cbeb459e3bf48d1e3e940cade5da3c4b25b736d438537b70be01694557dfeb73

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
Size

293KB
MD5

6b829656d61a753eaf0245365227af50
SHA1

b1fd0f223b092f89b0e83035317d865d42bd31c2
SHA256

cbeb459e3bf48d1e3e940cade5da3c4b25b736d438537b70be01694557dfeb73
SHA512

99143497d50c20c28047d00a834b86c226ccd5db3e0684e2fd6a87fd84f3225bb524f6727e055ce22ec7c69216f3be11625f0e91d13d9f18931f453449cc0117
SSDEEP

6144:s731bdBaBIMMTQxbDAmGtcWztwjJsrIJ0p92NWukgkivel/KHRmZDT7W7:u1bqDAlq9lgsstgkiWpKKXe

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9ECF.tmp	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9EAF.tmp	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{23CB782A-F884-4FD9-A86E-FF050DB0921F}.catalogItem	svchost.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9E8F.tmp	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9E6F.tmp	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1444ca88dcb00e3736815e06454a2468b035556ba359ac917980a13530a8f792.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX9E8F.tmp

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
847KB

MD5
6ffefa6e43221a0b7040f6d50147a91f

SHA1
756c783c1b811067c62634d0637bb43e779609a8

SHA256
870c644b651c84a2d292a8ca6a43f8aceead3decb40a5d901e10925b18522658

SHA512
f907f3a93549cbde8d53059bd6cb1d5c7167daa25fd2577abfe5ec3a051ce7f4866b784106d2019f60267d5eb436aee4d7842bdf629ecdc8b592ee00f85501c0

Download Submit
memory/4772-262-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-263-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-186-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-191-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-261-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-264-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-265-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-266-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-267-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-268-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-269-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4772-270-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads