - PID 2912 wrote to memory of 2664 | 2912 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 85
  - PID 2912 wrote to memory of 2664 | 2912 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 85
  - PID 2912 wrote to memory of 2664 | 2912 | 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | 85
  - PID 2664 wrote to memory of 4344 | 2664 | WinHelp81.exe | 88
  - PID 2664 wrote to memory of 4344 | 2664 | WinHelp81.exe | 88
  - PID 2664 wrote to memory of 4344 | 2664 | WinHelp81.exe | 88
  - PID 2664 wrote to memory of 4344 | 2664 | WinHelp81.exe | 88
Processes

The bracketed number is the process depth in the tree as reported by the sandbox.

[1] C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"
    PID: 2912
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240615281.reg
        PID: 4660
        - Boot or Logon Autostart Execution: Active Setup
        - System Location Discovery: System Language Discovery
        - Runs .reg file with regedit

    [2] C:\Windows\SysWOW64\WinHelp81.exe
        Command line: C:\Windows\system32\WinHelp81.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
        PID: 2664
        - Deletes itself
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\system32\svchost.exe
            PID: 4344

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 200
                PID: 4492
                - Program crash

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 208
                PID: 3308
                - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4344 -ip 4344
    PID: 2820

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4344 -ip 4344
    PID: 1528
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 384B
MD5: dd28387ebd21d1e38489c5c8a802e09c
SHA1: e6da1b29ecb5ff0f8f3d6db7b115ee56420e4cd5
SHA256: 0a742cc86b994528e2a144c33e6c9394b0748611d342cd52bcfd66203b45afd2
SHA512: a2097850738ae1fb1c2b9a8f3060d1435d1e998b96e4dc22d32481a2342033633871dd6fc8db60ce90f668fb471fa414a839b4b216d3296502ee58ed599477ca

Filesize: 51KB
MD5: a6c552cf16d5861b05ef86e889cf85c9
SHA1: d1174bac64399290cb6e528e6b7c69535f42f9ed
SHA256: 112923c629269df40072168356eaa0c6f37cbaab752dc794f5f46dd3c52683f8
SHA512: abb9cda521f9c030b0a851ae489c345f34dd603f911c3512adf54c681f6b3926daf0bb32569fa5b33ca1c33e44aef2d781d2855b4cef8b70a15bf0294a01d023