Malware Analysis Report

2025-08-06 02:16

Sample ID: 241112-q4qgcsxkbp
Target: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
SHA256: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74
Tags: discovery, persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 8/10
SHA256: 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74
Threat Level: Likely malicious

The file 4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup

Loads dropped DLL

Deletes itself

Executes dropped EXE

Drops file in System32 directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Runs .reg file with regedit

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

T1547.014 Boot or Logon Autostart Execution: Active Setup (persistence)
T1614.001 System Location Discovery: System Language Discovery (discovery)

Analysis: static1

Detonation Overview

Reported: 2024-11-12 13:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 13:49
Reported: 2024-11-12 13:51
Platform: win7-20240729-en
Max time kernel: 118s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp83.exe" | C:\Windows\SysWOW64\regedit.exe | N/A
Key created (2 events) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp11.exe" | C:\Windows\SysWOW64\regedit.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WinHelp11.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WinHelp11.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WinHelp83.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WinHelp11.exe | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A
File created | C:\Windows\SysWOW64\WinHelp83.exe | C:\Windows\SysWOW64\WinHelp11.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened (2 events) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp83.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp11.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A (2 events) | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WinHelp83.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2008 wrote to memory of 2724 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | C:\Windows\SysWOW64\regedit.exe
PID 2008 wrote to memory of 2736 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | C:\Windows\SysWOW64\WinHelp11.exe
PID 2736 wrote to memory of 2684 (4 events) | N/A | C:\Windows\SysWOW64\WinHelp11.exe | C:\Windows\SysWOW64\regedit.exe
PID 2736 wrote to memory of 3012 (4 events) | N/A | C:\Windows\SysWOW64\WinHelp11.exe | C:\Windows\SysWOW64\WinHelp83.exe
PID 3012 wrote to memory of 2856 (5 events) | N/A | C:\Windows\SysWOW64\WinHelp83.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
    "C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"

C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465511.reg

C:\Windows\SysWOW64\WinHelp11.exe
    C:\Windows\system32\WinHelp11.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe

C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465683.reg

C:\Windows\SysWOW64\WinHelp83.exe
    C:\Windows\system32\WinHelp83.exe kowdgjttgC:\Windows\SysWOW64\WinHelp11.exe

C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe

Note: the sample is a 32-bit process (its registry writes land under Wow6432Node and it launches the SysWOW64 copy of regedit.exe), so the C:\Windows\system32 paths in these command lines are redirected by WOW64 to C:\Windows\SysWOW64, which is where the "Drops file in System32 directory" rows place the files. Each dropped stage is started with the fixed token kowdgjttg immediately followed by the launching process's own image path; together with "Deletes itself" being attributed to WinHelp11.exe, which received the sample's path, this is consistent with each child removing its parent. The svchost.exe instance is started by WinHelp83.exe without the "-k <group>" argument that service hosts launched by services.exe carry.

Network

N/A

Files

C:\Windows\SysWOW64\WinHelp11.exe
    MD5    0a711131a951e2d88fe251864494fe0c
    SHA1   409b0163e4f78d2fa5d96e3c0783dcc5e45fcbe3
    SHA256 26babc2779fdea05e48f55223717ef64552eae7b20ebb332216a4bd75abd51e5
    SHA512 04276781a9ba16fd55e2c1fd91a4dc54d9d54372a74463b0e538f4c2d2ca56c092285f663ab3a11d6e3670fc69d689a186dec28722c2b84f6393446aad029a63

C:\Users\Admin\AppData\Local\Temp\259465511.reg
    MD5    d88165fa73fcdcd831f495f80122ba27
    SHA1   a189c398ddbc091fde42449a5186a55f7119a425
    SHA256 41bfbe7838def590d7ee882062c84fb9f2802375bd176a0a3bb4a5f3d027b890
    SHA512 4228185d45db7a77de1ab4277a827d5e9af6fdd8a987422a5aba0ba089d8010519225f7223a783c927b41c2b9b866c7de4bb1e4bfd78dfb59b453d095d41f523

C:\Users\Admin\AppData\Local\Temp\259465683.reg
    MD5    633ee34fa6a139e369ac9821ef9f7fc7
    SHA1   0e3b1edee11bfda878ef1b62f11b1b6790a45a9b
    SHA256 6655ccc737d9739fefbea2271b979acead3c216153d930d4611ac4d7efc16684
    SHA512 290e57510cd276ce2e00695905e6c81ebf2bd3cc8f09943f6b52682e464dd77669ddc4d2af089754a3a2d7a5b8dd5c090aa1d5da70b3595656591b5050b62de6

C:\Windows\SysWOW64\WinHelp83.exe
    MD5    be33c28723e079887106406e61abcde1
    SHA1   8fbb5fb57749424f49a903dad9c67075f9ab9ebe
    SHA256 09444457c7129c5a12f7b8af9c73e89f1a615140ae1260b6c248d855e05c2980
    SHA512 fd3b86426c1de33d793d6956cd1e77dfb69ce382ddef3b6eb23b7f5b3b669e8cd6c4aa0f217000d65abeab986384a7101819af6a1bbed643e3b3e60af2eb4911

memory/2008-1-0x0000000013152000-0x000000001315F000-memory.dmp (sample, PID 2008)
memory/2736-11-0x0000000013150000-0x00000000131669F4-memory.dmp (WinHelp11.exe, PID 2736)
memory/2856-24-0x0000000013150000-0x0000000013167000-memory.dmp (svchost.exe, PID 2856)
memory/2856-25-0x0000000013150000-0x0000000013167000-memory.dmp (svchost.exe, PID 2856)

Note: the dumps taken from svchost.exe (PID 2856) cover 0x13150000-0x13167000, the same region dumped from WinHelp11.exe (PID 2736); together with the WinHelp83.exe to svchost.exe WriteProcessMemory events this is consistent with the same payload being placed into svchost.exe. The dropped WinHelp11.exe and WinHelp83.exe have different hashes from each other and from the sample, so file hashes from this run are weak indicators; the Active Setup GUID {CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}, the WinHelpNN.exe naming under SysWOW64, and the kowdgjttg command-line token are the stable artefacts in this report.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-12 13:49
Reported: 2024-11-12 13:51
Platform: win10v2004-20241007-en
Max time kernel: 95s
Max time network: 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE} | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}\stubpath = "C:\\Windows\\system32\\WinHelp81.exe" | C:\Windows\SysWOW64\regedit.exe | N/A
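The Active Setup rows in behavioral1 and in this detonation show the same persistence mechanism: a StubPath under HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID}, written through regedit.exe, with no Version value. At each interactive logon Windows runs the StubPath of every such HKLM entry that has no counterpart under the same path in HKCU (or whose HKCU Version is lower), then copies the key to HKCU for that user. The following Python is an added example, not part of the sandbox report or of the sample; it parses registry rows of the shape used in these tables and lists what a responder would want to know about the entry. The event tuples are constructed from the report's rows, and the finding texts are this example's own wording.

```python
"""Active Setup persistence triage (added example, not part of the sandbox report)."""
import re

# HKLM\SOFTWARE[\Wow6432Node]\Microsoft\Active Setup\Installed Components\{GUID}[\ValueName]
KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?P<wow>Wow6432Node\\)?Microsoft\\Active Setup"
    r"\\Installed Components\\(?P<guid>\{[0-9A-F-]{36}\})(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)

REGEDIT = r"C:\Windows\SysWOW64\regedit.exe"
AS_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup"
          r"\Installed Components\{CFF8FD86-05DB-4990-92A9-0EE5FDFB7BFE}")

# (operation, indicator, writing process): constructed from the report's two Active Setup tables.
EVENTS_B1 = [
    ("Set value (str)", AS_KEY + r'\stubpath = "C:\\Windows\\system32\\WinHelp83.exe"', REGEDIT),
    ("Key created", AS_KEY, REGEDIT),
    ("Set value (str)", AS_KEY + r'\stubpath = "C:\\Windows\\system32\\WinHelp11.exe"', REGEDIT),
]
EVENTS_B2 = [
    ("Key created", AS_KEY.replace("Wow6432Node", "WOW6432Node"), REGEDIT),
    ("Set value (str)", AS_KEY.replace("Wow6432Node", "WOW6432Node")
     + r'\stubpath = "C:\\Windows\\system32\\WinHelp81.exe"', REGEDIT),
]


def collect_active_setup(events):
    """Group registry events by Active Setup GUID and record what was written to each key."""
    entries = {}
    for _op, indicator, writer in events:
        key, sep, raw = indicator.partition(" = ")
        m = KEY_RE.match(key)
        if not m:
            continue                      # not an Active Setup key
        guid = m.group("guid").upper()
        e = entries.setdefault(guid, {
            "guid": guid,
            "view": "Wow6432Node" if m.group("wow") else "native",
            "stubpath_history": [],       # every StubPath value written, in report order
            "version": None,
            "writers": set(),
        })
        e["writers"].add(writer.rsplit("\\", 1)[-1].lower())
        value_name = (m.group("value") or "").lower()
        if sep and value_name:
            # .reg-style data: quoted, with backslashes doubled
            data = raw.strip().strip('"').replace("\\\\", "\\")
            if value_name == "stubpath":
                e["stubpath_history"].append(data)
            elif value_name == "version":
                e["version"] = data
    return entries


def assess(entry):
    """Explain why this Active Setup entry matters: at logon, Windows runs StubPath for every
    HKLM Installed Components GUID that has no HKCU counterpart (or a lower HKCU Version),
    then copies the key to HKCU for that user."""
    findings = []
    stubs = entry["stubpath_history"]
    if not stubs:
        return findings
    if entry["version"] is None:
        findings.append("StubPath set without a Version value: the stub runs once in every "
                        "user profile that has no HKCU copy of this GUID")
    if len(set(stubs)) > 1:
        findings.append(f"StubPath rewritten {len(stubs)} times ({', '.join(stubs)}); "
                        "the last write is what runs")
    if "regedit.exe" in entry["writers"]:
        findings.append("key populated through regedit.exe (.reg import), not an installer")
    if entry["view"] == "Wow6432Node" and any("\\system32\\" in s.lower() for s in stubs):
        findings.append("32-bit writer (Wow6432Node) with a system32 StubPath: WOW64 file "
                        "system redirection put the dropped file under SysWOW64, so check "
                        "both directories when collecting the stub")
    return findings


if __name__ == "__main__":
    for label, events in (("behavioral1", EVENTS_B1), ("behavioral2", EVENTS_B2)):
        for entry in collect_active_setup(events).values():
            print(label, entry["guid"], entry["view"])
            for line in assess(entry):
                print("  -", line)
```

For remediation the same parsing tells you what to remove: the HKLM key, the stub binary in SysWOW64 (and system32, if a 64-bit writer is ever seen), and, for each user profile that already logged on after infection, the HKCU copy of the GUID, since its presence is the only record that the stub has run for that user.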

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WinHelp81.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WinHelp81.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\WinHelp81.exe | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WinHelp81.exe | N/A

Runs .reg file with regedit

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WinHelp81.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2912 wrote to memory of 4660 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | C:\Windows\SysWOW64\regedit.exe
PID 2912 wrote to memory of 2664 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe | C:\Windows\SysWOW64\WinHelp81.exe
PID 2664 wrote to memory of 4344 (4 events) | N/A | C:\Windows\SysWOW64\WinHelp81.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe
    "C:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe"

C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\240615281.reg

C:\Windows\SysWOW64\WinHelp81.exe
    C:\Windows\system32\WinHelp81.exe kowdgjttgC:\Users\Admin\AppData\Local\Temp\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe

C:\Windows\SysWOW64\svchost.exe
    C:\Windows\system32\svchost.exe

C:\Windows\SysWOW64\WerFault.exe (4 instances)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4344 -ip 4344
    C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 200
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4344 -ip 4344
    C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 208

Note: every WerFault.exe instance reports on PID 4344 (the -p argument), which the WriteProcessMemory table identifies as the svchost.exe that WinHelp81.exe wrote into; this is the "Program crash" listed in the summary, and it means the code placed into svchost.exe faulted on the Windows 10 image rather than running to completion as it did on Windows 7. As in behavioral1, this svchost.exe is started by the dropped stage without the "-k <group>" argument that service hosts launched by services.exe carry, and the system32 paths in the command lines are WOW64-redirected to SysWOW64 because the sample is 32-bit.
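The report never states a process tree; what it gives is the "Suspicious use of WriteProcessMemory" rows (a creator writing into its newly spawned child is what CreateProcess does, so the first writer of a PID is a reasonable stand-in for its parent) plus the Processes command lines. The following Python is an added example, not code from the sandbox vendor or from the sample. It reconstructs the lineage from those rows and flags the three launch patterns visible in both detonations: a silent regedit.exe /s import of a .reg file from the user's Temp directory, a child started with its parent's image path glued into an argument, and an svchost.exe with no services.exe parent and no -k group. The rows are constructed from behavioral1, which has the longer two-stage chain; the parent mapping is an inference labelled as such, and the finding tags are this example's own names.

```python
"""Process-lineage triage for the sandbox rows in this report (added example)."""
import re

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Constructed from the behavioral1 "Suspicious use of WriteProcessMemory" table, duplicates removed.
WPM_ROWS = [
    "PID 2008 wrote to memory of 2724",
    "PID 2008 wrote to memory of 2736",
    "PID 2736 wrote to memory of 2684",
    "PID 2736 wrote to memory of 3012",
    "PID 3012 wrote to memory of 2856",
]

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4bb199e0d9236e5d8bb9097735e61b7a5a2a600ba6772ff105c7d000b1674e74.exe")

# (pid, image path, command line): constructed from the behavioral1 Processes list.
PROCESSES = [
    (2008, SAMPLE, f'"{SAMPLE}"'),
    (2724, r"C:\Windows\SysWOW64\regedit.exe",
     r"regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465511.reg"),
    (2736, r"C:\Windows\SysWOW64\WinHelp11.exe",
     r"C:\Windows\system32\WinHelp11.exe kowdgjttg" + SAMPLE),
    (2684, r"C:\Windows\SysWOW64\regedit.exe",
     r"regedit.exe /s C:\Users\Admin\AppData\Local\Temp\259465683.reg"),
    (3012, r"C:\Windows\SysWOW64\WinHelp83.exe",
     r"C:\Windows\system32\WinHelp83.exe kowdgjttgC:\Windows\SysWOW64\WinHelp11.exe"),
    (2856, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe"),
]


def infer_parents(rows):
    """Map child PID -> first writer PID. Inference: the report has no explicit tree, and the
    creator of a process writes into it during CreateProcess, so the first writer is taken
    as the parent. A later writer into an existing PID would be injection, not parentage."""
    parents = {}
    for row in rows:
        m = WPM_RE.search(row)
        if m:
            parents.setdefault(int(m.group(2)), int(m.group(1)))
    return parents


def split_cmdline(cmd):
    """Minimal Windows command-line tokenizer: double-quoted spans are one token."""
    tokens, i, n = [], 0, len(cmd)
    while i < n:
        if cmd[i].isspace():
            i += 1
        elif cmd[i] == '"':
            j = cmd.find('"', i + 1)
            j = n if j == -1 else j
            tokens.append(cmd[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not cmd[j].isspace():
                j += 1
            tokens.append(cmd[i:j])
            i = j
    return tokens


def triage(processes, parents):
    """Return (pid, tag) findings for the launch patterns seen in this report."""
    by_pid = {p[0]: p for p in processes}
    findings = []
    for pid, image, cmd in processes:
        argv = split_cmdline(cmd)
        name = image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(parents.get(pid))
        # 1. regedit.exe /s <file>.reg from the user's Temp: silent import of a dropped .reg.
        if name == "regedit.exe" and "/s" in (a.lower() for a in argv):
            if any(a.lower().endswith(".reg") and "\\appdata\\local\\temp\\" in a.lower()
                   for a in argv):
                findings.append((pid, "reg_import_temp"))
        # 2. Child started with the parent's own image path embedded in an argument
        #    (the token before the path, kowdgjttg here, is opaque to this check).
        if parent and any(a.lower().endswith(parent[1].lower()) for a in argv[1:]):
            findings.append((pid, "parent_path_handoff"))
        # 3. svchost.exe not started by services.exe, or started without a -k service group.
        if name == "svchost.exe":
            pname = parent[1].rsplit("\\", 1)[-1].lower() if parent else ""
            if pname != "services.exe" or "-k" not in (a.lower() for a in argv):
                findings.append((pid, "svchost_orphan"))
    return findings


if __name__ == "__main__":
    parents = infer_parents(WPM_ROWS)
    for pid, image, _cmd in PROCESSES:
        print(f"{parents.get(pid, '-'):>5} -> {pid:<5} {image}")
    for pid, tag in triage(PROCESSES, parents):
        print(f"PID {pid}: {tag}")
```

The same three checks apply unchanged to the behavioral2 rows (2912 to 4660 and 2664, then 2664 to 4344), where the chain is one stage shorter and the svchost.exe it ends in is the PID 4344 that WerFault.exe reports on. Against real telemetry (Sysmon event 1 or EDR process-create records) the parent PID is given directly and infer_parents is not needed; the argument-embedding and svchost checks carry over as written.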

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Note: all nine entries are reverse (PTR) lookups sent to 8.8.8.8. The report attributes no forward name resolution and no outbound connection to the sample or its dropped stages, so this traffic is not evidence of command-and-control; on a Windows 10 image it is most plausibly operating-system background activity, and behavioral1 recorded no network activity at all.
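Reverse-lookup names hide the address that was actually queried, so the first thing to do with a table like this is turn each in-addr.arpa name back into an IP and check whether anything other than PTR queries is present. The following Python is an added example, not part of the sandbox report; the rows are constructed from the table above and the summary keys are this example's own names. It also handles ip6.arpa names, which the report does not contain, so the same helper works on IPv6 sandbox output.

```python
"""Classify sandbox DNS rows: reverse lookups (with the recovered IP) versus forward queries.
Added example, not part of the sandbox report."""
import ipaddress

# Constructed from the behavioral2 Network table: (country, destination, domain, protocol).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "212.20.149.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
]


def ptr_name_to_ip(name):
    """Return the address encoded in an in-addr.arpa / ip6.arpa name, or None if the name
    is not a well-formed reverse-lookup name (i.e. it is an ordinary forward query)."""
    n = name.lower().rstrip(".")
    try:
        if n.endswith(".in-addr.arpa"):
            octets = n[:-len(".in-addr.arpa")].split(".")
            if len(octets) == 4:                       # octets are stored least-significant first
                return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        elif n.endswith(".ip6.arpa"):
            nibbles = n[:-len(".ip6.arpa")].split(".")
            if len(nibbles) == 32:                     # one hex digit per label, reversed
                return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    except ValueError:
        pass                                           # malformed label, treat as forward query
    return None


def summarise_dns(rows):
    """Split rows into PTR targets and forward queries and note which resolvers were used."""
    ptr_targets, forward = [], []
    for _country, _dest, domain, _proto in rows:
        ip = ptr_name_to_ip(domain)
        if ip:
            ptr_targets.append(ip)
        else:
            forward.append(domain)
    return {
        "resolvers": sorted({dest for _, dest, _, _ in rows}),
        "ptr_targets": ptr_targets,
        "forward_queries": forward,
        "ptr_only": not forward,    # PTR-only traffic with no connections is background noise
    }


if __name__ == "__main__":
    summary = summarise_dns(NETWORK_ROWS)
    print("resolvers:", summary["resolvers"])
    for ip in summary["ptr_targets"]:
        print("PTR lookup for", ip)
    print("forward queries:", summary["forward_queries"] or "none")
```

The recovered addresses are what you would pivot on (passive DNS, ownership, sandbox baseline) before deciding whether any of them belongs to the sample's infrastructure; with ptr_only true and no connections in the report, the expected outcome is that they belong to the image's own background services.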

Files

C:\Windows\SysWOW64\WinHelp81.exe
    MD5    a6c552cf16d5861b05ef86e889cf85c9
    SHA1   d1174bac64399290cb6e528e6b7c69535f42f9ed
    SHA256 112923c629269df40072168356eaa0c6f37cbaab752dc794f5f46dd3c52683f8
    SHA512 abb9cda521f9c030b0a851ae489c345f34dd603f911c3512adf54c681f6b3926daf0bb32569fa5b33ca1c33e44aef2d781d2855b4cef8b70a15bf0294a01d023

C:\Users\Admin\AppData\Local\Temp\240615281.reg
    MD5    dd28387ebd21d1e38489c5c8a802e09c
    SHA1   e6da1b29ecb5ff0f8f3d6db7b115ee56420e4cd5
    SHA256 0a742cc86b994528e2a144c33e6c9394b0748611d342cd52bcfd66203b45afd2
    SHA512 a2097850738ae1fb1c2b9a8f3060d1435d1e998b96e4dc22d32481a2342033633871dd6fc8db60ce90f668fb471fa414a839b4b216d3296502ee58ed599477ca

memory/2912-0-0x0000000013152000-0x000000001315F000-memory.dmp (sample, PID 2912)
memory/2664-6-0x0000000013150000-0x00000000131669F4-memory.dmp (WinHelp81.exe, PID 2664)
memory/4344-8-0x0000000013150000-0x0000000013167000-memory.dmp (svchost.exe, PID 4344)
memory/2664-9-0x0000000013150000-0x00000000131669F4-memory.dmp (WinHelp81.exe, PID 2664)