fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f

Analysis

max time kernel
135s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
Size

1.7MB
MD5

954474c2d39e30cfa300ab3135bb3fec
SHA1

64bcc05ef8ab5a41906f50d60412466f25ee16b1
SHA256

fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f
SHA512

f5cfcfeea4140acb19a75080cce0d207ddccac0757b0db0abf93fbcf0bf90cea73cfe5d47388eb38e87578c66a03fae59066a5e8af4407f78026e5088fbf3820
SSDEEP

49152:Aa3V/QzJw+3LtyVL6bJ5z1ZVZ/w3Rnia0A7UKXiA:n3V/QdwO4L6FdwBi0DSA

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe

Detects executables built or packed with MPress PE compressor 4 IoCs

resource	yara_rule
behavioral1/memory/2712-0-0x0000000000400000-0x000000000041A000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015c73-7.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000194ee-69.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2712-127-0x0000000000400000-0x000000000041A000-memory.dmp	INDICATOR_EXE_Packed_MPress

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX937C.tmp	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX935C.tmp	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX941C.tmp	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX93DD.tmp	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX932B.tmp	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX933C.tmp	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX93BC.tmp	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe

C:\Users\Admin\AppData\Local\Temp\fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe
"C:\Users\Admin\AppData\Local\Temp\fc47491c59dbd8a8bbc245fcd64e28c5936bae5e0ca9554af714240dcc69a17f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX935C.tmp

Filesize
95KB

MD5
aa42d8980e5750941eabf338ae6e1467

SHA1
f962ae910c33e68daff3064d5fe9f595744a0a63

SHA256
f79ed89e3d630aa09e105a98a66aff8532b2caf3cdc0c00346912ab88e5cf4f8

SHA512
6dbec3d3d91f267d3551ba50b9c193635e8200d8393f85512965399c5ac4ba04eb4b2f6ecd671977dab6193f2873435ca381acb696187dd353618f2055e0b5de

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.7MB

MD5
c902c6d92346301249c2c1ca9214b731

SHA1
ec1c0c60bd5871d3fbc50f2273dbe5f546202c80

SHA256
db5842a51a5bbb4a5fe5fa85894d017b6b07b0e6777caf4ff091f81e11f36d5f

SHA512
6fea66ed5e70db4e0d3ffca5b97ddda2b639da0073456a1412d24559b9b64592ff463f4a6c97b2e5146c03673b3a2aa33faa45527314637d5d9db9d6b6f66a12

Download Submit
memory/2712-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2712-127-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads