Analysis Overview
SHA256
9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97
Threat Level: Known bad
The file 9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in System32 directory
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-06 23:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-06 23:48
Reported
2024-04-06 23:51
Platform
win7-20240220-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97.exe
"C:\Users\Admin\AppData\Local\Temp\9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97.exe"
Network
Files
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
| Hash | Value |
| --- | --- |
| MD5 | 5573f96d3c23968606c258194af6a404 |
| SHA1 | 8f3cd3cc90c3096970527916efc0362bcff6aff7 |
| SHA256 | 8d709e1645f67414684acbadcfd4730580978c9379a2fd8a65d2e7da14f5e12e |
| SHA512 | 9832e51387d6a0b1015d18e53d20a636d6f3e8bc4fd2a6dd014e5e697e3df4edd8e60112ed8e50cdba6f03eb6c5a77d091f6b8cec598538c2fe6bb1771de57af |
C:\Windows\SysWOW64\DC++ Share\RCX30F2.tmp
| Hash | Value |
| --- | --- |
| MD5 | b126345317624479f78fbf30b3a1fe5a |
| SHA1 | 655c966bf7bbf96ee49c83062d30b9dba17d693c |
| SHA256 | 8723d2d97d52f6d3b63968594c93bf2c5b5300b306c9670be4616cb134964301 |
| SHA512 | d0be6d608b5f4e482287d16e6587e00be1b4390f78efc3ce63008f99be7358e65f0eef9eba330d845462b64fa7a86cc3f1395b863ad0f8d01c0b790fc2f4c02d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-06 23:48
Reported
2024-04-06 23:51
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97.exe
"C:\Users\Admin\AppData\Local\Temp\9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97.exe"
Network
Files
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
| Hash | Value |
| --- | --- |
| MD5 | 47dc7504950387f4e79683a4d3d66582 |
| SHA1 | 893aa80b56b18ec0f7e761e4254abd0be33cd9c0 |
| SHA256 | 9e40220b080bb8b72d4d428b2aaaf1ad1aa76db501a0bf26f18fe74187b12f97 |
| SHA512 | 4cfc1e1e0b0670fafedc579d54dd1eb7967c312f012d756e70fa98b3e2147751e3b6b1e981d393a76c9dfde44ea3d99f1139a2bd510a14c3da2e7cb8918896ad |
C:\Windows\SysWOW64\DC++ Share\idlj.exe
| Hash | Value |
| --- | --- |
| MD5 | c8151ca3b753ec2b564b2d2be6139514 |
| SHA1 | 576c56d335b3fae08668b6028ac7356ae4c3ed44 |
| SHA256 | 2974520e375c0d58661ac6ca68bdae5a86b8a365846fe32f4843328b47dc44f8 |
| SHA512 | a901d5c70ec8fba0e7c7fbfcc2c51c39c4b53104a9d0f73277f6bc0834631f25af5a3fde4874778545b5a5896dcbdb5a957e524d091d15ab8fb4dea4d136fba0 |