a433647ac84c583fce6d0a2f7164996801a9d42c271de0d9a71e5a6b0e8851f6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1234789dc119daef7ee5e9da8012ff70.exe
Size

62KB
MD5

1234789dc119daef7ee5e9da8012ff70
SHA1

1bdf026a6dfa1cb50cb1a782c767b816b9b4a8ec
SHA256

a433647ac84c583fce6d0a2f7164996801a9d42c271de0d9a71e5a6b0e8851f6
SHA512

88029d17f2c71e28922136d16c1499ec7f14decd5c41b5cebbddf87d23e74ecd50ee592e82bc70711eaa629728d67f0fc375d8df97150dbf9a21870ac3deea9c
SSDEEP

768:zfuSjFkS+Y1HD1mQwh5I6O5yXX2+57cySpzyRuqL77DG++SO4uPVGyMSaCbJmg0g:VxnhvmXm+tSpzy42b+S5uPYyMSaMo31y

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	1234789dc119daef7ee5e9da8012ff70.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	1234789dc119daef7ee5e9da8012ff70.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	1234789dc119daef7ee5e9da8012ff70.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	1234789dc119daef7ee5e9da8012ff70.exe

C:\Users\Admin\AppData\Local\Temp\1234789dc119daef7ee5e9da8012ff70.exe
"C:\Users\Admin\AppData\Local\Temp\1234789dc119daef7ee5e9da8012ff70.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe

Filesize
96KB

MD5
23bfd2f052bc1e70cf511bfc5e9dcb0f

SHA1
e309c4a6b46d9263e9f6eebb3bd1484ba36c77de

SHA256
8b497c575dbf8551717135742336c634a3c5112c55be17fe2039abf2655909fb

SHA512
f46262d524a252114e6baeb4ec302050e13b1ba28538916f70065ae61298b312fab51e9eae806fcea4dbd8a6f17296ec1a4debadf20c4f5d172784a3c7ce0dbf

Download Submit
memory/2648-79-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-2-0x0000000000424000-0x0000000000425000-memory.dmp

Filesize
4KB

Download
memory/2648-23-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-78-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-80-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-82-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-83-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-84-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-85-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2648-86-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads