Analysis Overview
SHA256
4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74
Threat Level: Likely malicious
The file 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Loads dropped DLL
Deletes itself
Executes dropped EXE
Drops file in System32 directory
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Runs .reg file with regedit
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 13:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 13:49
Reported
2024-11-12 13:51
Platform
win7-20240729-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp83.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp11.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | C:\Windows\SysWOW64\regedit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp11.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp11.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp83.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp11.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp11.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\WinHelp11.exe | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A |
| File created | C:\Windows\SysWOW64\WinHelp83.exe | C:\Windows\SysWOW64\WinHelp11.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp83.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp11.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WinHelp83.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
"C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465511.reg
C:\Windows\SysWOW64\WinHelp11.exe
C:\Windows\system32\WinHelp11.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465683.reg
C:\Windows\SysWOW64\WinHelp83.exe
C:\Windows\system32\WinHelp83.exe kowdgjttgC:\Windows\SysWOW64\WinHelp11.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
memory/2008-1-0x0000000013152000-0x000000001315F000-memory.dmp
C:\Windows\SysWOW64\WinHelp11.exe
| MD5 | 0a711131a951e2d88fe251864494fe0c |
| SHA1 | 409b0163e4f78d2fa5d96e3c0783dcc5e45fcbe3 |
| SHA256 | 26babc2779fdea05e48f55223717ef64552eae7b20ebb332216a4bd75abd51e5 |
| SHA512 | 04276781a9ba16fd55e2c1fd91a4dc54d9d54372a74463b0e538f4c2d2ca56c092285f663ab3a11d6e3670fc69d689a186dec28722c2b84f6393446aad029a63 |
C:\Users\Admin\AppData\Local\Temp\259465511.reg
| MD5 | d88165fa73fcdcd831f495f80122ba27 |
| SHA1 | a189c398ddbc091fde42449a5186a55f7119a425 |
| SHA256 | 41bfbe7838def590d7ee882062c84fb9f2802375bd176a0a3bb4a5f3d027b890 |
| SHA512 | 4228185d45db7a77de1ab4277a827d5e9af6fdd8a987422a5aba0ba089d8010519225f7223a783c927b41c2b9b866c7de4bb1e4bfd78dfb59b453d095d41f523 |
memory/2736-11-0x0000000013150000-0x00000000131669F4-memory.dmp
C:\Users\Admin\AppData\Local\Temp\259465683.reg
| MD5 | 633ee34fa6a139e369ac9821ef9f7fc7 |
| SHA1 | 0e3b1edee11bfda878ef1b62f11b1b6790a45a9b |
| SHA256 | 6655ccc737d9739fefbea2271b979acead3c216153d930d4611ac4d7efc16684 |
| SHA512 | 290e57510cd276ce2e00695905e6c81ebf2bd3cc8f09943f6b52682e464dd77669ddc4d2af089754a3a2d7a5b8dd5c090aa1d5da70b3595656591b5050b62de6 |
C:\Windows\SysWOW64\WinHelp83.exe
| MD5 | be33c28723e079887106406e61abcde1 |
| SHA1 | 8fbb5fb57749424f49a903dad9c67075f9ab9ebe |
| SHA256 | 09444457c7129c5a12f7b8af9c73e89f1a615140ae1260b6c248d855e05c2980 |
| SHA512 | fd3b86426c1de33d793d6956cd1e77dfb69ce382ddef3b6eb23b7f5b3b669e8cd6c4aa0f217000d65abeab986384a7101819af6a1bbed643e3b3e60af2eb4911 |
memory/2856-24-0x0000000013150000-0x0000000013167000-memory.dmp
memory/2856-25-0x0000000013150000-0x0000000013167000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 13:49
Reported
2024-11-12 13:51
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
99s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp81.exe" | C:\Windows\SysWOW64\regedit.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp81.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WinHelp81.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\WinHelp81.exe | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp81.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WinHelp81.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
"C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"
C:\Windows\SysWOW64\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240615281.reg
C:\Windows\SysWOW64\WinHelp81.exe
C:\Windows\system32\WinHelp81.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 208
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2912-0-0x0000000013152000-0x000000001315F000-memory.dmp
C:\Windows\SysWOW64\WinHelp81.exe
| MD5 | a6c552cf16d5861b05ef86e889cf85c9 |
| SHA1 | d1174bac64399290cb6e528e6b7c69535f42f9ed |
| SHA256 | 112923c629269df40072168356eaa0c6f37cbaab752dc794f5f46dd3c52683f8 |
| SHA512 | abb9cda521f9c030b0a851ae489c345f34dd603f911c3512adf54c681f6b3926daf0bb32569fa5b33ca1c33e44aef2d781d2855b4cef8b70a15bf0294a01d023 |
memory/2664-6-0x0000000013150000-0x00000000131669F4-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240615281.reg
| MD5 | dd28387ebd21d1e38489c5c8a802e09c |
| SHA1 | e6da1b29ecb5ff0f8f3d6db7b115ee56420e4cd5 |
| SHA256 | 0a742cc86b994528e2a144c33e6c9394b0748611d342cd52bcfd66203b45afd2 |
| SHA512 | a2097850738ae1fb1c2b9a8f3060d1435d1e998b96e4dc22d32481a2342033633871dd6fc8db60ce90f668fb471fa414a839b4b216d3296502ee58ed599477ca |
memory/4344-8-0x0000000013150000-0x0000000013167000-memory.dmp
memory/2664-9-0x0000000013150000-0x00000000131669F4-memory.dmp