6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c

Analysis

max time kernel
169s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-10-2022 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
Size

252KB
MD5

a11189e873cc2badb2ce2b9ff738e211
SHA1

75be2cd28bebddeeef3e82e1c54ab4182a41033e
SHA256

6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c
SHA512

85a412b590402e7b4180fdcb8b748a35db67c5870718665c047af0dc1eb31da0855a4027561be2be81fc5b862df8bab12250f5d48e2986c9913f431951db6dc6
SSDEEP

6144:w731bdBaByGctpZROEGcd5dOdUILGK349JMsqXS6rvfh0+:i1b4e1Gc5dOiILbI9JMsqXS6rRR

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCC37.tmp	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\BackupAssert.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCC57.tmp	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\BackupAssert.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCC77.tmp	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCB5B.tmp	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe

C:\Users\Admin\AppData\Local\Temp\6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe
"C:\Users\Admin\AppData\Local\Temp\6df7efbda8d22d83f8ecaed948f5787923a6944eb0f8c39b3bd1baa66868200c.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads