5002b699e91066fb4539a40fca94f7e5aa2a3242c18e6d38e9debf0893c62135

Analysis

max time kernel
149s
max time network
80s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
Size

1.4MB
MD5

43b52bb9ea3b92ebae654f2032ad085f
SHA1

00bf9aaebdf78e04b717e4e8c649862670f83fe0
SHA256

5002b699e91066fb4539a40fca94f7e5aa2a3242c18e6d38e9debf0893c62135
SHA512

13669d3566eb172bdebc23c60093e1db67e070c2f1eef8f5d3772f4534d4c47bf37f702f9f87cab0b8b73435c3f8ded53856c5f5b988b883bd138d4604872061
SSDEEP

24576:91bLmnE+414hGDZ8133i3xTSt/ihgZvVfdBjId1XIF5B1PjR1Z8Dd+cWOZS:9Fd++67M3VK/iQvVfdBw14TPjRPq+cFo

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6972.tmp	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX69B2.tmp	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX68F1.tmp	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX69D2.tmp	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_12d0c11d07300bcc3d373fde65b434f83d78d42fb61c1c9d0112dbbd5e406eb8.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX6931.tmp

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.4MB

MD5
6a10da96e00355f0e15971437324fe3a

SHA1
9dde398e6b8e15c938b62abe2e6c95e793e7459c

SHA256
f4910f6f69eb26a8da6d843d7bb1128d966da6a9880d03a4183dd6d6b1a9ae3a

SHA512
fd8e7741c139eb8c03fb9378e767ec5567e9e126531525201b71ff2bbbac05a5877084689472d0ef0a43277b0438f7729aa5a8c6b8fc68fdcc2bbaca0f1eef20

Download Submit
memory/2952-182-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-183-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-178-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-179-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-181-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-89-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-177-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-184-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-185-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-186-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-187-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-188-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2952-189-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download