7ea0f123fdf5f4856cfb01a04a4a5ca05dd556884fbedefee84174c782b4b94e

Analysis

max time kernel
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
Size

86KB
MD5

97687265e5bfae2cb6e96f59b807ce41
SHA1

03e2f687bf976344915b446230933a13c1b01a50
SHA256

7ea0f123fdf5f4856cfb01a04a4a5ca05dd556884fbedefee84174c782b4b94e
SHA512

ebdfc4595876e98fe3c3cf0bcf0750408400ac22b8f6aabf8cbbfcf176ecfaf381bdabc5be4d1f93fbab354a9082b5e75e16f8bdcc21526b97e79ba7c8ad581d
SSDEEP

1536:kaiqH1s+kCtrA2UMT0mTFibDKa1XFgRuA8QcP8+Mk/G/8Te3en:t1B31bdBob2QX2nCp/E93en

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_04ff1b051eceda9219e1e6dce62a2ed9e9a8782e1acf851aef66fe6a5e573861.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
457KB

MD5
8062ed63519d47e05e1c6682ca0a7f8d

SHA1
d5d920662906ce2a74ea8d6d07ccb969f439f264

SHA256
5fea054cfb0aae66b24e4c1f12ced26b7c5b0c30f7840447ae5b1fe61c6f3905

SHA512
5b1203b95082366fb766ca86a0e54c5f7addfb5335c2ec99a16d5d43013e900261ccd0cad51d20da227deedbe3590c5f4082766a82d50e9c48080a09824ca1de

Download Submit
memory/4468-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-176-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-179-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-184-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-220-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4468-221-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download