3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
Size

1.6MB
MD5

4359dab85bd2da12916c5380316cfdb2
SHA1

fcc56878c8521a8e4281777352ab6d81e0ee8d76
SHA256

3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7
SHA512

a37011702fdd45c50268aad450acc9dce0080314fbca979a464bc9bb16878cb8997c06ca1345c00d8c0dad47bda1221d4d8f50d21228f98f663a254935077ba0
SSDEEP

24576:V1btkOwrVWKr33VvLV08pxkD5Or8ApOP3rWVmGPPn3o03lQGLdKW72rxGg3feJ:Vfkbr1Vv6ckD5M3O/aEOY01bL7oGCeJ

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\initial_prefere.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCXAA4A.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD7A9.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCC89.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCF0B.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCXAA6A.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD7C9.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD80A.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXD526.tmp	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe

C:\Users\Admin\AppData\Local\Temp\3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe
"C:\Users\Admin\AppData\Local\Temp\3da2d108ee95692d1a723ba957b6b60b2eee75c0ca1b1ccb9cedc4f7f30172d7.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\jar.exe

Filesize
85KB

MD5
b3c84fc58ccf14d3bb95d48f21db2552

SHA1
dc79324aa702cc0c265ebd4cd89a923e2735a676

SHA256
34cae3fbec2dd06ad80c1ffbe54e2657475d1078bca4a08dbfcc0e8d9e386462

SHA512
4a4261809bec5cd613274f815b16cc79f939b2df4193b3a260a3cd82f6e5cd95ba0245b44febdcb7bb98af163fe2d2442d784e6a3e1421ab084d06723977cceb

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.6MB

MD5
dd0daa2f746b6e89305fdfc092738de4

SHA1
32f8d336348c3e74930877427a1689ad355cf241

SHA256
79153357ed828bc8abcdbb3153e05fc37c9bb0e4764e930149d1de626cad6d47

SHA512
968779cdc5d5b3f6b6cdac257a58a4a4acf546eeaac0f18c23dc4c27f3dd31d58554f510b37a1412982de4cc904cbc431abe032d0adc9d01b3287c4eeeded48e

Download Submit
memory/3800-136-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-133-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-134-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-135-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-138-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-139-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-140-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-141-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3800-142-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads