a433647ac84c583fce6d0a2f7164996801a9d42c271de0d9a71e5a6b0e8851f6

Analysis

max time kernel
141s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1234789dc119daef7ee5e9da8012ff70.exe
Size

62KB
MD5

1234789dc119daef7ee5e9da8012ff70
SHA1

1bdf026a6dfa1cb50cb1a782c767b816b9b4a8ec
SHA256

a433647ac84c583fce6d0a2f7164996801a9d42c271de0d9a71e5a6b0e8851f6
SHA512

88029d17f2c71e28922136d16c1499ec7f14decd5c41b5cebbddf87d23e74ecd50ee592e82bc70711eaa629728d67f0fc375d8df97150dbf9a21870ac3deea9c
SSDEEP

768:zfuSjFkS+Y1HD1mQwh5I6O5yXX2+57cySpzyRuqL77DG++SO4uPVGyMSaCbJmg0g:VxnhvmXm+tSpzy42b+S5uPYyMSaMo31y

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	1234789dc119daef7ee5e9da8012ff70.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX38EB.tmp	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX390B.tmp	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX39EA.tmp	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	1234789dc119daef7ee5e9da8012ff70.exe

C:\Users\Admin\AppData\Local\Temp\1234789dc119daef7ee5e9da8012ff70.exe
"C:\Users\Admin\AppData\Local\Temp\1234789dc119daef7ee5e9da8012ff70.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX390B.tmp

Filesize
43KB

MD5
26634f1a72f7b49bdb8e38f1de570bbc

SHA1
01f55a7a9251c307bae8c39372fbe8bbe8502f3b

SHA256
59f9efb6fdb2b6d82fb746469ba11fc08ad470eb19df011f6d588e1bd687614a

SHA512
a5418ea8e440795597bd7453a6b6e807ae54ce67dcf67d00bec1391aecdeb6f1f8ec33afb87cf5e66ba8756cd2e798f84730f94caa7014d9c2906dcf025bd70f

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
930KB

MD5
9e94943b395d60b69bfe65f73f710ba2

SHA1
eae202ca5b6b700356986f8176d98c36ebd751f3

SHA256
bafbedf01573037412156d1f2640c6356a3ab64ee1a3cf441e962606fbf2c321

SHA512
d574634488d3262bceed744f96e8712119f1453cf704a9f343b9e2be165712892d6c70da7f30c193ac495f524a3ee281ea6cefb38de7aa4ba25f3e097a634f1e

Download Submit
memory/2924-111-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-114-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-4-0x0000000000424000-0x0000000000425000-memory.dmp

Filesize
4KB

Download
memory/2924-109-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-108-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-110-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-112-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-113-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-32-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-115-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-116-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-117-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-118-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-119-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-120-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2924-121-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads