cfe0d0b1f576014c2563bd9acc2bda7b81e217f43cb01ef7c270725ee2f43ad6

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a99ff0f6cac1172328ded6d74c54b8d.exe
Size

1.9MB
MD5

5a99ff0f6cac1172328ded6d74c54b8d
SHA1

27e1b5424d90b9f0c008f18f99113efa3f8e1a6a
SHA256

cfe0d0b1f576014c2563bd9acc2bda7b81e217f43cb01ef7c270725ee2f43ad6
SHA512

c98199ff774a3b13bc280e0805f34b6d9a6a42f20cb21234ae72cc7b6348805e970843573e6d1b292abe6413989f307ac2e22ece50f025ccfa75859d4284297c
SSDEEP

24576:da2DsXeCbUZ7XRlql33ZMLLNLkqJhIG7go8W+D6GSEhMiPX6NSSJ/tc5VL3ltAbR:UXoDGL3gzSlyUmLFqT

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\" -noconnect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "Mirc"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\" -noconnect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\""	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "Mirc"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\""	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	5a99ff0f6cac1172328ded6d74c54b8d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2332	5a99ff0f6cac1172328ded6d74c54b8d.exe
2332	5a99ff0f6cac1172328ded6d74c54b8d.exe

C:\Users\Admin\AppData\Local\Temp\5a99ff0f6cac1172328ded6d74c54b8d.exe
"C:\Users\Admin\AppData\Local\Temp\5a99ff0f6cac1172328ded6d74c54b8d.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mirc.ini

Filesize
184B

MD5
f1b4ec8c68dfe5a68d8c53461367a5cc

SHA1
71b80b0bc1832720117830883803342cb2b89042

SHA256
c3a7de0358a04ec267b7677ef3aceee7078eefa793e16a4dd4fad1f5bd672d41

SHA512
840d4b5cd53c1e3c3b5c233fc006f9b2f5065bd9b15403798af9bc13c2259e537f6de5bc84efbcd15a6a6dd9dc9adbfd19de54d777308d8272f759b6987577ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mirc.ini

Filesize
94B

MD5
b0fc128d0e698ed00aacb7031fb21d5a

SHA1
2e28d666f89895e7ace125acf5fd9b3c09821b59

SHA256
af7db6e7d003e9961b0c09af2b6eb9253409eca18adc098d02f20b2575a082bb

SHA512
3633ff898c3cb3f7aede5d553fe24fcea0c4b97c948849b2f8e7ad6f9c0c865a01346369e5c778845ffacb92f5c989476c7b926c908462d485e9d15348431068

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mirc.ini

Filesize
890B

MD5
57c998745149a1356e8c97cfee3582f6

SHA1
6d1265107a04dbb3432c1ace82ecbe9562829537

SHA256
fcc077c895f5bfd5fe22708c13eb193f14f8288a8df8a668c72b8a82cb6342c5

SHA512
3cbdc3f943222571eb3f9f272c9c5bf11e7185ea3fb7464d39bf6cccc8fb797c5caf5dc9186340021700683c6840d482a6926743149d329d27cb881c692836e9

Download Submit