Analysis
-
max time kernel
140s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
arch:x64 arch:x86 image:win7-20230703-en locale:en-us os:windows7-x64 system -
submitted
04-07-2023 15:03
Static task
static1
Behavioral task
behavioral1
Sample
easy_Malicious_0d237030b5ea4ca1f6318357f3f0b4a7eaabb475baca27f297fe40b6eea437f7.exe
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
easy_Malicious_0d237030b5ea4ca1f6318357f3f0b4a7eaabb475baca27f297fe40b6eea437f7.exe
Resource
win10v2004-20230703-en
General
-
Target
easy_Malicious_0d237030b5ea4ca1f6318357f3f0b4a7eaabb475baca27f297fe40b6eea437f7.exe
-
Size
1007KB
-
MD5
d0088c67444868f95555a7e3b0dd9e2f
-
SHA1
52d610ac5eee53d556332d7d2ca740bee9d842f0
-
SHA256
e40113b6c21a2b6592c0b9794e6488035e4a6914afb90905446aac003da26b7a
-
SHA512
bb2fd229e6fd946802240c0ec8a966dcf4085853cc02a279c1f2d7abbd57f3b843de2b3fa9162ffded365f21dddc53d9e661fa74d21e829b4c3e720405e62952
-
SSDEEP
24576:V1b3pKEscHK8ZbGaEUMUEwBgKJaK3Dt53Vt:V7wcq8HMUEIgqagt
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | easy_Malicious_0d237030b5ea4ca1f6318357f3f0b4a7eaabb475baca27f297fe40b6eea437f7.exe
-
Drops file in System32 directory 64 IoCs
description | ioc
(Process for every entry below: easy_Malicious_0d237030b5ea4ca1f6318357f3f0b4a7eaabb475baca27f297fe40b6eea437f7.exe)
File created | C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe
File opened for modification | C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe
File created | C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe
File created | C:\Windows\SysWOW64\DC++ Share\java.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\RCX481E.tmp
File created | C:\Windows\SysWOW64\xdccPrograms\mip.exe
File created | C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\idlj.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\java.exe
File created | C:\Windows\SysWOW64\xdccPrograms\7zG.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\ielowutil.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\jar.exe
File created | C:\Windows\SysWOW64\DC++ Share\javadoc.exe
File created | C:\Windows\SysWOW64\DC++ Share\javaws.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\RCX47FD.tmp
File opened for modification | C:\Windows\SysWOW64\xdccPrograms\7z.exe
File opened for modification | C:\Windows\SysWOW64\xdccPrograms\mip.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe
File created | C:\Windows\SysWOW64\DC++ Share\chrmstp.exe
File created | C:\Windows\SysWOW64\DC++ Share\jabswitch.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\javac.exe
File created | C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe
File opened for modification | C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\msinfo32.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\notification_helper.exe
File created | C:\Windows\SysWOW64\DC++ Share\idlj.exe
File created | C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe
File created | C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\apt.exe
File created | C:\Windows\SysWOW64\DC++ Share\javaw.exe
File created | C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\iexplore.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\javadoc.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\javah.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\javaw.exe
File created | C:\Windows\SysWOW64\sIRC4.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\chrmstp.exe
File created | C:\Windows\SysWOW64\DC++ Share\master_prefere.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe
File created | C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe
File created | C:\Windows\SysWOW64\DC++ Share\jar.exe
File created | C:\Windows\SysWOW64\DC++ Share\java-rmi.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\java-rmi.exe
File created | C:\Windows\SysWOW64\DC++ Share\javac.exe
File created | C:\Windows\SysWOW64\DC++ Share\ieinstal.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\chrome.exe
File created | C:\Windows\SysWOW64\DC++ Share\apt.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\RCX477D.tmp
File created | C:\Windows\SysWOW64\DC++ Share\javap.exe
File created | C:\Windows\SysWOW64\DC++ Share\ielowutil.exe
File created | C:\Windows\SysWOW64\DC++ Share\extcheck.exe
File created | C:\Windows\SysWOW64\DC++ Share\jarsigner.exe
File created | C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
File created | C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\TabTip.exe
File created | C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe
File created | C:\Windows\SysWOW64\DC++ Share\elevation_service.exe
File created | C:\Windows\SysWOW64\DC++ Share\javah.exe
File opened for modification | C:\Windows\SysWOW64\DC++ Share\extcheck.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\easy_Malicious_0d237030b5ea4ca1f6318357f3f0b4a7eaabb475baca27f297fe40b6eea437f7.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_0d237030b5ea4ca1f6318357f3f0b4a7eaabb475baca27f297fe40b6eea437f7.exe"
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1320
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
85KB
MD5 8ce41a42eaf7bce92c5d9ef4e32d1a7d
SHA1 da125f4fd73b6b28e787a1007336d92906df4433
SHA256 c0f1fd61851371e795851eb10b68ea9f0ff0b63a8373576308c17ed12ef8d977
SHA512 74e6b243bcc9340b5f03ba69ec2c1a62c52bda8682b4837d7c71ddb14180dabc52b2a9b25d9270a5ad506d84c35e9e88c83abb8cc8ce8485c85d15fd75b08af6
-
Filesize
1007KB
MD5 d0088c67444868f95555a7e3b0dd9e2f
SHA1 52d610ac5eee53d556332d7d2ca740bee9d842f0
SHA256 e40113b6c21a2b6592c0b9794e6488035e4a6914afb90905446aac003da26b7a
SHA512 bb2fd229e6fd946802240c0ec8a966dcf4085853cc02a279c1f2d7abbd57f3b843de2b3fa9162ffded365f21dddc53d9e661fa74d21e829b4c3e720405e62952