391f2de6b0d739e93649703e08bd8aa5489eacff99789c903633fa24a97c746b

Analysis

max time kernel
118s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241fc92010656375a2457ba4428b31e0N.exe
Size

91KB
MD5

241fc92010656375a2457ba4428b31e0
SHA1

ef39db03d0880f5860e5cb33071eeda755018405
SHA256

391f2de6b0d739e93649703e08bd8aa5489eacff99789c903633fa24a97c746b
SHA512

9701eef800338ee2edc68109069ae0fe8ba554860e1375ec697a997dee320c8d1539f45e4eae44a7ddd852eb05d2c9fdcd9f291dbd53bc58f25c8b4223da3538
SSDEEP

1536:4aiqH1s+kCtrA2UMT0mTFibDKa1Xk+SezSOY6Ukg2dTtzy:51B31bdBob2QXbSezI6UPl

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	241fc92010656375a2457ba4428b31e0N.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\createdump.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	241fc92010656375a2457ba4428b31e0N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	241fc92010656375a2457ba4428b31e0N.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	241fc92010656375a2457ba4428b31e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	241fc92010656375a2457ba4428b31e0N.exe

C:\Users\Admin\AppData\Local\Temp\241fc92010656375a2457ba4428b31e0N.exe
"C:\Users\Admin\AppData\Local\Temp\241fc92010656375a2457ba4428b31e0N.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
930KB

MD5
41e68af1212e06985e13f287ffb0aa47

SHA1
9eac9f884e328daefd135ec1a6ec39a64f766a1f

SHA256
b640c539ce1831b85365338b2c5076c43469d503caf6e429ec1d1e9566d7d0f6

SHA512
c7fc36e1cdbb6de9cbc3ce6c7637fb66a63da5bf5cb9a87eed4da7401750be89993b7cc5e5d1290a038d4551e2a478bd74c8d2f54efe4cb3ee08119aebe78869

Download Submit
memory/3224-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3224-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads