d9499190e918343466ccd2803219ae3627be65a67f7601c86d67ef3d336cc1d0

Analysis

max time kernel
140s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ce0a845d1222aae03918de8e55f4419.exe
Size

2.3MB
MD5

5ce0a845d1222aae03918de8e55f4419
SHA1

63258c81b89502f743506c5b285ba24c143703db
SHA256

d9499190e918343466ccd2803219ae3627be65a67f7601c86d67ef3d336cc1d0
SHA512

194c3ca53555ffd9327de1fa32f53d156283c27caa6b5c297d5500cfe311c5ede97b15108a94f0de39a8f2b6a1c808776363443d51287c688e9db2ca2a4f9dfa
SSDEEP

49152:OYyI+ge9PLY57AdbJ9xB6SmffAX3jF/DERrh0O0qfy21/RdSWX7g7nni:v+/VLY5UtJ3USn5El6yj/Anni

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	5ce0a845d1222aae03918de8e55f4419.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7C73.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7C93.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7D74.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7CB4.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7C63.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7CD4.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7D33.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7C13.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7D54.tmp	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	5ce0a845d1222aae03918de8e55f4419.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	5ce0a845d1222aae03918de8e55f4419.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	5ce0a845d1222aae03918de8e55f4419.exe

C:\Users\Admin\AppData\Local\Temp\5ce0a845d1222aae03918de8e55f4419.exe
"C:\Users\Admin\AppData\Local\Temp\5ce0a845d1222aae03918de8e55f4419.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\extcheck.exe

Filesize
161KB

MD5
b7d0fa7b5a3add82f2a13c6cc428d5e5

SHA1
c33cfe9318586b0e7826816cdb4d3fd386837390

SHA256
51ca2ea5c046c8aa934b23e3dbfef4dbfe3a4b71c73ab18acd16a7ba9a7128a2

SHA512
7966e225c88ca33064e84c53e2fb51ae6d75331f62c80874923c59b8bde7ea7ac8b34053d22d16e0b2da53ab1a7b4cac234ba33d7648793070db7d493e1d0a1c

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
2.3MB

MD5
9be97d331f3d995033091ce25225e09d

SHA1
bc37c7b8569af6f39626aa383527295c74dc39b7

SHA256
b27c478d2e9f395ef10b17a5423017f87cc65e1d7445d2d580a7096097c29b1b

SHA512
a157b3e942d33965d0f5eaf0f9a85578c7d95d04b0c1ebe9341e903f864b2602ff66553c9e1b787e8b42787e5a90dc605e7cb70ffb17d279e2b6cfad66794e46

Download Submit
memory/2372-130-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-131-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-133-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-134-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-135-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-136-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-138-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads