d1583147c6aa294889ed79b46e3fff3150d899b1f19a2040f33ff424a8a32ab3

Analysis

max time kernel
140s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 15:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
Size

370KB
MD5

3a2f5cfba5491f47ff53e8770d517e21
SHA1

cf7df301c4f7c4879b85d6b1ade25de83a42aff7
SHA256

d1583147c6aa294889ed79b46e3fff3150d899b1f19a2040f33ff424a8a32ab3
SHA512

8e094feda175ddb178038994cb836fbd86dd905578cf5df9b44a3e7051aa954f972d04709c3385ca48b2c8900e706d94e285d7dd540bcc23f3d33d52e46e016a
SSDEEP

6144:s731bdBaBUwO1xptwumit3IYH1CWVTJESdQVP4jL4Hh1boDF1SWBhYYFs2:u1b3wOnEit3IeCWVTJbdKPXHMF1SWBhP

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX870C.tmp	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX87FE.tmp	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX883E.tmp	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX87BD.tmp	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\apt.exe

Filesize
83KB

MD5
21fbae597fa3489001ace4333eca115e

SHA1
f53cde8e1369ab84edf9080a525dce787a5677ab

SHA256
242b80047270c51b76f87a4cb7014fbff1ff69dd8488504d5612ef660d14923c

SHA512
4cef6fd91cadadc48b48e658025b8b202c30fd46607b8940ed8db79f4c1ed4b54ec558585c7557bdb39b90bd8779787b47be6a372a35f4f21eb9771e05946b50

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
568KB

MD5
2b41b045e72d6cfea8418c71428e3ba2

SHA1
ca740f1ebc3d5ce2f94fd7a6df0ac955261c46e7

SHA256
395ca11c0662e9e37b33493ebb3670ce0127666ca5b0475c7318fca027ede357

SHA512
87a19bce5d56477710ff8628e87e0a87c04bc6a1855fda8a6630ae853f85667b7889dca6031f3a05fdb9c4c70557db37419889adef1e3a6bcb0a6897cb7af4ae

Download Submit
memory/1632-196-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-197-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-192-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-193-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-194-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-195-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-90-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-198-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-199-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-200-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-201-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-202-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1632-203-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download