13a40ed4f7d7d70c006b23c712334bd0fe2afc6276e507871ba6c90fc3b3834a

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2023 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
Size

486KB
MD5

b5a8e38c619dbada6cf0118f19fc6e13
SHA1

3bd351afc5a1c8305edd4270bca66b4a552a29d4
SHA256

13a40ed4f7d7d70c006b23c712334bd0fe2afc6276e507871ba6c90fc3b3834a
SHA512

be2ff87610ee37954d02b13905afc0d327dbd8a4480778a8a2a62d6e78ff013c8d45d7f3ac2fb14b786d8ead2b96e7cbc9907b65441ef252b9edf2ba689ec543
SSDEEP

12288:JdMcjIoJ+EJaFy7sswHRFePMlJhWwSAOfohQWt5Av4M9q8:JWoh+dyBGRU0PhnSdoHtidq8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXF09D.tmp	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXF0DD.tmp	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXF03C.tmp	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXF0BD.tmp	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXF05C.tmp	b5a8e38c619dbada6cf0118f19fc6e13_JC.exe

C:\Users\Admin\AppData\Local\Temp\b5a8e38c619dbada6cf0118f19fc6e13_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b5a8e38c619dbada6cf0118f19fc6e13_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCXF07C.tmp

Filesize
38KB

MD5
3ff0d0dc6680f4db4a913c60a2fb2b64

SHA1
8dd1cbfb28a9e28ca35231e7570cdea70d511e42

SHA256
288a370a6d538d6ccb7572a5737ba1b3f4d1fa34602d3026b466c7c24442fa5e

SHA512
c1b13ee0add705cca6458efbe502457fa7d999d8321ae4af0d0f38afa7aaf8fc92af3cdb3c9138ec16766334fc3e6e9108ac17c7fe7fc963ed8c4fd6929ce1ef

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
503KB

MD5
545d7ea29fa814f6c871657ea3a101f3

SHA1
507a5758aca1de2fc5324b14de1a417ffadb19b4

SHA256
85de97189346ebafa9fe6f0dd97423341f633fe37462ddfaff4ee81e2497bc9a

SHA512
d32c8195daabba0d262435cef0041c6c049474c8d983be8e8bdec39cc0e70ad4fc7792e28e1fdae69be1b409e57b17229c9cbd62555b7195cd2922325730b501

Download Submit
memory/4240-120-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-121-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-25-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-24-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-46-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-1-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-118-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-119-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-23-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-122-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-123-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-124-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-125-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-126-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-127-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-128-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4240-129-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads