1447b2d2f8b0f9979976c4a55f5f8c71ae484c3fca50a707fd295358b52cf8a4

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 20:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c965694a05e9f0c8c592a60a55382f00N.exe
Size

1.0MB
MD5

c965694a05e9f0c8c592a60a55382f00
SHA1

e759373ea1a99deeeda9f6f1edcf5960ba718111
SHA256

1447b2d2f8b0f9979976c4a55f5f8c71ae484c3fca50a707fd295358b52cf8a4
SHA512

9a34dd467539414106a9c0540f1da425029240618a911be4b9309d66ab32b69833e904099d39e819d8d0b44748455e8b171dd34b048929be27af71d2be28f56a
SSDEEP

24576:51bWskQL2jINViDsO/mwcKvR60qrNmOXD/odsfwP83ggnK:5IQMOVMc4fcNm8JfWXKK

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	c965694a05e9f0c8c592a60a55382f00N.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExitSwitch.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1BEE.tmp	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1BCC.tmp	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExitSwitch.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1BCB.tmp	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1BAB.tmp	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	c965694a05e9f0c8c592a60a55382f00N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX1C0E.tmp	c965694a05e9f0c8c592a60a55382f00N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	c965694a05e9f0c8c592a60a55382f00N.exe

C:\Users\Admin\AppData\Local\Temp\c965694a05e9f0c8c592a60a55382f00N.exe
"C:\Users\Admin\AppData\Local\Temp\c965694a05e9f0c8c592a60a55382f00N.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX1BCC.tmp

Filesize
62KB

MD5
c28efdd834ed453de90e550a8052f4b6

SHA1
1b4bd9e6b5254afdffa1d67e4f7f41fd320baee3

SHA256
ef1d62466f858e8f95d22c09679542c14ed2e711b64c7c75f5dd9edbd6da0ce3

SHA512
650ddc81119bf722a1af9ad01b5b76997b7cdcd075ea1a34f60ddc14902f1d0238eb8c272e83cefa2ee9f840097daedbe230049a1e7a7c1427ab9fcab30c1d47

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.0MB

MD5
8024d3b7795b0948137fa04ed4217b5b

SHA1
5d75408b9aaf96f9d76fd642356a7dcbca0287d3

SHA256
63d5d4bf393ac1ceef2fb39130da491cb8221968f5317313422fcd8971bbe3fe

SHA512
9ba2ec9be706c4807e6d65bf53b06ca44e42ff207c83bcde8e8b388eceb038ddcbabc42425b6dfb82a21eeb5f84b5ce9e3c592e3030f5b558f10029db3b28e88

Download Submit
memory/1856-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-111-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-42-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-115-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-119-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1856-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads