e4af6dae63f8483e802f4455005faf7c2c343b2da3f5bd984fbe955d678d434d

Analysis

max time kernel
149s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious088b0fbd2928.exe
Size

77KB
MD5

0c067fa28dee834e3156e71e2627f94f
SHA1

c5e801d059af8d6697f40703f4a91ed23950e9cf
SHA256

e4af6dae63f8483e802f4455005faf7c2c343b2da3f5bd984fbe955d678d434d
SHA512

fe59ee256d72523953596db5fc309b5c13ad1c373bca5a7063811dc9df95a5d709d0db184dd47e0c11ff3baf99c76d3ae484224266752fb294b8b5472614acb7
SSDEEP

1536:caiqH1s+kCtrA2UMT0mTFibDKa1XEIHE/hHMGP8i:11B31bdBob2QXvHMBMGki

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious088b0fbd2928.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easyMalicious088b0fbd2928.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious088b0fbd2928.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious088b0fbd2928.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe

Filesize
87KB

MD5
c8a62f9cac6271a7b0d6c48a445b3724

SHA1
70bff533660c31fe35458a12b651d9e47d78250a

SHA256
77764743cde807429da671c8c5ec7321060e60001aa801f458217f884253468e

SHA512
5b49c09aac513f7cc345b2b34e40b27d04c10e23caa7f933d1de4b99dc2ae3294acc2950ee98c21ef876ba7c5a5488c25d1052156461686d3ffd914de618f80e

Download Submit
memory/2372-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-139-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-140-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-141-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-142-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-143-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-144-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-145-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-146-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-147-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-148-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-149-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-150-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2372-151-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download