80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d

Analysis

max time kernel
74s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
Size

502KB
MD5

7701d602308ae8042f4b705947cd8290
SHA1

43294f5ae7b653aa0497e189651251c6bf1e6d68
SHA256

80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d
SHA512

0a0de2c217b517eea33c4a35e9b53fb14f12ff6f92a016b2cc48ee46bdaa732f6faf8e307f3342bf786cf798d115a840678bb467b62484b44bda5c4e182f86dd
SSDEEP

12288:i1bYNubSYFal66R1oDASYEk7lGEbnKuMZUf4:i1bY6ck6foDW7lxrN4

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe

C:\Users\Admin\AppData\Local\Temp\80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe
"C:\Users\Admin\AppData\Local\Temp\80efe5f31d9afd2fba75a8ab50303cd6dd07a900d8e62c52711a89e3d13c161d.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads