2807b0352a05a46e97872a589532ff0b5eabd763c335d88c29cc41543c7eb47c

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious257ad68ecb72.exe
Size

847KB
MD5

cb42e6d5228ff4dff9927599032b4acd
SHA1

6b788ca1eb918aba3effc2531fc31fde09970847
SHA256

2807b0352a05a46e97872a589532ff0b5eabd763c335d88c29cc41543c7eb47c
SHA512

e372d5ed6ae381ba62487282cb3d611b8e607a989eebe16805629a92ca47d0cfa96855bf643f147cd71d4f3705e77c75d6e2f2129dc2c352e7168e740e8ba0ca
SSDEEP

24576:91bVl10+FrG6nlnnSyrQrHQDSqYJD6a2pspV+STK:9X75rNnSDUlass7LK

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious257ad68ecb72.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCXC479.tmp	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCX108.tmp	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCXCCB7.tmp	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\RCXD572.tmp	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easyMalicious257ad68ecb72.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easyMalicious257ad68ecb72.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious257ad68ecb72.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious257ad68ecb72.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious257ad68ecb72.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
847KB

MD5
cb42e6d5228ff4dff9927599032b4acd

SHA1
6b788ca1eb918aba3effc2531fc31fde09970847

SHA256
2807b0352a05a46e97872a589532ff0b5eabd763c335d88c29cc41543c7eb47c

SHA512
e372d5ed6ae381ba62487282cb3d611b8e607a989eebe16805629a92ca47d0cfa96855bf643f147cd71d4f3705e77c75d6e2f2129dc2c352e7168e740e8ba0ca

Download Submit
C:\Windows\SysWOW64\xdccPrograms\RCXCCB7.tmp

Filesize
269.8MB

MD5
a9a5aa5e03f56159e35b091d26e04770

SHA1
0c920bbacabe042d5425dc3d5852c86b6fb90326

SHA256
b1164deff8cee29a58a61e6843ca368cd4e0ce0c1a34be423d510dbf7446051c

SHA512
64f012176e4089eba49b1335f852967b740c24580ee93f748354f85d637412493a0e392087deec48526cb2dd76975af38423ab481c5f40421f0f44f78a47ccb6

Download Submit
memory/3040-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-175-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-176-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-177-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-178-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-179-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-181-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-182-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-183-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-184-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-185-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3040-186-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download