4b3f9c69fe374c9ab7ddbff100b4084355acc31551e8a1185c11e6849e1f6246

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
Size

77KB
MD5

f7de265ba6924cebb02ae10ec3453a50
SHA1

e1089f141f2da73e8039d96764899361d9cf9164
SHA256

4b3f9c69fe374c9ab7ddbff100b4084355acc31551e8a1185c11e6849e1f6246
SHA512

05eebe1d0208dbf086ad65b15a9a8803bd1da0c599c5af0c9aee15912a7d1d61185cf03229846b121e5fdcab1d44831dec0b1fa893a585962b4e70c4aba1c76c
SSDEEP

1536:IaiqH1s+kCtrA2UMT0mTFibDKa1XohUPYJ+l9BpBJ:p1B31bdBob2QXoHEf

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX22C0.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCX510E.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3116.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX49B1.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX542D.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6144.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCX3C74.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXE8B0.tmp	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	NEAS.f7de265ba6924cebb02ae10ec3453a50.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f7de265ba6924cebb02ae10ec3453a50.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f7de265ba6924cebb02ae10ec3453a50.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
567KB

MD5
6975d78af10667a5d7d742659c7a0cd6

SHA1
e8d2de3bdec31005fc8d9bea85921ac8f06161e5

SHA256
52700de129947aa24b8313e160166f7afb9a1af2f94e6aff9e8e49af8bd9e92c

SHA512
2bdc5fae0cee6c54e10f1311987f7fe8f385c8290ad04fbd39d314d9b12e06dc00635416a0026f118c1f0ad2c09f214b11145d387eec5a6de8db12560a391975

Download Submit
C:\Windows\SysWOW64\xdccPrograms\RCX510E.tmp

Filesize
663.9MB

MD5
41b637f513e64df09f8db8e9dbccfa69

SHA1
32778d77b24d80a898154b8d49ff8b5a8f5a2168

SHA256
de199e581860466f68617ea43eb8ab463da9d256b4743c469b71f0ea44a9c073

SHA512
5a3a54b28bab0fbb0c0fca3daec0e6d3a5691751031be2d58dddcfddbbadf2e1f93b170e1f4788a616f83f9068d0f99c81481de507b8368f47eaa3f48f100db3

Download Submit
memory/2000-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2000-50-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2000-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2000-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2000-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2000-96-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads