d1583147c6aa294889ed79b46e3fff3150d899b1f19a2040f33ff424a8a32ab3

General

Target

easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
Size

370KB
MD5

3a2f5cfba5491f47ff53e8770d517e21
SHA1

cf7df301c4f7c4879b85d6b1ade25de83a42aff7
SHA256

d1583147c6aa294889ed79b46e3fff3150d899b1f19a2040f33ff424a8a32ab3
SHA512

8e094feda175ddb178038994cb836fbd86dd905578cf5df9b44a3e7051aa954f972d04709c3385ca48b2c8900e706d94e285d7dd540bcc23f3d33d52e46e016a
SSDEEP

6144:s731bdBaBUwO1xptwumit3IYH1CWVTJESdQVP4jL4Hh1boDF1SWBhYYFs2:u1b3wOnEit3IeCWVTJbdKPXHMF1SWBhP

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_13b9849c61e8f920dcaffd714990dee2d0362eece1d6cd59c3e2acb50c13bff2.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:2128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
847KB

MD5
ee055275ce39536733e1d245cc2a228e

SHA1
ba5f4228ae0a0e6740db7da3a1afdeb6142a9aec

SHA256
55a241a78f49effeca4a225c4ca6e08c4abbda13c7c47b9dc3ae2b0ec3ad9236

SHA512
ff4f7551deeadf00b8a3f7f6096a9faa1cfd7307fdcd430af359dc83ad932e6f22c202fd8b2cb6f79352548f25b114cc0e759fcc48343b2dda71142220cf470b

Download Submit
memory/2128-151-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-152-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2128-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing