dd25384c03364b0d932907212add7baed36ef13cac80c2a184820cb11ab2c14a

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 15:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
Size

719KB
MD5

7a1a7f8e585735b8e1f29d1d97d74d4e
SHA1

15350473c1fcb978e304c146483987541185e0ad
SHA256

dd25384c03364b0d932907212add7baed36ef13cac80c2a184820cb11ab2c14a
SHA512

3baf0cf4919b1f2f40c0c320036268ecc8131f4fc82e19bcb1782c0313e2c4e47d4c73509ab279ed6e8401dc178c18d2de658360af8e0714bbff757c9395d7ab
SSDEEP

12288:91bgEuBXEDkAjC82IGvvNqUUTIDAijaDLv2vDSknp/uR+DC5J6m1BzMTLSK:91bgZB0DkAjC82IG9fUTS+e3npFDC5UV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3B4D.tmp	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_2e28c0b40334e75ec1b7b44108076c5d8864da8f0e82813d8f1612ddd33e5960.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
847KB

MD5
fd673dbba6e34b3180ca7f3b2019c8a7

SHA1
22fcf6de505231f5793e9a66c82a6cc5b26f1d91

SHA256
4aa7b73ed3c4b39de16d34bd4c699afded7595c26c3d9923e166c8b0224dcd08

SHA512
381007215d0970140c15e9fc76d21971222d059dd12f3e1b9fa78c24f2449192b68844a2e45adbfa4a423a47c7fe5a2a2592aba99606dab7446b155d53e9dcc6

Download Submit
memory/2172-148-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-149-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-150-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-151-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-152-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download