cfe0d0b1f576014c2563bd9acc2bda7b81e217f43cb01ef7c270725ee2f43ad6

Analysis

max time kernel
157s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a99ff0f6cac1172328ded6d74c54b8d.exe
Size

1.9MB
MD5

5a99ff0f6cac1172328ded6d74c54b8d
SHA1

27e1b5424d90b9f0c008f18f99113efa3f8e1a6a
SHA256

cfe0d0b1f576014c2563bd9acc2bda7b81e217f43cb01ef7c270725ee2f43ad6
SHA512

c98199ff774a3b13bc280e0805f34b6d9a6a42f20cb21234ae72cc7b6348805e970843573e6d1b292abe6413989f307ac2e22ece50f025ccfa75859d4284297c
SSDEEP

24576:da2DsXeCbUZ7XRlql33ZMLLNLkqJhIG7go8W+D6GSEhMiPX6NSSJ/tc5VL3ltAbR:UXoDGL3gzSlyUmLFqT

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "Mirc"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "Mirc"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\" -noconnect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\" -noconnect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\""	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5a99ff0f6cac1172328ded6d74c54b8d.exe\""	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	5a99ff0f6cac1172328ded6d74c54b8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	5a99ff0f6cac1172328ded6d74c54b8d.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1480	5a99ff0f6cac1172328ded6d74c54b8d.exe
1480	5a99ff0f6cac1172328ded6d74c54b8d.exe

C:\Users\Admin\AppData\Local\Temp\5a99ff0f6cac1172328ded6d74c54b8d.exe
"C:\Users\Admin\AppData\Local\Temp\5a99ff0f6cac1172328ded6d74c54b8d.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mirc.ini

Filesize
890B

MD5
57c998745149a1356e8c97cfee3582f6

SHA1
6d1265107a04dbb3432c1ace82ecbe9562829537

SHA256
fcc077c895f5bfd5fe22708c13eb193f14f8288a8df8a668c72b8a82cb6342c5

SHA512
3cbdc3f943222571eb3f9f272c9c5bf11e7185ea3fb7464d39bf6cccc8fb797c5caf5dc9186340021700683c6840d482a6926743149d329d27cb881c692836e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mirc.ini

Filesize
161B

MD5
e0e1a58b12d00107bd82448c851f050a

SHA1
53f5505002bf715149e795cb2e7e7cebc42efb50

SHA256
28ec5033ce8704a968415797ed0ee910f2a99f1dc1d18cfc2dd1ec3572c83513

SHA512
2851f566112a6023a8136d4e46486aa385df6db92312e9f30e851f56a95f46a1e826f1f2e798486b57670e8f6c1418970187bde6e3d58e536f571ddcf5d8a134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mirc.ini

Filesize
629B

MD5
927d5fc9d900a0f0a2b32108199714fa

SHA1
2ff3d466de36773d3f33deeae21646e9cff1f688

SHA256
3e758533739a72ff3ba20d507f97963b886ae4712b4323ba8e7ac0a4dd7c19f9

SHA512
64582ca86a84cdfa8f10bd4b25c5902288f5ef9e7ebdb31394b680d59acf8c90ab10f5dfb745a7f59681a9fab9d599f79a276dba3fca06704996223b7e70dd59

Download Submit