bec81bcd8a5f9f00f481fa566e9c05e474bef8c93f078b8766fb2199174becdb

General

Target

easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
Size

1.1MB
MD5

07a2da33ffdc26207181ae7dda643663
SHA1

8fc2d3f9bb348f9213d108d0940f302953198e64
SHA256

bec81bcd8a5f9f00f481fa566e9c05e474bef8c93f078b8766fb2199174becdb
SHA512

a85739fd9a76d2db77d4b2b98eb635196c02f66306f221b0b859213264ae816990d8b2d546b93d8fb4b00cc30b4c9428d71d5fe887594d3cc42204a3208f1881
SSDEEP

24576:51b8gbsMomO56u59CCvoS9I9/XdTK/EOQsxBDxR0jwxInW6gt4ekzQw3:5GgbsMo9ky91vo99/XdTGEQxBD30jvLh

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1de6af35b6a09b8194964e0a095b1523b5b48e853c8cc0d389b34c3156d774b3.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.1MB

MD5
07a2da33ffdc26207181ae7dda643663

SHA1
8fc2d3f9bb348f9213d108d0940f302953198e64

SHA256
bec81bcd8a5f9f00f481fa566e9c05e474bef8c93f078b8766fb2199174becdb

SHA512
a85739fd9a76d2db77d4b2b98eb635196c02f66306f221b0b859213264ae816990d8b2d546b93d8fb4b00cc30b4c9428d71d5fe887594d3cc42204a3208f1881

Download Submit
memory/4304-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-162-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-165-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4304-168-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing