698e88b494bf8522fc9ae4af0cd0f031b29c47cabde96a5ca5fe0157229bcdef

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
Size

111KB
MD5

b4634653b44ec169337d2cc79f34f99e
SHA1

7ff60ff2dfff5f8d4440d68d3a15fdfec023f948
SHA256

698e88b494bf8522fc9ae4af0cd0f031b29c47cabde96a5ca5fe0157229bcdef
SHA512

51c9452a55b01e86bbcf4ba3e52a4908d3bb6481cebd638b29283c82e4c1dbef31cc56a6fb111891825a38bb7868684d92e79643dcc288a61abfc00c7633bce3
SSDEEP

1536:kaiqH1s+kCtrA2UMT0mTFibDKa1XTWmh2AgOv3BWf4tVjeXY52UOglXM:t1B31bdBob2QX6mh2t4BTVjeoUUOgl8

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX13C3.tmp	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX13B2.tmp	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_070ce55d0627a56ea50232535643302537fcb64e023028733b75d1e1a689a81c.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\jabswitch.exe

Filesize
81KB

MD5
21546b2558b724614e7fa604c771011a

SHA1
f445914bff48dd61d86029e494b795dd55a12cb8

SHA256
132d8fd8a25af69fcb3a3bd40a224f8b620482ccf5294135a843a4dd4a541ee5

SHA512
b90591b28b04c099ad24b9b597c130febf46bc65bc719b476e0f00cf17b037fb11e5325c8cadb803998bf3247b3a5d9e59133205036fe873698f5285ed029e07

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
428KB

MD5
67923109418be2c9ef84d21542b7c5df

SHA1
b6375960db123d728b240e89aa125f98361c9227

SHA256
178f49a4219f1c5bf2872932a3ed117ad94b007daa7c70f8f1dcd01a8dd441bc

SHA512
5d8abf4ddf7369dbe440cac0f595e030d8d7c33ed899446740c743118da55001c49fb0d4424bbbd65119295b3686e9279f5d70be545850a184f115aa21e19d4e

Download Submit
memory/3108-234-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-235-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-231-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-232-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-233-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-236-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-237-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-238-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-239-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-240-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3108-241-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download