dab9418a6114cc9b5dc93f4fd40f81399c9f832382c861c269321d624669ec0d

Analysis

max time kernel
156s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f336c0fc025e84da13bc506ab9674980.exe
Size

4.8MB
MD5

f336c0fc025e84da13bc506ab9674980
SHA1

35b7d94afab096f765b328881de314f7ebf5db3c
SHA256

dab9418a6114cc9b5dc93f4fd40f81399c9f832382c861c269321d624669ec0d
SHA512

f2ffc2bba8c722941e88e8f4dc362a3299e29de3115344dec9581f84ea0a63e75701987e41d5463b1c8d8945ac41b7f4535cba41212273570181676817fe1c25
SSDEEP

98304:Kpj64QPCCQc2TsPwZH+5TqmsNUn9hKXzo0uvd+jSHatZHbhtOOkLVn3bDpdwSj:idOYT+cmseTWduQSybyOQbfj

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	NEAS.f336c0fc025e84da13bc506ab9674980.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX997A.tmp	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX99FB.tmp	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	NEAS.f336c0fc025e84da13bc506ab9674980.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX98EB.tmp	NEAS.f336c0fc025e84da13bc506ab9674980.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f336c0fc025e84da13bc506ab9674980.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f336c0fc025e84da13bc506ab9674980.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
4.8MB

MD5
dcb1c8581224f634d99d72eeee4f4ad0

SHA1
4e55112b784fd7711c40260959038884d5265a43

SHA256
d4388accbade096f9510aa5c81d6a5983766cfd3029968b5b092bf3d006ae83c

SHA512
8e84c7a667774722d714dca57334534ed6c02429724ff5dc01ef0b7520d54096f5f12ba14123829c2e9a5a3fbf8ead64468f79b5b0b736de83b67baf07cea8b4

Download Submit
memory/2424-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-138-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-139-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-140-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads