c897f43b6fa06a39dce688a59ef61bd0288c7f2e93d086986f7dd33d7f2cadc8

Analysis

max time kernel
88s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ba1476ea94020a4cfbb5fab4bb8e65.exe
Size

2.6MB
MD5

a6ba1476ea94020a4cfbb5fab4bb8e65
SHA1

9f2988eb3c84d9ceef80fab53c07b714d626e298
SHA256

c897f43b6fa06a39dce688a59ef61bd0288c7f2e93d086986f7dd33d7f2cadc8
SHA512

eb5fd901e63ac57af96194c434fb9a7c3e830ba8b4cd28add74cb9f20871a1a931f6665d92e3d82faa69140b115810f51a84a45e642f081114ba6e312864a33f
SSDEEP

49152:pZINO9Wp5UON4jvCh90mLI5TbMtjmUL0kpj++algT/7l+PjuqTAk3SBJgu:v5y3KDI9pKALoX+gUZ+PqYiBp

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	a6ba1476ea94020a4cfbb5fab4bb8e65.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	a6ba1476ea94020a4cfbb5fab4bb8e65.exe

C:\Users\Admin\AppData\Local\Temp\a6ba1476ea94020a4cfbb5fab4bb8e65.exe
"C:\Users\Admin\AppData\Local\Temp\a6ba1476ea94020a4cfbb5fab4bb8e65.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
7KB

MD5
36e094916aecc8c31e004c05d9e9d1d9

SHA1
bc70e7c3bbef0d12421cb2ad93a9288720ff08be

SHA256
e362c5cf99f77905bd51eefe60066668af3f8ae46f17e43fdb523cb6b7289813

SHA512
195c3d6ab1d16d36e7ce69e1e34acf028b4f1b9cba89f620be95d96d19f9dee5a4063dc479cfd0dc022965a8fac5b5bbb8fb45435fb515cf06fc26177a30533c

Download Submit
memory/4524-43-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-83-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-86-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-89-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-90-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-91-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-92-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-93-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4524-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads