01e345551fef9d33fed5e81d4de9214c9ba2c1683f34ffef46894910d4445c02

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 16:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious2a7c02824744.exe
Size

1.2MB
MD5

35405f1a967852328da9966d92a13238
SHA1

f6ec26f5f8bfb615aaacd8ed32d630d0dd555a56
SHA256

01e345551fef9d33fed5e81d4de9214c9ba2c1683f34ffef46894910d4445c02
SHA512

443581caf279dc6d867d0109ac981b5e9a8a07984c3164e4b50d1916fc6ce17b3303aa9d80b2bffa74cbc114635d784b5ff62fe289cd5633e9d3c8068c560ead
SSDEEP

24576:c1bpLiBaNHyPmiDmEsuo3FCVikQ9cDdcs8EKfygmWAutuSofVXw6Khs:cbLAaQueuVKPDdLNgmWFtujdXw6f

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious2a7c02824744.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9CB6.tmp	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9D16.tmp	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX9C56.tmp	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\DC++ Share\ExtExport.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious2a7c02824744.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easyMalicious2a7c02824744.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easyMalicious2a7c02824744.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious2a7c02824744.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious2a7c02824744.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\idlj.exe

Filesize
79KB

MD5
f0d66862ca364cb366e7ec008f973770

SHA1
4ef48a8d5f267652ba81230034e667c8e1e27f30

SHA256
ea85c9bf7850df234da93ff8aed454d4699ac4f0ae86efa7fc5f32273f294e1f

SHA512
15556d5444f8689c870e434c9b209e4d675f45b54ddbeaca37fd606602d9c7893a0166a745a392ee7a21839c8caa40bab121db9329b306568f936d3234698a46

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
1.2MB

MD5
b018e3d37478d41fbd12bb39c005ccf7

SHA1
0b026398d918d1fd411db23640b6ab82fca110df

SHA256
6afce5551580aa3e62d7bd168548e466c4b7995c1eac0e8e09b4f704abcbc71e

SHA512
255be394cc82ad4493969e45e9f8932366e6caa6a4a98f8035e7c9445fdbf5b9ead59357e7da9d2696dcf645b75a21d6cff581f5693b4fffc3ad50e1f2613d2d

Download Submit
memory/4800-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-188-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4800-254-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download