e2e6fe31615846eccf919b4a3666325eadd09068f36329066d0a1ed5e0d40d16

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82999d5425898b535b14abcd994a7c2f_JC.exe
Size

568KB
MD5

82999d5425898b535b14abcd994a7c2f
SHA1

5dba78327d04cd171e0102818f6b958a60dfedec
SHA256

e2e6fe31615846eccf919b4a3666325eadd09068f36329066d0a1ed5e0d40d16
SHA512

6bf80079da68281decb536cca64aad5cb6ceefa39f7d230e50879546824db7b0e6d2ee16b83b37b4a8781fb0c45b4fc213f20c7d63831ceb360d46e0633841f1
SSDEEP

12288:Hw61ovtukaBc7SdtH4mOnt2yRDVOZmdbsi+L8K08YtrE:Hw61/BntZQ1Rksbsi2/VY6

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	82999d5425898b535b14abcd994a7c2f_JC.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	82999d5425898b535b14abcd994a7c2f_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	82999d5425898b535b14abcd994a7c2f_JC.exe

C:\Users\Admin\AppData\Local\Temp\82999d5425898b535b14abcd994a7c2f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\82999d5425898b535b14abcd994a7c2f_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
847KB

MD5
61c2c9a48fef254f5b2ac47b8ef8c2d3

SHA1
82dc924c9eac98ebd655b7745bc0c90c3e9306e0

SHA256
9bc670b11f0a295062f52ae74ce1645a9b8ad21db557e88c659e9277eaa4ad86

SHA512
6d27fdc75eeccc4c90ea48090169b66c89b27b17308a6d17cc754ccb4dd1095e57997a789c428ca5115840effe6f75b58e194d3459d6a2cf392e0b5106abff7c

Download Submit
memory/3780-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3780-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads