Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
07-01-2025 09:16
General
-
Target
WinHelpc32.exe
-
Size
1.5MB
-
MD5
4df31cd1a0ede3a4d35e720c81f8f970
-
SHA1
f8930d6dc53bfb43aa53ca089a94d3d4c6e85c08
-
SHA256
b5b2d5f9800ecf5a4d542c3b3c0812d2fb0f6ffe4333424797d2dbc13ef7739a
-
SHA512
8f43c75fa83e86ec910b7ca25065aa240124034ebe4f16696890e7e79c33b7f0bf741184d8dc7c1e0b50712841b695bf3d48cf85bed8f46e7214f911e835be95
-
SSDEEP
24576:BogQT+D6LJgmzhAhxviiQVd2WAKhhr1AvdCLPatt3AaYfqaP+C5F2oeENHQQBmOT:QTnchxvoVdNo0L0aa/aPd5pFBmOADS
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in System32 directory 2 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 6 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinHelpc32.exe"C:\Users\Admin\AppData\Local\Temp\WinHelpc32.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Add-Mppreference -ExclusionPath 'C:\Program Files (x86)', 'C:\' -Force"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\WinHelpc32.exeC:\Windows\WinHelpc32.exe -svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command "Add-Mppreference -ExclusionPath 'C:\Program Files (x86)', 'C:\' -Force"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k netsvcs2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe -ks3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.5MB
MD54df31cd1a0ede3a4d35e720c81f8f970
SHA1f8930d6dc53bfb43aa53ca089a94d3d4c6e85c08
SHA256b5b2d5f9800ecf5a4d542c3b3c0812d2fb0f6ffe4333424797d2dbc13ef7739a
SHA5128f43c75fa83e86ec910b7ca25065aa240124034ebe4f16696890e7e79c33b7f0bf741184d8dc7c1e0b50712841b695bf3d48cf85bed8f46e7214f911e835be95
-
Filesize
446KB
MD5c6da87c29d5a9898423569362d23a3b9
SHA1bcb8f05e6d319c54585781e709d217a1750b05be
SHA256d3e40fcac762a36aee12f2369132d1246bf967cc17585f21bc632875b14dc3ad
SHA51262a5381ceeef74e34c45c8ca31f67cc5681f7f69cef834d8fbedc3781dde9af0818343361f12c6747a57715739284c86b6d8b8545934a1a2550234b138b0965b
-
Filesize
29KB
MD557d67e031dbbbb5b246ced1b67b1b78e
SHA1728fcae1fc556b7491d97aec3883821950a2133e
SHA25600f7de081e270c8703edb63d46b9df2ac58c693d96f14c0d7872c889a1623481
SHA512a8f370232c780ea78e9c5881aa4a6e9f27fe43409190a44a61ac529aaa9895d4d9a2ebdccf1df84bb3f36ea220078298aab0a61de070bb46cf0f0533d3cea30a
-
Filesize
56KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
216KB
-
Filesize
80KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
1.5MB
-
Filesize
32KB
-
Filesize
340KB
-
Filesize
340KB
-
Filesize
340KB