87ec1bb9311f6b5a7f7e31791a250b1ffff63139254de19650d37d898aca2f32

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 14:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
Size

1.6MB
MD5

cf7260573230211caac9d5b0e9623c84
SHA1

eb6b1080d25fde2bdefd8ac3fba0451147cb9db0
SHA256

87ec1bb9311f6b5a7f7e31791a250b1ffff63139254de19650d37d898aca2f32
SHA512

2125ad1a79d3bc610bfcea88f3a3c8e148b447376bca777ff90f11571b9ecd82c43a4c9f46d6949b59554692838dfdc9fc7c5e851a983d94ef118c9ccedf47c9
SSDEEP

49152:SLTR/kHkzvESF7cGXQmLuQdXMhuh1pt5isgf:W/kHkjfcGXvLu637pt5bgf

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ConvertDebug.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB0DA.tmp	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB089.tmp	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXB0B9.tmp	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_20612695e35c9c1b4a20623854025afae2f2e5d4d4fe681327901f3374afd79c.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCXB0B9.tmp

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
1.6MB

MD5
7160bcb49340c7ab14d439a9e4b26cf6

SHA1
d1cead281a69b24fb3a6d335f5a0868b3f03cb97

SHA256
3f6ffefa4bc99d7dccd1178554cba75fc2a896e2ba7f41d89e12cabf0c09a4cb

SHA512
e2bc38e3753e4bea9102a2c1ed80e279d6b1469c1e71f7259c31ded547874940e983d3eb33de51ee09a3cfb67f94d76ca02047aead3b7ff94447416f033c0931

Download Submit
memory/3688-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-168-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-188-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3688-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download