455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74

Analysis

max time kernel
237s
max time network
251s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
Size

500KB
MD5

03be5277accfe5a0f5a10f5e0f341313
SHA1

5608a6aac40795831f6c27c341e8c67645605a28
SHA256

455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74
SHA512

2b01691e7adf787835e48084e16fca770ba71a018ab6d9b2b66f73eeeba54e94f803e59e4f0d083c37ccb579b8bc0a8af6f4698a07f0db87424c0a64e2916991
SSDEEP

12288:N1bArjO/iGeniDJvxJmxycsqLSNIqycPdQ:N1bArYiGeniDpx1cdLSN6cPO

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe

C:\Users\Admin\AppData\Local\Temp\455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe
"C:\Users\Admin\AppData\Local\Temp\455262e44199acda0f14f8625da2dcb05b683dea94ac7174167c50f7eed32e74.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads