71f8557e598ab77112e5a7f42db238a5b1117bdd50d195bab4b91b499c1358db

Analysis

max time kernel
165s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38454c27a3c8fc048aff87627514b2ef.exe
Size

2.0MB
MD5

38454c27a3c8fc048aff87627514b2ef
SHA1

50ef637c237cc888734c9867d395c83d32d4bc5b
SHA256

71f8557e598ab77112e5a7f42db238a5b1117bdd50d195bab4b91b499c1358db
SHA512

5b5ffde003f0376505ac1faec60943b1a5a66690e4ec251e86b4926c633fb6fd4f892cff23e037b5412970f96bbd60aac7971b9c280ccc6cb0482341397cd320
SSDEEP

49152:2UO5XqloWiZGuTBnak2o5RMfjsTXDRm0a/sVdrhb1FCl+vzXi9V7Y:vuKoWiZGuTokR5RMek9/srr1n+Y

Score

7^/10

evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	38454c27a3c8fc048aff87627514b2ef.exe

Executes dropped EXE 3 IoCs

pid	Process
4592	mirc702.exe
4556	new.exe
2308	mirc702.exe

Loads dropped DLL 8 IoCs

pid	Process
2308	mirc702.exe
2308	mirc702.exe
2308	mirc702.exe
2308	mirc702.exe
2308	mirc702.exe
2308	mirc702.exe
2308	mirc702.exe
2308	mirc702.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mirc702.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000001e0ce-5.dat	nsis_installer_1
behavioral2/files/0x000600000001e0ce-5.dat	nsis_installer_2
behavioral2/files/0x000400000001e7e3-24.dat	nsis_installer_1
behavioral2/files/0x000400000001e7e3-24.dat	nsis_installer_2

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 4592	1064	38454c27a3c8fc048aff87627514b2ef.exe	93
PID 1064 wrote to memory of 4592	1064	38454c27a3c8fc048aff87627514b2ef.exe	93
PID 1064 wrote to memory of 4592	1064	38454c27a3c8fc048aff87627514b2ef.exe	93
PID 1064 wrote to memory of 4556	1064	38454c27a3c8fc048aff87627514b2ef.exe	94
PID 1064 wrote to memory of 4556	1064	38454c27a3c8fc048aff87627514b2ef.exe	94
PID 1064 wrote to memory of 4556	1064	38454c27a3c8fc048aff87627514b2ef.exe	94
PID 4592 wrote to memory of 2308	4592	mirc702.exe	95
PID 4592 wrote to memory of 2308	4592	mirc702.exe	95
PID 4592 wrote to memory of 2308	4592	mirc702.exe	95

C:\Users\Admin\AppData\Local\Temp\38454c27a3c8fc048aff87627514b2ef.exe
"C:\Users\Admin\AppData\Local\Temp\38454c27a3c8fc048aff87627514b2ef.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\mirc702.exe
  "C:\Users\Admin\AppData\Local\mirc702.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\mirc702.exe
    "C:\Users\Admin\AppData\Local\Temp\mirc702.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    PID:2308
- C:\Users\Admin\AppData\Local\new.exe
  "C:\Users\Admin\AppData\Local\new.exe"
  2⤵
  - Executes dropped EXE
  PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mirc702.exe

Filesize
1.7MB

MD5
952a3a92cb412e9674d4ea5c8d81e1da

SHA1
297d3f53ac26851ad925dfc26cf625074cb352d2

SHA256
30292fa7e983d4aef845273d7c5c4eba039f4949a8cdb385558393aef2fbda08

SHA512
2e4c0de7281cdab5e97b10777df549baf161ee04850303af1ebfd0f0022b30c1932baf985f83adcdfb427451a5788e56e6ee154dabf4a1fdbf6335869bad4def

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3CD7.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3CD7.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3CD7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3CD7.tmp\UAC.dll

Filesize
17KB

MD5
88ad3fd90fc52ac3ee0441a38400a384

SHA1
08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

SHA256
e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

SHA512
359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3CD7.tmp\ioSpecial.ini

Filesize
686B

MD5
afad645720a52e54aaaca319588936cc

SHA1
f6234232915249594fb01ee8afa5924291559399

SHA256
cd2283f384b90c5ac732c05bd75146c81cceaddffec4a18116b8b795934e59cd

SHA512
682b2809636e5a918181ccc9159f4e4902cc42d98d4e68fa1a778c1e6c0415c1c093dd62f4c59460c70e92ac4f48b560ecae972d92c3ee64e86ac4e1833aecec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3CD7.tmp\mIRC.dll

Filesize
30KB

MD5
b613862ee5e3f0bd9f16595531d4de33

SHA1
79306cdcd1c1c892ae6dc420174dc0d780861000

SHA256
55cbdb858ca86ac5e4684779702ce958423ef93755b1bdabcb33def1355a0118

SHA512
7b25b7eb4d6a55c7f3ce56cf69df6b8e12c8655a7433238ac0b31adb722c25891e9c06dba09a56016096ed05d1f29e50538fdb2e4014d17ef3697dbbd7bfd9d3

Download Submit
C:\Users\Admin\AppData\Local\mirc702.exe

Filesize
1.8MB

MD5
a776b5e633a401acfc53a3dab01da963

SHA1
0426262addab8691bceb13da76fd391da926a5d4

SHA256
5bec349f25c93825bb36af7117a881175ab7a56d633f104f719e96e0d21401c1

SHA512
79ebc77e24f4883a13d021bef9318ad09b9562b11d6d4630af483dd353c474607d3ca38f099186a4c31751dec1381da24fe2c7212333f2318c8e343e11b37ce4

Download Submit
C:\Users\Admin\AppData\Local\new.exe

Filesize
143KB

MD5
30fadfd7d990bf3afcc6d7f5edd7968b

SHA1
3fcd942c61882afb3fc0263200357c73cd6a804f

SHA256
a46acc938b658fb96acb9187a1d316662ffc55981311bdbfa13d87436c2e4060

SHA512
11e8e164370082a6f05bc83b7d2037eae921f7e6a6bd2a0178f976da4ef81c4be7a389716ddf0acc147a2e1c966a96648e8890c41bd1d5de6c361002c76b4c36

Download Submit
memory/1064-3-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/1064-20-0x0000000000400000-0x0000000000605000-memory.dmp

Filesize
2.0MB

Download
memory/4556-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads