17e7aa11283dddc5a20b17829aa27c8dd324b48b460ec7041ec8baaa712b2b8c

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07/08/2023, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
Size

1.1MB
MD5

9252afd7fcf35aa700e124a81bcfc1dc
SHA1

6e9eb1b1419033896f0f66437fb0d633c3a2d29a
SHA256

17e7aa11283dddc5a20b17829aa27c8dd324b48b460ec7041ec8baaa712b2b8c
SHA512

430adb692158d95f953af32adc99ebe6b18eb6b372ae3e94073b406f0d54287bb0812111be159720779969f2e4d38e55cf55ae7c25cd5f547e6be55de69b86e2
SSDEEP

24576:51bdeLEmijnqfNsuByMjX3bomFXaD2mWzVHUELRCvM1W+GeXkV3y2aEA:5+LFiUH0s3bJXYdWhHUSRCv9fVfbA

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXC7B8.tmp	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaw.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\appletviewer.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\mip.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXC6F7.tmp	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXC758.tmp	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCXC778.tmp	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_pwa_launcher.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InkWatson.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\VSTOInstaller.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\apt.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\javac.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javaws.exe	Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe

C:\Users\Admin\AppData\Local\Temp\Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe
"C:\Users\Admin\AppData\Local\Temp\Easy_Malicious_0701fa6937e2174db273842841121dcaf8fc5231dc067c5b97b62de9b5eae7ce.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCXC718.tmp

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.1MB

MD5
488bc3b13cf750fdeb3a56c6f1b68841

SHA1
a1d9eb9e2636cdcaec23a718b2b262827519fa1e

SHA256
00e26040992bfa294dc68ce56f6ca9164886193a5a7b63698dc5376ec96b16d7

SHA512
daab2fafd59618cd014ede9d66d78cfa8c7acbcad1a31fe53f4aaa8ba4181c43275241751e8dd4377cbd747a6a9d032abae017c4e0626a9d1efe85b53483a439

Download Submit
memory/2204-175-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-176-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-171-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-172-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-173-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-174-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-170-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-177-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-178-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-179-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-181-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2204-182-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads