a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec

Analysis

max time kernel
124s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
Size

141KB
MD5

c79e93c89ebf22feee4fef424e2ec69a
SHA1

6a6874d796a236daea37ada3b5bf6924f0282fde
SHA256

a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec
SHA512

0843a3656a977113e6f54a5484fda268890e867563aa78ac0e95d12b168ce5e32bc4a737b8a7470fa6d91390d8498d5fff03a3ab860ef2c3b299730b36f60544
SSDEEP

3072:l1B31bdBob2QXGrzNsKkJIpEq6eshVDlp1c3HOvBbZ/S:l731bdBaBkzNsK+IjJshVDbq3HaBU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX805D.tmp	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7FDB.tmp	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX805C.tmp	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7FFB.tmp	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX807E.tmp	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX801B.tmp	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe

C:\Users\Admin\AppData\Local\Temp\a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe
"C:\Users\Admin\AppData\Local\Temp\a4945b0acf67f6860b41a51481c992c60259a7aea60341279f74f69c7315b7ec.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads