71f8557e598ab77112e5a7f42db238a5b1117bdd50d195bab4b91b499c1358db

Analysis

max time kernel
112s
max time network
30s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38454c27a3c8fc048aff87627514b2ef.exe
Size

2.0MB
MD5

38454c27a3c8fc048aff87627514b2ef
SHA1

50ef637c237cc888734c9867d395c83d32d4bc5b
SHA256

71f8557e598ab77112e5a7f42db238a5b1117bdd50d195bab4b91b499c1358db
SHA512

5b5ffde003f0376505ac1faec60943b1a5a66690e4ec251e86b4926c633fb6fd4f892cff23e037b5412970f96bbd60aac7971b9c280ccc6cb0482341397cd320
SSDEEP

49152:2UO5XqloWiZGuTBnak2o5RMfjsTXDRm0a/sVdrhb1FCl+vzXi9V7Y:vuKoWiZGuTokR5RMek9/srr1n+Y

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2984	mirc702.exe
2980	new.exe
2624	mirc702.exe

Loads dropped DLL 10 IoCs

pid	Process
2004	38454c27a3c8fc048aff87627514b2ef.exe
2004	38454c27a3c8fc048aff87627514b2ef.exe
2004	38454c27a3c8fc048aff87627514b2ef.exe
2984	mirc702.exe
2624	mirc702.exe
2624	mirc702.exe
2624	mirc702.exe
2624	mirc702.exe
2624	mirc702.exe
2624	mirc702.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mirc702.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000012223-2.dat	nsis_installer_1
behavioral1/files/0x0008000000012223-2.dat	nsis_installer_2
behavioral1/files/0x0008000000012223-16.dat	nsis_installer_1
behavioral1/files/0x0008000000012223-16.dat	nsis_installer_2
behavioral1/files/0x002f000000016d3e-22.dat	nsis_installer_1
behavioral1/files/0x002f000000016d3e-22.dat	nsis_installer_2
behavioral1/files/0x002f000000016d3e-24.dat	nsis_installer_1
behavioral1/files/0x002f000000016d3e-24.dat	nsis_installer_2
behavioral1/files/0x002f000000016d3e-19.dat	nsis_installer_1
behavioral1/files/0x002f000000016d3e-19.dat	nsis_installer_2
behavioral1/files/0x0008000000012223-5.dat	nsis_installer_1
behavioral1/files/0x0008000000012223-5.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2624	mirc702.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2984	2004	38454c27a3c8fc048aff87627514b2ef.exe	21
PID 2004 wrote to memory of 2984	2004	38454c27a3c8fc048aff87627514b2ef.exe	21
PID 2004 wrote to memory of 2984	2004	38454c27a3c8fc048aff87627514b2ef.exe	21
PID 2004 wrote to memory of 2984	2004	38454c27a3c8fc048aff87627514b2ef.exe	21
PID 2004 wrote to memory of 2980	2004	38454c27a3c8fc048aff87627514b2ef.exe	20
PID 2004 wrote to memory of 2980	2004	38454c27a3c8fc048aff87627514b2ef.exe	20
PID 2004 wrote to memory of 2980	2004	38454c27a3c8fc048aff87627514b2ef.exe	20
PID 2004 wrote to memory of 2980	2004	38454c27a3c8fc048aff87627514b2ef.exe	20
PID 2984 wrote to memory of 2624	2984	mirc702.exe	19
PID 2984 wrote to memory of 2624	2984	mirc702.exe	19
PID 2984 wrote to memory of 2624	2984	mirc702.exe	19
PID 2984 wrote to memory of 2624	2984	mirc702.exe	19

C:\Users\Admin\AppData\Local\Temp\38454c27a3c8fc048aff87627514b2ef.exe
"C:\Users\Admin\AppData\Local\Temp\38454c27a3c8fc048aff87627514b2ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\new.exe
  "C:\Users\Admin\AppData\Local\new.exe"
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Users\Admin\AppData\Local\mirc702.exe
  "C:\Users\Admin\AppData\Local\mirc702.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2984

C:\Users\Admin\AppData\Local\Temp\mirc702.exe
"C:\Users\Admin\AppData\Local\Temp\mirc702.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mirc702.exe

Filesize
23KB

MD5
e47c940a19a229951bd62f797d2ee657

SHA1
8db1201848dfa5ad20fb1205f47949fc11f244e4

SHA256
286c0db912123c8b77d806f31a87344800a69315004dcf9a9b2544882dc4089d

SHA512
c5ac728671f3bbb16c0c52d5351a24beaf69dd881836944a68998b0783212f0140b5f9309eb768c56958cdb9db2edfc096a4a25dfb02033a89d36a3fa0bf14a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mirc702.exe

Filesize
63KB

MD5
506ffd5754dd26aee0fc0196aa54781c

SHA1
aff4cda819ae09193f2f58a060f170f7ac15688c

SHA256
dd2065dd30a9c7b7c0eee1939fab56900eb814e0c08a1b59ab142f5f0efe8e2d

SHA512
5aaf7c3830d94a449c0c549b8d6fdb6525a9247e1f0a32631794127defc5794bb91d668d48ec15e81b62c70b2429d1e714662e9e4f028a554de9382a87452ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseE3DC.tmp\ioSpecial.ini

Filesize
686B

MD5
abbfe6bcec2db75154882338bbc0cad9

SHA1
f4acd138a1a44b32fb63c43557e349745116e9ca

SHA256
2b7937bff2c5ff0be3a5c2defc17d62068b197d7ead3d746c446f9c29b3741a5

SHA512
c96cb9a936ff613f38098bd20d09bd4f62b9911af8a7831852512b7924fc21949e952d9c32f5fcef65849e61df7e974496e9921543b014265f3149ca056a64c9

Download Submit
C:\Users\Admin\AppData\Local\mirc702.exe

Filesize
29KB

MD5
279f581acf86eca0fc9a23f760a2c16d

SHA1
79db1d8be418a38b2630c330017f3e8c3b533079

SHA256
9253185dddf65046a4051848cd83a5ce8bcbd7abe4afd926cb396579ba8bb4ef

SHA512
7bd4176325c1605cb1a772e81e70bae8fe670d07e7fbb1c0bdd3eee19356c3dbc27385bb13ce202bbb0d21fba24c5f7518bf2a7bd96b3bf48d896ad5df86cb27

Download Submit
C:\Users\Admin\AppData\Local\mirc702.exe

Filesize
68KB

MD5
1911216fa4dcc1415e3de5a6aaa1c732

SHA1
96b90d3c44ff39eba2a12e251cbed0a0c1632fcd

SHA256
79594cf53e1f9cbaabff77db911ac8b8f499f6508a04e66f2b7943e71e8bd6a6

SHA512
63378b679a79418737dfe16579be5660ce41e59b20e51f6cc0f802e97cbeef4922c4507cee593c5f1dcab4308357855f2da7a2e6e66add767080fa6244906bb3

Download Submit
C:\Users\Admin\AppData\Local\new.exe

Filesize
44KB

MD5
7ac61540484ba3a13860013db3b2c509

SHA1
9b1d2a9f0190619591e956b7f5c996278e57bb4f

SHA256
c9625d10ce553de41c4e62f2cf5155b5d081ec9c97d731611e2fcdd3bc33bd2b

SHA512
bbb5495f8f853381075ae0cd1dc9b349c336251db888e00655929d5c88e8680672ce0173a8da76acada44a3ceef8f0b205a01a3af9b019b04ef1efb4bf223999

Download Submit
C:\Users\Admin\AppData\Local\new.exe

Filesize
32KB

MD5
193e5a02fb90bb93252c77c8132f9afb

SHA1
781b71c09f9e156643157ce95dc200a4d87f1e52

SHA256
560f558c11b62e0b8656a2403f6a2c30ecc25d06a16eb8d15b7b3d18b6d92700

SHA512
6b555183f8f9a3468a7d0fe007cec80317db2913f53aef2992ebdd7fb302daed97d25ab6d968f0aac96930ab3e7bfa4a6e009e99043f663dbbec9892a0142f0d

Download Submit
\Users\Admin\AppData\Local\Temp\mirc702.exe

Filesize
106KB

MD5
ac515cd3d603ccdc768c89a01000821f

SHA1
109810d71f5ec0985394dbff04cc55d9e09e424e

SHA256
1bd16e2c1444866f36ac351dc0047e603e8daab77ab7e1142a8dc6838b4a4576

SHA512
3b994eafa816926708446c0ac7288a3593e8d2dd785f46108233342feb6321a02b496ae90da6880f8ae2ee470f397d77d6115432b7996cc099c0eeadcc077588

Download Submit
\Users\Admin\AppData\Local\Temp\nseE3DC.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
\Users\Admin\AppData\Local\Temp\nseE3DC.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
\Users\Admin\AppData\Local\Temp\nseE3DC.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseE3DC.tmp\UAC.dll

Filesize
17KB

MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
\Users\Admin\AppData\Local\Temp\nseE3DC.tmp\mIRC.dll

Filesize
30KB

MD5
b613862ee5e3f0bd9f16595531d4de33

SHA1
79306cdcd1c1c892ae6dc420174dc0d780861000

SHA256
55cbdb858ca86ac5e4684779702ce958423ef93755b1bdabcb33def1355a0118

SHA512
7b25b7eb4d6a55c7f3ce56cf69df6b8e12c8655a7433238ac0b31adb722c25891e9c06dba09a56016096ed05d1f29e50538fdb2e4014d17ef3697dbbd7bfd9d3

Download Submit
\Users\Admin\AppData\Local\mirc702.exe

Filesize
44KB

MD5
9c4784ba0a3590a65a75a3045ced4099

SHA1
c8da08e34b3f12dd5b31bad94725e3ff3fe8b2a6

SHA256
617a3fe4edca02be5fecc28d525f7dfffbff6955c2c9a87f369b5c85ee64a102

SHA512
79b5f3e73279d38e387f9cecce997e300b085b6f802d6af3c692ba0e8f46e986ad27b96725ff0e73039d63bf8cf121898bad53cea1095998278d63f112e4e56a

Download Submit
\Users\Admin\AppData\Local\new.exe

Filesize
31KB

MD5
28cd434f04ebbdf04275c7c822a8426b

SHA1
7eccc91ddabc573d412aa06d2d9ff923b1d7722a

SHA256
f36548baa37bdafbe989edab1247237a0d0cdae55756578257e49fe01cf0c304

SHA512
b300c2e96b92adf3b460970da8e065471a1e948199d890a30533dbe0594eb7fe82d0169485974b295bac9a11220927793c5ea9df18146fba5ebc7b0b8af6ce48

Download Submit
\Users\Admin\AppData\Local\new.exe

Filesize
9KB

MD5
9f449fda5202e508e9679fab9f625a54

SHA1
af5e959dfd05b60662688e7af3651ac9ab52c319

SHA256
6fa2728777943fd1fb82aa1de2e80fa2c6bfd7aedf73edede9db801ed52df929

SHA512
7f4385777bb3b6bcc6015f1d379df5e99abc3434025ea1c5b083c6577feb8692799336ce5787b2d8f308d4713623294f187939449f24a983a27739719ad7451b

Download Submit
memory/2004-15-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/2980-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download