3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
Size

90KB
MD5

f6bf8f15fdb763aa41ebef2ad57bcb74
SHA1

1c8b0c92c72c21133b59c9242d0ed71dd5317097
SHA256

3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852
SHA512

d6a9985ff0e45f7bf0523582925dd9398fa8ffcde003140cd60884c4e59243942bf70f61e22c82a12ca0d828839def5059f98543f64007c7da4e5008c8397f34
SSDEEP

1536:IaiqH1s+kCtrA2UMT0mTFibDKa1Xoh+RgZG8IvyP0dJwe9:p1B31bdBob2QXovZbt0dp9

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD7DA.tmp	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD898.tmp	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD8B8.tmp	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD8D8.tmp	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD7BA.tmp	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe

C:\Users\Admin\AppData\Local\Temp\3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe
"C:\Users\Admin\AppData\Local\Temp\3cce63f1ed40f2adf1d3069d4cb7b8d3c49ac0e6d003d94011f1a5adbf783852.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
116KB

MD5
a81f387a529ab4433cdb393bc5f5e041

SHA1
0d14f960a1f871cff3607401a11cbed2f380c7d9

SHA256
7c6fb09edf42c492ebda9082bbc5acc82a280636375859d41a15b4bb3bfae879

SHA512
e6c3cd34e5cc74f12306477a8f867028b69b76f8dcac3e312e78136438038cf9a2793a9959cb0fc779ed9e11e81709b31c1482f5e5795ac380b73f11dc2e32f8

Download Submit
memory/1668-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-115-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-116-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-118-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-119-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-120-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-121-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-122-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-123-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-124-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-125-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-126-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads