f37b2a3c2adfca709193587c064dceaa615a159f753bbe4c2f604f509040f40e

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2023 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
Size

452KB
MD5

b6fc2047a3a1ecd5fc9bd64d407f1780
SHA1

dbc0555278dfa8a68d80c9dcd58ba533ec37d5bd
SHA256

f37b2a3c2adfca709193587c064dceaa615a159f753bbe4c2f604f509040f40e
SHA512

65039d371f869a0b9111cb41e96198f11e1726a4d9ebe93f1c30d692c96f377a8a50e4a87c89b8783844fbe4afcfdaab51227b354229a541ae0e1f38cbd0e790
SSDEEP

12288:I1btn2aP6/h1IKhk+3detKEp8GPOwyw3QwIFE:I1bx2aP6Z1zzcp8GPOwl3Qe

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DC++ Share\MavInject32.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\office2016setup.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe

C:\Users\Admin\AppData\Local\Temp\b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\b6fc2047a3a1ecd5fc9bd64d407f1780_exe32.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7z.exe

Filesize
457KB

MD5
557f09ae9c3a327d92eafecbd902d28f

SHA1
ebf074b6c8bddb7ad5c4835db788f3ec6cebfc4a

SHA256
b91480c240a5129af93761ac4e3351950a61cc2419787656492ecb720e0eaee9

SHA512
300531830379922fd51ae5a2b3e8816bbda97e74e36c4f5a56e1967525e21f0a279387768e7cfce90a9d4fcf227e19c67f14bdadf75c6276b4de2d45f86fa424

Download Submit
memory/3380-13-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-21-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-22-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-24-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-25-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-27-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-28-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-31-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3380-32-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads