5109e264b66b0146e69562bb5aed5d76b5e55dbf2a576cd7d21d46b489c190d3

General

Target

easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
Size

76KB
MD5

7796364b66fb1f95f63d16b9d809cff4
SHA1

ab6e13a5d248d7d82f36b283a0724d886a21590a
SHA256

5109e264b66b0146e69562bb5aed5d76b5e55dbf2a576cd7d21d46b489c190d3
SHA512

a1124b9891506f07e98388efb7c7712e992efc1126c152b09f406fa4a0bbef2f4b3b144d23340eae96d4098617b4cec9e665e097efb839a440362cfa19669d93
SSDEEP

1536:kaiqH1s+kCtrA2UMT0mTFibDKa1XFabc/HKoQgnO:t1B31bdBob2QXkGqoU

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe

C:\Users\Admin\AppData\Local\Temp\easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe
"C:\Users\Admin\AppData\Local\Temp\easy_Malicious_19e53fa3e6e4ce1c3686190ad6a8c561176e39580463cd749cb361e711e4947e.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
458KB

MD5
128d34f42dde348c6b2fbae60c43d624

SHA1
ba3c7275203f335bf1bbe0d8b3db902719d3a6e3

SHA256
78539a6c522229668921d75018f5b4d7e4001354268ffdfa105da8f4e653c855

SHA512
1ef193b92a06838f2b10aee0f2280da165da32e0dbb040664f31be60ca4c1101cdd3c7f7e8b44766ccaf6f260ffbb9e6692a6a1a1c62074dbff5de4df0574835

Download Submit
memory/3820-149-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-153-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-154-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-155-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-156-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-157-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-158-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-159-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-160-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-161-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-162-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-163-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-164-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-165-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3820-166-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing