69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5f

General

Target

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
Size

556KB
MD5

9fefe35d65820c2497e69ee0b90476e0
SHA1

f947a9823278e5994eba680d9395f733158d4300
SHA256

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5f
SHA512

edcd65be296d1b033889c35d01e36f9cd51264e50016d0e96e61fa7ace500577aeca4c63a4fe2d551539670a527eb937ca28d55782694b9af0903b0e67a8c0a6
SSDEEP

12288:51bHV9kkPX5kAaA2od1sx/9o1BykhXAXxpsVZi0Ee/Y7lspVPgFSHSuxHE:51b1NX5kAaQd1s/oykihpsVcRe/GIVEb

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe"	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

Drops file in System32 directory 20 IoCs

Processes:

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\xdccPrograms\MavInject32.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\appvcleaner.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\InspectorOfficeGadget.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\IntegratedOffice.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\sIRC4.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7z.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\7zFM.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\DC++ Share\OfficeC2RClient.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\sIRC4.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File opened for modification	C:\Windows\SysWOW64\xdccPrograms\7zG.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\Uninstall.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
File created	C:\Windows\SysWOW64\xdccPrograms\AppVShNotify.exe	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe

C:\Users\Admin\AppData\Local\Temp\69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe
"C:\Users\Admin\AppData\Local\Temp\69904793bd64c78325ea3568c01937266f4219e039bb7946d7132bfaf4afac5fN.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xdccPrograms\7zG.exe

Filesize
683KB

MD5
eceb576bb00904a2d2b590d188ee094e

SHA1
94863678bf2087dcf2ca883ef40f1fd27625c3d2

SHA256
e05ac20bb80259d83223f2b4f36d937642c0f9b2975e7a0fab2f2a65d8041fd0

SHA512
6d957a87423ad7f442660bd58bd6cd341101df9da27e5b10ca77c36b8fe3882450dc0664414d24184f8932a26070ef71d5180d0fc57fc02921339bfa79ba8248

Download Submit
memory/780-19-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-21-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-23-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/780-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads