5aa07e9c16b59f7620a9cb13580516cab38c394d5fc9116bb7897c40972fdb6a

Analysis

max time kernel
142s
max time network
37s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
Size

678KB
MD5

4183cd7947c884749dfb8a0293322cfb
SHA1

10f8f39d2902961cb2a4d46605355048a11faf32
SHA256

5aa07e9c16b59f7620a9cb13580516cab38c394d5fc9116bb7897c40972fdb6a
SHA512

ff3541e9ec64f141858c1ad79883247a775f850bc9d740beefeffe7d882dcd0f9adcf591e731920fa9ca82f3d86d10623097045b16da53feb45601e258a19ff4
SSDEEP

12288:u1bfXi29lFyr93tfgKR7/wSi+Apu6c3U+/3s84Ai9/OW1NbT04/7o4C+yZZT3:u1b/i29lFyr1Ng2/Y+ATcEv8OjbdkR+S

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6415.tmp	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6435.tmp	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX63D5.tmp	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6476.tmp	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX63F5.tmp	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX6455.tmp	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_10511fc47175416acd3bd66c92ac7fc838b8ba2d17d3d49eadfa669d8d54fe76.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\apt.exe

Filesize
104KB

MD5
2f9064b01bd4156346baaa8ac551175e

SHA1
e202f1b3b516f7ce8078695420f448a192fce13b

SHA256
2b0456b418d631a2d5124a4320c27f490944f35e82f4691a1e6885dadb3d09c0

SHA512
e8b295221571c15d4674881be61652f15b58697fc7a50239cf5c253744828183563d20beb8d8e92dfb52e3ec52fff7e635dce76f162dc39dbe068b1e5e366696

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
717KB

MD5
da1791b587c82b1dd787d5e4a8e333f7

SHA1
0a544699a40e4bf0856e85d8716213a18a189deb

SHA256
9457548e080330d13a02b60c48938536cf55e4c99ab7e3e112e230ce59f8f904

SHA512
4e4e92c63dfc4c8845c79228a9e0516f7387933998818ccd03745ec1edd857c199fb6a230a5cad63f6702453dd1fb6e95fe64b2923e12070b41589d564da6ca4

Download Submit
memory/2180-179-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-175-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-176-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-177-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-178-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-181-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-182-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-183-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-184-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-185-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2180-186-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download