321c11c2402e6731f42633720164c58ac608442ea7dc58587d469ab6bcad2989

General

Target

easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
Size

209KB
MD5

3366514c8ba009e3141cf13ea8f84830
SHA1

fd09d0746465ef33e2074f26f45607e19bd48f9b
SHA256

321c11c2402e6731f42633720164c58ac608442ea7dc58587d469ab6bcad2989
SHA512

276474ac29a0f07ac3018c45783249b8e5a1079485a2e813021b73a316bec9269a68dd4c7a2d8fb13b10a0e3f9cdc7e4aa94610c57411c4aa59478fd293bde44
SSDEEP

6144:5731bdBaBsHr8xUYmi8TH3dYdBic4vMno:51bVHrHxpTHqiTvp

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_32fa60f0388042d84bd2e09adaf4eeaa9ccafee04ba78cd6f79c097486869760.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
568KB

MD5
240aad64e7d99cdd1ad314cc6dd53466

SHA1
81144da7b87d1c3a2b5e6d3505af8d1deceeaa13

SHA256
4293d0f2e5dee39a5cb4670afa563b4ce0e801d8b5176350627b73686962632a

SHA512
8317dad6db2d653685979c6ecd89c69f0e9135797dd92a853c75f10c7a4314746ad796ec9b423ec852123acbc585ec44e5ee6d6adadcccef87174c58ab34fa40

Download Submit
memory/3416-151-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-152-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-153-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-154-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-155-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-156-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-157-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-158-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-159-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-160-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-161-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-162-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-163-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-164-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3416-165-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing