69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5f

General

Target

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
Size

556KB
MD5

9fefe35d65820c2497e69ee0b90476e0
SHA1

f947a9823278e5994eba680d9395f733158d4300
SHA256

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5f
SHA512

edcd65be296d1b033889c35d01e36f9cd51264e50016d0e96e61fa7ace500577aeca4c63a4fe2d551539670a527eb937ca28d55782694b9af0903b0e67a8c0a6
SSDEEP

12288:51bHV9kkPX5kAaA2od1sx/9o1BykhXAXxpsVZi0Ee/Y7lspVPgFSHSuxHE:51b1NX5kAaQd1s/oykihpsVcRe/GIVEb

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

Drops file in System32 directory 64 IoCs

Processes:

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3A52.tmp	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3AB3.tmp	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3A72.tmp	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3A92.tmp	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

C:\Users\Admin\AppData\Local\Temp\69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
"C:\Users\Admin\AppData\Local\Temp\69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\jar.exe

Filesize
84KB

MD5
581fe95be196358bc5392c4aca4e2556

SHA1
4e72cad424ea73e456cc61587c2c133dbd1415fb

SHA256
42b9a62511eabb414f4228798ddfd531e7bc17f5aeea88db3f0f3a520646a101

SHA512
95dd9ea712181d589a1b1de8aa88212d9d6ab01128b79f7e8ff0ec089aa8d419013d3863aa48efd216b3eaed8a37e09fc004bbb51f39ff68fe6e1478c1c1a0a5

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
556KB

MD5
9fefe35d65820c2497e69ee0b90476e0

SHA1
f947a9823278e5994eba680d9395f733158d4300

SHA256
69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5f

SHA512
edcd65be296d1b033889c35d01e36f9cd51264e50016d0e96e61fa7ace500577aeca4c63a4fe2d551539670a527eb937ca28d55782694b9af0903b0e67a8c0a6

Download Submit
memory/1932-109-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-38-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-107-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-108-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-110-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-111-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-112-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-113-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-114-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1932-115-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads