6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd

General

Target

6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
Size

390KB
MD5

445d1d2683ebbd04e4e537251dc37cbc
SHA1

d01c7bf821ee6d8ac071eff8380dc1cfd980a7bf
SHA256

6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd
SHA512

b06b99e133944701f418a7d7281d6b61a41c285343694d0a0fb316132a5a500ebe8a59b57f7d52b790f4a2a3751df1c76adcf622ef5b5451f6f393a7a6df2416
SSDEEP

6144:oA6e1x61iBa0ZBJed/0jURl+LDI7xqzM0vIrMgi7NhrWAU7/feMwdOc3NUDc3WX:ew61ybe90jqlQ4rMvYHzfJw+Dc3WX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7z.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe

C:\Users\Admin\AppData\Local\Temp\6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe
"C:\Users\Admin\AppData\Local\Temp\6ea11665c757552aa848e8b2858823962bc98ea7e196e8b393355021c87f60bd.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zFM.exe

Filesize
930KB

MD5
91df03cc2c0b6a77321e42ad8ce78941

SHA1
f7c57d5fc9794d1becfc0ea2e7d2749216d0daa2

SHA256
0e4b804d4e1ab108e738cc0eab0e70f5fc798859158d2b73a1b73601cd7879ac

SHA512
27c9e2e719464b6074b97fe209bb431ee1eece06e200541d51f4fb1b04cab915727b8e038cfb6e8f81fb6032fde4b5b064c36eeee0758bf874fc26aa7f057bde

Download Submit
memory/212-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/212-33-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads