fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
Size

768KB
MD5

75f52358569243d6d9ed6d560ac437e0
SHA1

356cd65a57275c7a9c89b98d75d4b26e5bc61bf8
SHA256

fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45
SHA512

8d08802303277745141f494e4a906ac4e77ac7b82d093df1a11b712bb95a4b334993068060f06a548ab2c3431271be36ff02f39a0f4b8a41493c3f2d4d1e7e1c
SSDEEP

12288:51bh0JHDshEsf4SN/e+nGRfTqHeRJQhkvKQ5x0iI8V7MJIJcvwbCw:51bh8KP4a/7FHiQhkvKj22JIJc3w

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB57B.tmp	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB64C.tmp	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB62B.tmp	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB58B.tmp	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB5AC.tmp	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB60B.tmp	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB5EB.tmp	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe

C:\Users\Admin\AppData\Local\Temp\fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe
"C:\Users\Admin\AppData\Local\Temp\fe72669c64228ea7ca8d14b3035b15c1449f4ea2865e3e00c6ce96095a97fa45.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads