f8c6e89acc7370fa4bcb8827f74adbf8abe21b1aae549ef4785fbaf3f3b14fdc

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd99a65e2659613039cbfbd336a8f90N.exe
Size

784KB
MD5

9cd99a65e2659613039cbfbd336a8f90
SHA1

48681c97f74e6e4fbac763fe99e0022075674537
SHA256

f8c6e89acc7370fa4bcb8827f74adbf8abe21b1aae549ef4785fbaf3f3b14fdc
SHA512

b76d6d77ee3e19daf5f389a6aa3f24654199c25daec7c6d5abe6e190f6ce0844141ea9625849401f1bf63aeb0ec5fe0c36b4e90be0e3f41f486bd60577524734
SSDEEP

24576:41b3jes09zLMNRgoDPETLRu5oSmnh2g7JLEI:4VeN9zQNRgkwRu5DQ2+L3

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	9cd99a65e2659613039cbfbd336a8f90N.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3A42.tmp	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3A64.tmp	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3A63.tmp	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	9cd99a65e2659613039cbfbd336a8f90N.exe

C:\Users\Admin\AppData\Local\Temp\9cd99a65e2659613039cbfbd336a8f90N.exe
"C:\Users\Admin\AppData\Local\Temp\9cd99a65e2659613039cbfbd336a8f90N.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX3A64.tmp

Filesize
90KB

MD5
77fc370a001ed6f4d7257edfc7fa9cf9

SHA1
553f0fe589013524b58659d893806327597e5d9d

SHA256
7a7661f17db785a1a73bb5718d4adabda766aefec901fc28d94b29af1bff68dd

SHA512
81ab4a7b721e10433dcaaec81198973d4f07f176cacac5fc10a3be36d056a1b46c46ac40f0673c5c83479d0de3df375abb7501a8de52a66bca1dceb084b47c2f

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
831KB

MD5
646d4c4df4f0dae624c06d0a9c3509f4

SHA1
566fc409742f825f0c9b66215fc438b1795639a9

SHA256
c519971a2ecc8057794a431e84ed03da7faf6e40b3c0130b8cb37f10b0241377

SHA512
375b76a8f03a9539e6f6d688f03a965356617ae5a5a112b5b66fa80e61567bac537c364bdd82161d0153aad8153bbd2b9570c2ed5ffa38d5293c5e4a092d2435

Download Submit
memory/1308-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1308-95-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads