447e3bb9182607934c78bda4335ae44404281f32dc580a738c1270fbf8154bf6

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious2f877375ec4a.exe
Size

191KB
MD5

e06f7d345112749138d42a7fd06f08d7
SHA1

ffdcda481ab79e58d2900b5810f5f1e612cd0a33
SHA256

447e3bb9182607934c78bda4335ae44404281f32dc580a738c1270fbf8154bf6
SHA512

ea1b773659bbb5711dcd7032c86aceeb2e29983d637a1170ff5a1dfbe440d6c41adb695fd65d3433adb616928434b3978e562e01a4f54902120cea3dc66476a3
SSDEEP

3072:t1B31bdBob2QXD4w9hcdrTQ8O2p74s77Cg2IOM6AjsRI65EatQgTB755Q:t731bdBaBDHhcddOe74s1raIlatQwBtq

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious2f877375ec4a.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\mip.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\mip.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\LICLUA.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeClickToRun.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\InputPersonalization.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSE.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easyMalicious2f877375ec4a.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easyMalicious2f877375ec4a.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious2f877375ec4a.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious2f877375ec4a.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious2f877375ec4a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
457KB

MD5
0a26b39e719e984baec032308f15e87e

SHA1
f79a0eaacb8da29e8fc11abab66ced080acafb4b

SHA256
8defcaee82f6db46726b5d70d779f467e1a10e8ca51bd733881af226541be238

SHA512
8327141ffc9ab33075b1a3a7fbe5b7647abb44a46da43c69e9d1cb6c517a186f0127207fd54fd8586f3291ff62fb0cc85f0cd27746a5bfbc65a76d5164e8ab73

Download Submit
memory/4164-152-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4164-186-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download