Analysis Overview
SHA256
6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4
Threat Level: Known bad
The file 6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 22:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 22:08
Reported
2024-04-06 22:11
Platform
win10v2004-20240226-en
Max time kernel
199s
Max time network
204s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe | N/A |
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe
"C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.203.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\xdccPrograms\7z.exe
| MD5 | 92976b31ca7336df8c3d5bbb4b133e54 |
| SHA1 | f43d4c80f8897f3d59f10aaf51bdf3b2b0cffc94 |
| SHA256 | 24bdf9e06a65cda1507e664461a12b8bc9a33951963c52c98a0ebc540a23a620 |
| SHA512 | 194efa414ecc455d5ca56606d557ccebe6298b4001e6bb8823576fdbcbcdcf06c2e7e338346f687fc319371014c9054443ae5af9f2548ef814a49ec15e903a23 |
C:\Windows\SysWOW64\DC++ Share\RCX5992.tmp
| MD5 | ffe62649cbbdc2c74ee3961eed9378aa |
| SHA1 | 8d4c1dc8fc6ba6898dd559f6ed2d1469a61fe243 |
| SHA256 | 207e92bbc717799a25106e1f2bb8ff5a96e55584c27fcf9a7d985979880163ba |
| SHA512 | fd2b4dda8ec57962ed2de8ebe33b8c514191237bcbe34262f72e07d0c78ee652b39a3204318ad26658f1bb043aad073f02637db75791b97121c6c514614431d5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 22:08
Reported
2024-04-06 22:10
Platform
win7-20240220-en
Max time kernel
144s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe | N/A |
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe
"C:\Users\Admin\AppData\Local\Temp\6e587595ff48a59b6693efa740118d080addbe4bf97625d7c23507caf744c9c4.exe"
Network
Files
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
| MD5 | a3cf5226334f832e4e923895b4b1dc78 |
| SHA1 | 9b11246e3220110b1f76a7881dd0cbe442047b31 |
| SHA256 | 0616ede66ac8698ae3fe6b21f7bd39b8ec9c65bd4baf184c16a032ca23ba8084 |
| SHA512 | 598544955ea4185fd5bea48788250f112d12e1881ed5276c07752e837c4663a428e9453fb89f0e81aa70757e1697ce03b96337fdb67cdae885167230e9c876b1 |
C:\Windows\SysWOW64\DC++ Share\RCX140F.tmp
| MD5 | 4d98dcee1bfaee6b1e48efad371af4b8 |
| SHA1 | dfaf735d8c50c621ef974f9b3f27d85ed24c649d |
| SHA256 | e9fbec5209aa746c6e2a8044172133668eaad214371617ab0dcbc3787b4892b8 |
| SHA512 | 19c4fdab3737e58a8a778ca5514db7e85cc1c15080644707b9e345ea5a4f2ed43891fc994b059adb2ea74e4737e5c25cc2285a6392fd2ecf355197712f312897 |