e4af6dae63f8483e802f4455005faf7c2c343b2da3f5bd984fbe955d678d434d

Analysis

max time kernel
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious088b0fbd2928.exe
Size

77KB
MD5

0c067fa28dee834e3156e71e2627f94f
SHA1

c5e801d059af8d6697f40703f4a91ed23950e9cf
SHA256

e4af6dae63f8483e802f4455005faf7c2c343b2da3f5bd984fbe955d678d434d
SHA512

fe59ee256d72523953596db5fc309b5c13ad1c373bca5a7063811dc9df95a5d709d0db184dd47e0c11ff3baf99c76d3ae484224266752fb294b8b5472614acb7
SSDEEP

1536:caiqH1s+kCtrA2UMT0mTFibDKa1XEIHE/hHMGP8i:11B31bdBob2QXvHMBMGki

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious088b0fbd2928.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious088b0fbd2928.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious088b0fbd2928.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious088b0fbd2928.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious088b0fbd2928.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious088b0fbd2928.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
458KB

MD5
29e85702193b299863b002ddc0a732d6

SHA1
621bceb26e286988ef2a5813bddaf903ef9d42fa

SHA256
f4f922cc9b062e3b07b8a674e44818e916297018f0811118134abf63242098dd

SHA512
beb589bda435b1b9a496f2f00c6285b00aca93da46a4a428ac6aa4bed578b6eab759e5ab8a3fbc374f152a0be4590f58847f8fa74c1057dfb6d157cdff752948

Download Submit
memory/2172-149-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download