58b851b30c4b998042c554e325fb4ba47d38679e71778da4f0d679c2c45a236a

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 10:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b5005f1a0d7bc1013e219f3b782e1000N.exe
Size

396KB
MD5

b5005f1a0d7bc1013e219f3b782e1000
SHA1

b67bd63505136460d60d425a02c63368fc416e5d
SHA256

58b851b30c4b998042c554e325fb4ba47d38679e71778da4f0d679c2c45a236a
SHA512

f7051259fa019a4b58cbc8531de8cbdf2b5825cd339cba429bc30eb9a61aebb12f7cc2e7d69e5be4c9ce98c1c4f99e380675a3244ec70a9d1a3e689fc6775f26
SSDEEP

6144:pmRC5dAARqqZXeAX7YM0y3vBVuzS8G8LB/WvnSbrd9aXBZXQ7kyfahvTnKeAA:pmRcdrVeArYMlB4b5BM+OXBZgIXLnKs

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	b5005f1a0d7bc1013e219f3b782e1000N.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9215.tmp	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9296.tmp	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX91D6.tmp	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX91B6.tmp	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9256.tmp	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX91A5.tmp	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	b5005f1a0d7bc1013e219f3b782e1000N.exe

C:\Users\Admin\AppData\Local\Temp\b5005f1a0d7bc1013e219f3b782e1000N.exe
"C:\Users\Admin\AppData\Local\Temp\b5005f1a0d7bc1013e219f3b782e1000N.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX91D6.tmp

Filesize
43KB

MD5
26634f1a72f7b49bdb8e38f1de570bbc

SHA1
01f55a7a9251c307bae8c39372fbe8bbe8502f3b

SHA256
59f9efb6fdb2b6d82fb746469ba11fc08ad470eb19df011f6d588e1bd687614a

SHA512
a5418ea8e440795597bd7453a6b6e807ae54ce67dcf67d00bec1391aecdeb6f1f8ec33afb87cf5e66ba8756cd2e798f84730f94caa7014d9c2906dcf025bd70f

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
396KB

MD5
b5005f1a0d7bc1013e219f3b782e1000

SHA1
b67bd63505136460d60d425a02c63368fc416e5d

SHA256
58b851b30c4b998042c554e325fb4ba47d38679e71778da4f0d679c2c45a236a

SHA512
f7051259fa019a4b58cbc8531de8cbdf2b5825cd339cba429bc30eb9a61aebb12f7cc2e7d69e5be4c9ce98c1c4f99e380675a3244ec70a9d1a3e689fc6775f26

Download Submit
memory/2152-133-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-134-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-37-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-38-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-2-0x0000000000424000-0x0000000000425000-memory.dmp

Filesize
4KB

Download
memory/2152-132-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-35-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-135-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-136-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-137-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-138-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-139-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2152-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads