a9349ce64063f9ca04d9efcaec3947002a9b71876cd863c581ce0528db4c3a69

Analysis

max time kernel
149s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

easyMalicious301a0a4c3657.exe
Size

1.1MB
MD5

6c9ae6a5faca4239a20338baa3b99914
SHA1

fac3a387f9ceea59015838f285267eb8fa7e6172
SHA256

a9349ce64063f9ca04d9efcaec3947002a9b71876cd863c581ce0528db4c3a69
SHA512

396b2e31ef149d12d66c6980eef33467f774731216ac5aa6779e813e11d2bd598cd09c436213a334f0971687e46d988f2b6d8b5f029cb137ddb3552204625c40
SSDEEP

24576:p1b2N67Wx7SsKfSnvgwnc8tbycW7d7u1mxzezX3vErO5eODepB:pwN67q7HJocv1TX3ZEOW

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easyMalicious301a0a4c3657.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaw.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3E5D.tmp	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3E9D.tmp	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX3E1C.tmp	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\setup.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	easyMalicious301a0a4c3657.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	easyMalicious301a0a4c3657.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	easyMalicious301a0a4c3657.exe

C:\Users\Admin\AppData\Local\Temp\easyMalicious301a0a4c3657.exe
"C:\Users\Admin\AppData\Local\Temp\easyMalicious301a0a4c3657.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\extcheck.exe

Filesize
82KB

MD5
9a18bea13b9e0d8018b14ef3ff0d338f

SHA1
b77e4688391105b1d0305967ac9f989888ee7ac9

SHA256
dd2242ec163bd2133b8be89ca28864179c1b2c0a4e2927745820d63c2881d819

SHA512
c9db9820fb6d52be9db5770e9335e9554dd302f3ae7b7e701f542f5c091051dd2f632ae6b420d38383a1ea30dd3e0ec7981af955e5b21335dfc54503e2af0acf

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
1.1MB

MD5
48e8e32cdf87589c9b710806ad485c05

SHA1
55d91f974bf7346bfbed347b770ff85032b9dd61

SHA256
ab8c545e57d231585fc0b949d3ca9a605ec82ceb45c79b030c45d441bf1f8676

SHA512
7545cf38c18e91ec80117e1702f924089a82da413a10e6c2486e1c9fd7a18fab8d3d7a41699d080223a3564c46607ec94d7271aae276bc2a84a84f321e1f8459

Download Submit
memory/2160-171-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-172-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-168-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-169-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-170-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-173-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-174-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-175-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-176-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-177-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2160-178-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download