bcce91d859d190f7010335132cba38d693fb09c12fd3bc56d7113e11eb98c153

General

Target

easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
Size

103KB
MD5

2c4a5bbad70896d8e6bd1f19bc2c58d7
SHA1

241fc6f370c44d7b01774140e8a032e8d8a19e23
SHA256

bcce91d859d190f7010335132cba38d693fb09c12fd3bc56d7113e11eb98c153
SHA512

4da36686511e94a0fd15e2dbbe86d8d6757265bd646ad7af8e4c8b18f6fc0e79454e4138ae165b3f6770b842166eb1110be40ea8a552ae911d278ed37210f2b1
SSDEEP

1536:kaiqH1s+kCtrA2UMT0mTFibDKa1XjVNgks30UIf+8D/zGNZ4Xl9/kgY80AP:t1B31bdBob2QXHgkP+6RlwAP

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_1bdfe96ba74b30dfb939b2d112734d308210f57593812c6b8c461f8f7baf99db.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
457KB

MD5
80bf29712e185c80278cde25f0fe53ff

SHA1
46f20473f248bbf8e32c1d11973dc1815bd68ae8

SHA256
f1c293e8b27634a63f8357d45796281c45adf145d7cbde50f480415eb1c3b114

SHA512
e70926bb631e95a10c07f485b9b8c8905522038a6434d633caa341c231438a2d9480b857ce0a1b453d13ac87213a7746519b82a1f705a2a504fa3a850c5ae067

Download Submit
memory/1212-151-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-167-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing