36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
Size

84KB
MD5

b5fe8fe663cb9217e453e03aafd8d84b
SHA1

a280271ab703a82ae060e88829446f69a3d433ef
SHA256

36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027
SHA512

f6b76cd1f4fc3462482bef5aef7af2dc5e8522d223d0d4f0cf75a46c1a1587ddc13069ae0ec80183c056cfcaaa601bb8de4a9b91f885b8ed3011b00815163a1b
SSDEEP

1536:gxnhmuHsywOK6AwqmHT+SEDxsFUOHEITmic/PMbz1c6xPXfDBSjGh6:GA+XAwVHT+ZxsFHHGiTbzpJX9SjD

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe

Detects executables built or packed with MPress PE compressor 19 IoCs

resource	yara_rule
behavioral1/memory/2420-0-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00070000000153cf-8.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d1f-71.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-102-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-104-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-103-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-105-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-106-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-107-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-108-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-109-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-110-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-111-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-112-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-113-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-114-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-115-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-116-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2420-117-0x0000000000400000-0x0000000000419000-memory.dmp	INDICATOR_EXE_Packed_MPress

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX37B4.tmp	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX37D5.tmp	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX37B5.tmp	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe

C:\Users\Admin\AppData\Local\Temp\36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe
"C:\Users\Admin\AppData\Local\Temp\36b1e67e43bbfa193e15791d30a93a93f086e250436bd4742b8014127f4bc027.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\jar.exe

Filesize
47KB

MD5
0b9c74879b2b6d2226879bcf6a01ef7b

SHA1
ed54fdf0090a41d7599fc069efe2d968aebe4ebf

SHA256
8a25a32b9d4118572ba83fde65acf727c8668b5d3da568771df2c89e380331a1

SHA512
94b1fc1df2e2f2ed6eea667e4b1af385bd18c56031a22e0210d1fd5c2ce40af02c6c83c929fd26d4fd938c8a0e262a25e2cca89454953b9ee445ff9910042c4d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
683KB

MD5
42f7290a51de82397b5e7766896f2429

SHA1
63dccd716f6474e2b0db88391d65512937791b78

SHA256
a93c488c1a58f8bc8c63357a38f74205b338804c5d5b4c11c881191b3a301134

SHA512
93ddfef41770bade21540e71072ad37f35c765680f1aae503a7bb5da785736b208a59be40a6b3bdbd40d24d40f31222d1b35be3599abc1a98ba13b9e16f18363

Download Submit
memory/2420-108-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-109-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-102-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-104-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-103-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-105-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-106-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-107-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-4-0x0000000000417000-0x0000000000418000-memory.dmp

Filesize
4KB

Download
memory/2420-110-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-111-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-112-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-113-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-114-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-115-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-116-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2420-117-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads