bcce91d859d190f7010335132cba38d693fb09c12fd3bc56d7113e11eb98c153

Analysis

max time kernel
140s
max time network
77s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
Size

103KB
MD5

2c4a5bbad70896d8e6bd1f19bc2c58d7
SHA1

241fc6f370c44d7b01774140e8a032e8d8a19e23
SHA256

bcce91d859d190f7010335132cba38d693fb09c12fd3bc56d7113e11eb98c153
SHA512

4da36686511e94a0fd15e2dbbe86d8d6757265bd646ad7af8e4c8b18f6fc0e79454e4138ae165b3f6770b842166eb1110be40ea8a552ae911d278ed37210f2b1
SSDEEP

1536:kaiqH1s+kCtrA2UMT0mTFibDKa1XjVNgks30UIf+8D/zGNZ4Xl9/kgY80AP:t1B31bdBob2QXHgkP+6RlwAP

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX2FE7.tmp	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3027.tmp	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3067.tmp	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX3027.tmp

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
137KB

MD5
eb43200a7192f0f9a883975cbb19fe5b

SHA1
6ddca97f10ab558e2f8f0ee65c67fd2b824aa0a1

SHA256
42a86e8692ff4adb5fe486a716d2bf5683cb4860fcb958b7a304acb8944c3dcb

SHA512
3a0325ebaec747adb7662d02a4c90173947a34eee01a060e7b3cced935b042992ff9d8b4ac75a54de61a3f99a254a7ab0ce5b15b86da22196db1ff0119328460

Download Submit
memory/2868-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-91-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2868-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download