f4c9450208b5fe805a5bda89af3308e17b512f693893c120b8eea617fd03f77f

Analysis

max time kernel
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious290f005eb89a.exe
Size

583KB
MD5

c5432a72571b96840cceb1a9f3632e44
SHA1

00502b61a8221841057934d8df2d567fcae75112
SHA256

f4c9450208b5fe805a5bda89af3308e17b512f693893c120b8eea617fd03f77f
SHA512

e3bad37276be2762ee462a92b41c1e8ab114b8e2e40c2b383f2d765212436c93778269e5957d8731b45fefc9c036911e6916514cc64c4f63ece91406b0e8035d
SSDEEP

12288:51bz5/JrM6qJyGt9GO0S0QSoFohsMdXZ0aOHvw1mC/9:51bz5Rr/uyQt0SW5dXtjl

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious290f005eb89a.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCCBC.tmp	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCBDB.tmp	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCC5B.tmp	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCBFC.tmp	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXCC1C.tmp	easyMalicious290f005eb89a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious290f005eb89a.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easyMalicious290f005eb89a.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious290f005eb89a.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious290f005eb89a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\idlj.exe

Filesize
76KB

MD5
8afb771e427e43a2159cab9729d05e85

SHA1
7c0bcc5fc7deec99f1be8ff83b7e64ec4bec244f

SHA256
173379c50b52da74e6e860f26e9f73012dbced09739d1b55c24306ea27f3a92c

SHA512
dc1ef915e7a3f7193224ec71ed11bcbcd62d1bf198a930fef83e313b2a40758216c5e71b280829a69dd460164a7b4889ae35443f4b9bca138013078bbcaf4092

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
631KB

MD5
b0c0f5e242dc2fa4bb8c6e5de5d4f47a

SHA1
6e819fabb7eee3d9e53bce642de4f37de8858078

SHA256
ef65e3f5e82b3e9907438e1a829aa7c01b815eb14f0177d31355f59f06022eee

SHA512
590de3177b7faf4b296cd5baec44aa77d3c46f86762a87ac66e5c0a385a8fb39b031af9b8cdac6c52498e5767a7894749bb35ca2dddcb362c0ee6990e67c72c2

Download Submit
memory/1708-247-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-248-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-243-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-244-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-245-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-246-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-249-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-250-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-251-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-252-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-253-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download