60e0de242f42c9c28a16c2332ea6cac08aa466205e0552d43da0c70b5963398b

Analysis

max time kernel
150s
max time network
35s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04/07/2023, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious2c4bec049e18.exe
Size

209KB
MD5

0347b13051b45974a978b6b7caa52755
SHA1

c0ac1e90ed6d0e798e9e38bcd61befd607581d7f
SHA256

60e0de242f42c9c28a16c2332ea6cac08aa466205e0552d43da0c70b5963398b
SHA512

3474b2ae290cf890af3de47857c4733bcf6e7326e6cdc8affd31e2efbc9dd7da450abcf6f6b0fb0a658b21bf4ddd791fe042a4dbd6de97fb8cf9c250b6670ca9
SSDEEP

6144:g731bdBaBp8A3zzYSqJulcLxUyGYGx1UB3/hlM6eX:S1bNAjc7mcVUc21UB56LX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious2c4bec049e18.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7D1E.tmp	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX809C.tmp	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7CBF.tmp	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7EE4.tmp	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX7F63.tmp	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious2c4bec049e18.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious2c4bec049e18.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious2c4bec049e18.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious2c4bec049e18.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious2c4bec049e18.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\extcheck.exe

Filesize
73KB

MD5
e8e1ba71ff480db5c5aa9501eff638f3

SHA1
9089bd3bbaedb8e786750e6684393f8f5ffbb6b7

SHA256
177526f9b184b925c471c4e3bb0ad63673c1bb3505aadd42cfb447515818dbcd

SHA512
d59a58c17080d791fa8f613c65efdf2f81d878d4efc6296cb0b06d595d9e0a68e7bac3406ba882b1dcf2d974cc59cdb77fb45f0cc29ef598e167f0b75869b081

Download Submit
C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe

Filesize
230KB

MD5
d0b62c4101590ffa37744498c5de4053

SHA1
f911a922d4c471319bae62c1f21fedd070cab418

SHA256
da40929077b50fe97ed3bf4f7bc5723eba7a45aee31306b860bb71f3a90ac01c

SHA512
89494928b9ddfd088714ec19a0931631f60af48d19a53f39fd9dc7a2826d8d510e21e5b456951fa03c970f9502838bf6ce25ea0cca011ffe3ce09fb45dec13a7

Download Submit
memory/1100-175-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-176-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-172-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-173-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-177-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-178-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-179-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-181-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1100-182-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download