bd596b7c49cb63c8b73a815c4eceb0149ccaee34d124dc9cf5e5c5304dde7a5f

Analysis

max time kernel
77s
max time network
20s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mirc.exe
Size

3.1MB
MD5

912dfaee60f144853a33231688312686
SHA1

5e6c5a2c8860fb74d34ed1e6208f78d731f34ef9
SHA256

13a73d14f028af648394002fc483a60c4f93beaf55eecfcdbc5364331b7dd5e0
SHA512

3d9ccf47dba83b484dea530f730bc30b044d92dec0f50469f11726af1fa964613c6231fdfa3cd4039cbee723c53188d630a069be9741347b06c05e5b2a53b858
SSDEEP

49152:JjfkX4IMjEzU//67yweAk5HPdug0TVxNYRf:Jg4IMZ+ywOPduTnYt

Score

7^/10

evasion

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine\Debug	mirc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc	mirc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\ = "URL:IRC Protocol"	mirc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\EditFlags = 02000000	mirc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\URL Protocol	mirc.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\Shell	mirc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\Shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mirc.exe\" %1"	mirc.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\DefaultIcon	mirc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mirc.exe\""	mirc.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\Shell\open\command	mirc.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\irc\Shell\open	mirc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1048	mirc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1048	mirc.exe
1048	mirc.exe

C:\Users\Admin\AppData\Local\Temp\mirc.exe
"C:\Users\Admin\AppData\Local\Temp\mirc.exe"
1⤵
- Identifies Wine through registry keys
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads