8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
Size

431KB
MD5

9d0470ba47f6d3f61072317f6904d434
SHA1

aac8a0e4bbb48c34e02587f68c7e447d40d8052f
SHA256

8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca
SHA512

091cb8c16805d2c47960baa1c3a8ac599cdec7333b0022f139a101ca6edde96ceafef8e85155d17eb9c13fd632998a58c055f576f342d701432fe95bd5cb9617
SSDEEP

6144:A3MbvBaO9o7nduQyxg3XdECeSf3pAvTd5GPtRQrY1STCJxLhsLpoq5ynENQpjBei:OMbz9obd8uXxGLd3rYo2Jdhs/qVpjBei

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD91C.tmp	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD97C.tmp	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD93C.tmp	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe

C:\Users\Admin\AppData\Local\Temp\8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe
"C:\Users\Admin\AppData\Local\Temp\8ba2dd78050386b227deb81f43b0b2b16eef33605937ff8ed6be08004fa5f7ca.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCXD91C.tmp

Filesize
119KB

MD5
6254099ef9ad7f739f50d65903937255

SHA1
b13870e37d62a929ea8ce0c6213476f2a57fa3c0

SHA256
cdd2cfe0f5bf927556acc79333f9423c1690d0e50656aea0457ceaf4b2b17a1f

SHA512
f36b68d03e4b539490455a4f43e6dfd74a82e2ab247027f7ca2bb467221ea57d476f5fb6f26dab27a749359a537a09a42f8569386442d308f8a34632422733f4

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
543KB

MD5
33818a220006692dbbf2292eba7ee904

SHA1
b83f44ea5a70a3a0fdced7981f47e3ff041f3f6e

SHA256
7e08a3b5a3fd09dac1db215e3b02ea820c833e04c1ff0958c1cc63a730934fa8

SHA512
947735788d5cbfd54913e878374cefe639bfe5b8e1a329e83f9d61729bf1ab1e14bc31bb4db22f406fc171b3319d64b205eb6cb840ba1f71fe6aeef03660522c

Download Submit
memory/4828-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-26-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-101-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-102-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-103-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-104-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-105-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-106-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-107-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4828-108-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads