a1359d2dc1fb3aa1a69bb1e662684d40b62580243093809941f9277cbddb9b4a

General

Target

easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
Size

1007KB
MD5

283e163906b5f7c41fdf45343793ca8d
SHA1

702d18d6642c128a639ee85d9d52b2afeb4290c1
SHA256

a1359d2dc1fb3aa1a69bb1e662684d40b62580243093809941f9277cbddb9b4a
SHA512

1825e6853028f8b8f8e4363ca4970f3dc0d677e835d8a4674ecec19c94cf54051b0537aec91dea197ecabf26645088a7751059972023ef3461c3579ba2416684
SSDEEP

24576:91b2y/Nf1ve700ETB6Ng8zxsdsNflBd4gx6ImWwsSCU2pxxE:9Ey1fhR8xsdsHBjx6IDXSL2pxxE

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_018c2d98664bd19a40a002f557e955156b83706966a4f162def9f93b6ce47ffe.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
1.0MB

MD5
f6532932507f275edff435110d8ef144

SHA1
67727059aea3170e5b3a35661f3b9b00687433a8

SHA256
5f98694c140b0decb201f60a17b9fd54872c16e98123b4348039a169d50dca5d

SHA512
60abc7d7d0a6eda8a927c295898362e92906f2e28d5bc10df01ec6e3707abf4a6a6efbd4b586dc488c697808de4f613e1720055eb2338b20d3b1f9f87a896c33

Download Submit
memory/4676-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-168-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4676-169-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing