3c736a5302f15d0866dbdd2ff3db647e8257b61820913dafb580c53a6ca70c8c

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f512a5666891a62563a255801e8f00b4_JC.exe
Size

389KB
MD5

f512a5666891a62563a255801e8f00b4
SHA1

d63b9091acfe2e19b9724ff80b5ab72426da0137
SHA256

3c736a5302f15d0866dbdd2ff3db647e8257b61820913dafb580c53a6ca70c8c
SHA512

ed789bd34e88b0c3d3ec20409e594929134c1a29e47033485e1acc574e0d239c9ae0948366bb11bc220258dbd4f7419f8cb4bc7b470015bfb14f53b8dd3fdc29
SSDEEP

12288:NMs1MVOT824zPb3BOkeJuDMUiPOg/sX8Jg6UsE:NMs1MVbP7LbAdUykXRRsE

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	f512a5666891a62563a255801e8f00b4_JC.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX476.tmp	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\BackupAssert.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3C8.tmp	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX455.tmp	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	f512a5666891a62563a255801e8f00b4_JC.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	f512a5666891a62563a255801e8f00b4_JC.exe

C:\Users\Admin\AppData\Local\Temp\f512a5666891a62563a255801e8f00b4_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f512a5666891a62563a255801e8f00b4_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX476.tmp

Filesize
37KB

MD5
d196855c706ee5ff38ccf616d2a94526

SHA1
9880d901359f12d9c01c86f9411fa004972eb302

SHA256
b99dcb1349e9f39d93aad8c94e83df67976028e436894937fd6e711a62c2d036

SHA512
752a727babad767af1873d0582e63de67e5fe5b16522a735de847622b64b3adff43e735c541d85aea37d05e9d81c09255d647777863ff7a0d4375af99999e007

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
847KB

MD5
8395b3b8b9b847ae0aaba74f629ba79f

SHA1
4c49465086cce8802c2113ac31b3e7a14da7dd66

SHA256
37746ac810389c04e8b361f386573093e3fa4032e6efb164073eb091dfa7b371

SHA512
c6ced9d462c68718a1429bbb88bc6b379e6b6f29988d76c68ab616a281377a392fe59a8492818c65f1d641fe2c68aec3c81469ce1efd82f014bb91ebe48d1204

Download Submit
memory/1872-38-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-102-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-37-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-43-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-47-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-51-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-54-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-1-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-34-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-103-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-104-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-105-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-106-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-107-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-108-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-109-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1872-110-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads