7a4cbd4d3b5c89ac4d5cfa2f0430e52b8983e94b5411f68eed7c17783a0c098a

Analysis

max time kernel
152s
max time network
36s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious1817a49a1c1c.exe
Size

495KB
MD5

1af2b2b681e801198758a70a944ff884
SHA1

d2816af76e8f1dd7a8feac17129fc59a82118eb9
SHA256

7a4cbd4d3b5c89ac4d5cfa2f0430e52b8983e94b5411f68eed7c17783a0c098a
SHA512

d098b6a787be3ca9db5085385730918b2684b5525498df37bb903b98d1cd522fceb397dbed164c0e5b5b61f5561eb5ea72f46b4835bf18529bfc70c8deb3500a
SSDEEP

12288:51bJOjfO6mc1ig+7HTP1pGmMpUBsuQAV5psZ:51bJObVigOTfDQUjnVu

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious1817a49a1c1c.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious1817a49a1c1c.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious1817a49a1c1c.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easyMalicious1817a49a1c1c.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious1817a49a1c1c.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious1817a49a1c1c.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
536KB

MD5
017e3ea9b921ee291c92442d1cf4538c

SHA1
a7fd50173bea13a13e7257d1aa30c8772b206f38

SHA256
04cc4b668ab6d79dee7ebbbe1409f74c332e79851edc9b21342732807b38ec85

SHA512
7433ac6b7e2225f0eef4c218bca59640f38513ccdc6e1ecefd35eec34c1c6cfcf17506f10342f587f9f9f611132d9983c3a38e1a0227062da8fb8bbc44c893f3

Download Submit
memory/2052-81-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-85-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-130-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-131-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-133-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-134-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-135-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-137-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-139-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-140-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2052-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download