Analysis Overview
SHA256
9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5
Threat Level: Known bad
The file 9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:44
Reported
2024-04-06 23:46
Platform
win7-20240221-en
Max time kernel
138s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe | N/A |
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe
"C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe"
Network
Files
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
| MD5 | 22a114976f0d97cd1bf3fa74823a0fc2 |
| SHA1 | a91087aee60687e884ad656e7f92a711322b1eed |
| SHA256 | 9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5 |
| SHA512 | 2a14bef3a60635c686c4cafff434eb4e676379a287bf7ba7144ccb9694069f26cb1123cb8d4c4ad194d585b057f8e81dbc012f7a4cd2b62bb06e6999fbc7d860 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:44
Reported
2024-04-06 23:46
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe | N/A |
Drops file in System32 directory
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe
"C:\Users\Admin\AppData\Local\Temp\9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uk.undernet.org | udp |
| US | 8.8.8.8:53 | uk | udp |
| US | 8.8.8.8:53 | uk | udp |
| US | 8.8.8.8:53 | eu | udp |
| US | 8.8.8.8:53 | eu.pipe.aria.microsoft.com | udp |
| IE | 20.50.80.210:6667 | eu.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | eu.pipe.aria.microsoft.com | udp |
| NL | 13.69.116.108:6667 | eu.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | uk.undernet.org | udp |
| US | 8.8.8.8:53 | uk | udp |
| US | 8.8.8.8:53 | uk | udp |
| US | 8.8.8.8:53 | eu | udp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
| MD5 | 22a114976f0d97cd1bf3fa74823a0fc2 |
| SHA1 | a91087aee60687e884ad656e7f92a711322b1eed |
| SHA256 | 9c1567c83e424c00cf68579faa920439c11686157a8c6c7012c63f9ab6aaaab5 |
| SHA512 | 2a14bef3a60635c686c4cafff434eb4e676379a287bf7ba7144ccb9694069f26cb1123cb8d4c4ad194d585b057f8e81dbc012f7a4cd2b62bb06e6999fbc7d860 |
C:\Windows\SysWOW64\DC++ Share\idlj.exe
| MD5 | 19890d3505493f25b3d707e3c1f5cdd8 |
| SHA1 | 91b17f5f69604d1522eea683bc901eee625f7121 |
| SHA256 | 7ca651ab5b869d764be6e08ab1ae589a1f634f46b3049605413c45f934aefaf5 |
| SHA512 | 2a4b93a13cf6ec7ed28e81d73290a683d31830486c8cff10120bf21bbf0ca36e2a01a43ad0507f6c4455095b87cce88ddaa4b2630fb8f165ebc6838252375a9e |