f8c6e89acc7370fa4bcb8827f74adbf8abe21b1aae549ef4785fbaf3f3b14fdc

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9cd99a65e2659613039cbfbd336a8f90N.exe
Size

784KB
MD5

9cd99a65e2659613039cbfbd336a8f90
SHA1

48681c97f74e6e4fbac763fe99e0022075674537
SHA256

f8c6e89acc7370fa4bcb8827f74adbf8abe21b1aae549ef4785fbaf3f3b14fdc
SHA512

b76d6d77ee3e19daf5f389a6aa3f24654199c25daec7c6d5abe6e190f6ce0844141ea9625849401f1bf63aeb0ec5fe0c36b4e90be0e3f41f486bd60577524734
SSDEEP

24576:41b3jes09zLMNRgoDPETLRu5oSmnh2g7JLEI:4VeN9zQNRgkwRu5DQ2+L3

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	9cd99a65e2659613039cbfbd336a8f90N.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX5D98.tmp	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\dotnet.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\createdump.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX5D78.tmp	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\initial_prefere.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX5D99.tmp	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\initial_prefere.exe	9cd99a65e2659613039cbfbd336a8f90N.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	9cd99a65e2659613039cbfbd336a8f90N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9cd99a65e2659613039cbfbd336a8f90N.exe

C:\Users\Admin\AppData\Local\Temp\9cd99a65e2659613039cbfbd336a8f90N.exe
"C:\Users\Admin\AppData\Local\Temp\9cd99a65e2659613039cbfbd336a8f90N.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX5D98.tmp

Filesize
90KB

MD5
77fc370a001ed6f4d7257edfc7fa9cf9

SHA1
553f0fe589013524b58659d893806327597e5d9d

SHA256
7a7661f17db785a1a73bb5718d4adabda766aefec901fc28d94b29af1bff68dd

SHA512
81ab4a7b721e10433dcaaec81198973d4f07f176cacac5fc10a3be36d056a1b46c46ac40f0673c5c83479d0de3df375abb7501a8de52a66bca1dceb084b47c2f

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
930KB

MD5
e0a583d1eb5dd9552f843151f873be86

SHA1
d3ac6316aa8b98d70e557f94a8c37bbc6162a268

SHA256
b74a8e267a27b13014b40de7c37f5265c1d7c5e4f6bea631d477ea1ae34f7373

SHA512
eed1afe55ad7f9914c3d266e9ec43fcfe63da1f242cdbfc01ff1c5d6d44baa1d25194a5666c81059f42ec4b33cda3202f0d500013211665bd3e04a2c5e93eb9a

Download Submit
memory/4824-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4824-20-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads