8cd530a775727320078c315a232d1e189ba916fa68deb39d0e97b863e9b52f0e

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
07/08/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
Size

1.6MB
MD5

a289b0f6389af856a19d7e12c044e284
SHA1

9fcf65b98373cd5f3fb78913d5b4c6980309800e
SHA256

8cd530a775727320078c315a232d1e189ba916fa68deb39d0e97b863e9b52f0e
SHA512

86f0d42afe19449c30ee1c89e8db0ad4a4d025211b18d4159d299d7daa6b623d29b44c74671ac0349a91c67a14ff6b88864cdf5d0404adb93758b4180d0f3ded
SSDEEP

24576:V1bekvpM4ilGs1ePp6Ew+g26GzDr3uLQV7UsC8REtiMfgNbGCQESHX69lOlZ:VBQcs1Ilw+gezvkS7x6s92XRZ

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\xdccPrograms\ConvertInkStore.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\xdccPrograms\mip.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\jar.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\TabTip.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX8E2C.tmp	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\extcheck.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\java.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\idlj.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jarsigner.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javafxpackager.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\OSPPSVC.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\chrome.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX8EF9.tmp	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\javap.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\javaws.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\iexplore.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrmstp.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\apt.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jar.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\javadoc.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javah.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InputPersonalization.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX8ED8.tmp	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\ShapeCollector.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\msinfo32.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MSOXMLED.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\java-rmi.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\javah.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX8F19.tmp	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\RCX8F39.tmp	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\elevation_service.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\setup.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\notification_helper.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\ieinstal.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\jabswitch.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javac.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\xdccPrograms\FlickLearningWizard.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\master_prefere.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\iediagcmd.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\javap.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\DVDMaker.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\chrome_proxy.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File created	C:\Windows\SysWOW64\DC++ Share\ielowutil.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\idlj.exe	Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe

C:\Users\Admin\AppData\Local\Temp\Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe
"C:\Users\Admin\AppData\Local\Temp\Easy_Malicious_2b7bf900a6f5aacd0ffae838ac46ab135f3f1afb24a7a6ce38345f6dfb808eb6.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\DC++ Share\RCX8EF9.tmp

Filesize
62KB

MD5
b126345317624479f78fbf30b3a1fe5a

SHA1
655c966bf7bbf96ee49c83062d30b9dba17d693c

SHA256
8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301

SHA512
d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d

Download Submit
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.6MB

MD5
85efc590d183fc1603a57a83291299fd

SHA1
42df5d24e16645e55e7da7c4dcfba609d39b58e9

SHA256
e86d203fc069edb8807cb24e03f1743222ed98f0d4ef9d9635577308500fcc7d

SHA512
ddb29e69a7c4f7c216fb48cf407aa158e2c9c2e14dec0aa776cf18390145de68ff7aba31265f8a98708494877ab78c69ec08c3dc3e4877e5c1bfd91749d19efe

Download Submit
memory/2172-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-168-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-169-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2172-170-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads