Analysis Overview
SHA256
65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf
Threat Level: Known bad
The file 65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in System32 directory
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 21:48
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 21:48
Reported
2024-04-06 21:50
Platform
win7-20240221-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe
"C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | uk.undernet.org | udp |
Files
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
| MD5 | ea92e20edf2dd029e4a5b147bafc01ed |
| SHA1 | 668c0f969455cf876c36513d519bf25c2a9798a7 |
| SHA256 | b1905944bb3c5120b4fe434fb2815218307a20e5bb184f6be97baaf0fe901ce3 |
| SHA512 | 1a91e798e2d4e14dfcaed6310a677d54456898149e51eaa7f1bd5ac8fb6b3de152e990250fd4c7cc176b14820989b4f2875104dbd99a09ce4609034102c47992 |
memory/2776-30-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2776-31-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2776-32-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Windows\SysWOW64\DC++ Share\RCXEBB8.tmp
| MD5 | 6254099ef9ad7f739f50d65903937255 |
| SHA1 | b13870e37d62a929ea8ce0c6213476f2a57fa3c0 |
| SHA256 | cdd2cfe0f5bf927556acc79333f9423c1690d0e50656aea0457ceaf4b2b17a1f |
| SHA512 | f36b68d03e4b539490455a4f43e6dfd74a82e2ab247027f7ca2bb467221ea57d476f5fb6f26dab27a749359a537a09a42f8569386442d308f8a34632422733f4 |
memory/2776-109-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2776-110-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2776-111-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2776-112-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2776-113-0x0000000000400000-0x0000000000425000-memory.dmp
memory/2776-119-0x0000000000400000-0x0000000000425000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 21:48
Reported
2024-04-06 21:51
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe | N/A |
Drops file in System32 directory
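Both behavioral runs record the same two actions: a string write to the Winlogon Shell value that appends sIRC4.exe after Explorer.exe (MITRE ATT&CK T1547.004, Winlogon Helper DLL), and file creation under C:\Windows\SysWOW64 by a process running from the user's Temp directory. Note that in both runs the write lands under Wow6432Node, the 32-bit redirected view; on 64-bit Windows the 64-bit winlogon.exe reads the native key, so the sandbox's "persistence" label describes the intent rather than a confirmed autostart on that platform. The following detector is an added example, not part of the sandbox report or of the sample: it runs over a handful of constructed Sysmon-style records (Event ID 13, registry value set; Event ID 11, file create) modelled on the indicators above, flags any Shell value that contains anything besides explorer.exe, reports whether the write went through the Wow6432Node view, and flags System32/SysWOW64 drops from images outside C:\Windows. The field names follow Sysmon's schema; the events themselves are made up.

```python
"""Detect Winlogon Shell tampering and System32/SysWOW64 drops in Sysmon-style events.

Added example: the records below are constructed for illustration and
modelled on the behavioral1/behavioral2 indicators; they are not real telemetry.
"""
import re
from typing import Dict, Iterable, List, Optional

# Matches both the Sysmon (HKLM\...) and the native (\REGISTRY\MACHINE\...) spelling
# of the Winlogon Shell value, in either the native or the Wow6432Node view.
WINLOGON_SHELL = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM)\\SOFTWARE\\(Wow6432Node\\)?"
    r"Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$",
    re.IGNORECASE,
)

# Directories where an unexpected file drop is worth an alert (lower-case, trailing slash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events (not real logs), mirroring the report's indicators.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: a Windows component writing the default shell value
        "EventID": "13",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": "explorer.exe",
    },
    {   # the report's indicator: a second binary appended to the Shell value
        "EventID": "13",
        "Image": r"C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe",
        "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": "Explorer.exe sIRC4.exe",
    },
    {   # the report's dropped file under SysWOW64, written from the user's Temp directory
        "EventID": "11",
        "Image": r"C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe",
        "TargetFilename": r"C:\Windows\SysWOW64\xdccPrograms\7zFM.exe",
    },
    {   # benign: a system binary writing into System32 is expected and not flagged
        "EventID": "11",
        "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
        "TargetFilename": r"C:\Windows\System32\example.dll",
    },
]


def check_winlogon_shell(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag a Winlogon Shell value that launches anything besides explorer.exe."""
    if event.get("EventID") != "13":
        return None
    match = WINLOGON_SHELL.match(event.get("TargetObject", ""))
    if not match:
        return None
    # Shell is a space-separated list of programs; strip any quoting first.
    tokens = event.get("Details", "").replace('"', "").split()
    extra = [t for t in tokens if t.lower() != "explorer.exe"]
    if not extra:
        return None
    return {
        "rule": "winlogon_shell_modified",
        "image": event.get("Image", ""),
        "extra_shell_entries": extra,
        # True when the write went through the 32-bit redirected view, which
        # 64-bit winlogon.exe does not read.
        "wow64_view": match.group(1) is not None,
    }


def check_system_dir_drop(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Flag file creation in System32/SysWOW64 by an image outside C:\\Windows."""
    if event.get("EventID") != "11":
        return None
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    if not target.startswith(SYSTEM_DIRS):
        return None
    if image.startswith("c:\\windows\\"):
        return None  # OS components are expected to write here
    return {
        "rule": "system_dir_drop_from_user_path",
        "image": event.get("Image", ""),
        "target": event.get("TargetFilename", ""),
    }


def scan(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every check over every event and collect the findings in order."""
    findings: List[Dict[str, object]] = []
    for event in events:
        for check in (check_winlogon_shell, check_system_dir_drop):
            hit = check(event)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the scan returns exactly two findings: the Shell write with `sIRC4.exe` as the extra entry and `wow64_view` set, and the 7zFM.exe drop into SysWOW64. The Shell check tokenises on whitespace, so a legitimate shell whose path contains spaces would also be flagged; in production, compare against an allow-list of full values rather than a single token.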
Processes
C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe
"C:\Users\Admin\AppData\Local\Temp\65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
| MD5 | 8605dbcecf23003f4e250bdcbb9623c0 |
| SHA1 | 7f4435a25c869625c30e0c3faa0f1211b4ccd3a9 |
| SHA256 | 65d85b73ffdd29950e4df554ab009c26a649af59bf4d14c0db2b17ce7a8f2ecf |
| SHA512 | c3bd9a679372dc31c3bbf11005f757699d2a60d4b4e07b15355729ca54dced8d178fa3e35189a2b30e124dad8101832aa5c8ecc653ca3014d706cb0319a1b5b1 |
memory/680-8-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-20-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-25-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-42-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-57-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Windows\SysWOW64\DC++ Share\RCX3DE1.tmp
| MD5 | 6254099ef9ad7f739f50d65903937255 |
| SHA1 | b13870e37d62a929ea8ce0c6213476f2a57fa3c0 |
| SHA256 | cdd2cfe0f5bf927556acc79333f9423c1690d0e50656aea0457ceaf4b2b17a1f |
| SHA512 | f36b68d03e4b539490455a4f43e6dfd74a82e2ab247027f7ca2bb467221ea57d476f5fb6f26dab27a749359a537a09a42f8569386442d308f8a34632422733f4 |
memory/680-107-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-108-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-109-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-111-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-112-0x0000000000400000-0x0000000000425000-memory.dmp
memory/680-114-0x0000000000400000-0x0000000000425000-memory.dmp