678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
Size

3.6MB
MD5

9c8dd2fe878d823e04dcc1cb74f8b1da
SHA1

d4d228927bffd818a631be297005128ced74f24f
SHA256

678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1
SHA512

e5394a2d1e1bf942f106667e3422ac02101125ba1b51e24e492ef3bc4249459e60fcbe9d43b8aa4c2676c97f2281e0f8fe338d0ea68850ca7e648da7c28e4c6d
SSDEEP

98304:+RKWxbNFheM2EjMMMMMMMMMMcMMMMMMMMMMMMWMMMMMMMMMMMMOjR5I0k:+RKWxxyDI0k

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe"	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\mIRCmirc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe"	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\SystemSystem.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\VisualStudioRuntime.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\MicrosoftFramework.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\mircmirc.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\mircmirc.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\Windowsmsdasqlr10.0.19041.1.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Systemresources.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\MicrosoftTableTextService10.0.19041.1.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\mIRCmirc6.35.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\mircmIRC.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Windows Media Player\Windowswmlaunch.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\mIRCmirc.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\MicrosoftWindows10.0.19041.1.160101.0800.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Windows Mail\WindowsSystem.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\Systemoledb32.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\WindowsWindows10.0.19041.1.160101.0800.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfoMicrosoft.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginAdobeHunspellPlugin.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\MicrosoftVisualStudio.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\MicrosoftEdge.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\WebViewmirc.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagementMicrosoft.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\juschedPlatform.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate1.3.36.71.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstallerStudio6.35.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{0D3B55D5-C891-4ABD-ADA8-7B4746A87555}\Googlemirc.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\mshtmlStudio.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\ExplorerInternet.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\sqmapiOperating.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\mIRCmirc6.35.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ietoedgestubietoedgestubexe92.0.902.67.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\WindowsWindows.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\mIRCmirc.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\ExplorerInternet.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\mIRCOperating.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\mircUpdate.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado15msadox.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x64\EmbeddedEmbeddedBrowserWebView.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\widevinecdmDecryption6.35.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\ieinstalInternet.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccmeeccRuntime7.1.1.3403.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\Systemtifffilt.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\WindowsWindows.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\mircmIRC.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\playreadycdmmIRC92.0.902.67.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Acrobat.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPluginmIRC.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setupexeInstaller.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\HMMAPImIRC10.0.19041.1.160101.0800.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\mircmirc6.35.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\Windowsmsader1510.0.19041.1.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\qrcodepmpdatamatrixpmp.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedgeproxypwahelper.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\MicrosoftUpdate1.3.167.21.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\WindowsSystem.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\mircMicrosoft10.0.19041.746.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\Windowsmsdasqlr10.0.19041.1.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\NPPDF32Acrobat.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\WindowsWindows10.0.19041.1.160101.0800.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{18F127B1-7EA9-4BC3-9FD3-434ABBAC765F}\MicrosoftEdgeUpdateSetupUpdate.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\libGLESv2Visual92.0.902.67.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\MicrosoftMicrosoft.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jauregmIRC.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\WindowsMsiProvider10.0.19041.1.exe	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
4964	678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe

C:\Users\Admin\AppData\Local\Temp\678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe
"C:\Users\Admin\AppData\Local\Temp\678e638175437569437f70b98c61abce2ebff0f0e646b5cab73320dd1d2615e1.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...