f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
Size

84KB
MD5

941e89f5fced425e3b9d4ed2b95616ec
SHA1

ed33e1cc3b1435289b833376e2d01a4af4fe97ae
SHA256

f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236
SHA512

624c5fb268af97a01546bd17890cc274f3f2fdfa68df036f943227fefe34b704c1426dcc8c6413cdce64658d224d31a2700ac949a21fb7fb06134a4479ebe084
SSDEEP

1536:4aiqH1s+kCtrA2UMT0mTFibDKa1XohQrKXLirpdgHvqp4n:51B31bdBob2QXof+v0C4n

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXC1BA.tmp	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe

C:\Users\Admin\AppData\Local\Temp\f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe
"C:\Users\Admin\AppData\Local\Temp\f7974150eb8a388318dbfb617a15d5b15101035d057a2ed9e9a1784bcc9c5236.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
930KB

MD5
4669a83f0e8f3ad8a8813e5e69292ce8

SHA1
53bbb4c63f023a51bf330beb254cbd602090128b

SHA256
ae0e51e14eb94ce5090661fdc56d5f2919566b458a68929f01c906dca412a938

SHA512
a79d73c266df4592d2e1b6e76a830c38ee5de96198b1a7737e185bad83aa2ca09f7355420e5bd8e1f8d34872648e5f97c77bc72f9581866fa523554b49a3e693

Download Submit
memory/3000-90-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-91-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-92-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-93-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-96-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-97-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-99-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-100-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-101-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-102-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3000-103-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads