Analysis Overview
SHA256
0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78
Threat Level: Known bad
The file 0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Drops file in System32 directory
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 18:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 18:34
Reported
2024-04-07 18:37
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
133s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78.exe
"C:\Users\Admin\AppData\Local\Temp\0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uk.undernet.org | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uk.undernet.org | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uk.undernet.org | udp |
| US | 8.8.8.8:53 | uk.undernet.org | udp |
Files
C:\Windows\SysWOW64\xdccPrograms\7zFM.exe
| Hash | Value |
|---|---|
| MD5 | 5d3742158bc380256efdc65b815e71bf |
| SHA1 | 1c36c27749e5cf272a5f5b2cdacb7f422b0c6494 |
| SHA256 | 0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78 |
| SHA512 | c1bbe7f169e2f5fba3698433a210fdf5e5f463e041ba1d805eb8b5a8ba7bae1b58d6b72166637285a5e94efd2526e48ceb2708147da21b920dc9b5e7ee8f6156 |
memory/720-16-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Windows\SysWOW64\DC++ Share\RCXBF69.tmp
| Hash | Value |
|---|---|
| MD5 | 6254099ef9ad7f739f50d65903937255 |
| SHA1 | b13870e37d62a929ea8ce0c6213476f2a57fa3c0 |
| SHA256 | cdd2cfe0f5bf927556acc79333f9423c1690d0e50656aea0457ceaf4b2b17a1f |
| SHA512 | f36b68d03e4b539490455a4f43e6dfd74a82e2ab247027f7ca2bb467221ea57d476f5fb6f26dab27a749359a537a09a42f8569386442d308f8a34632422733f4 |
memory/720-86-0x0000000000400000-0x0000000000425000-memory.dmp
memory/720-87-0x0000000000400000-0x0000000000425000-memory.dmp
memory/720-88-0x0000000000400000-0x0000000000425000-memory.dmp
memory/720-94-0x0000000000400000-0x0000000000425000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 18:34
Reported
2024-04-07 18:37
Platform
win7-20240220-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe sIRC4.exe" | C:\Users\Admin\AppData\Local\Temp\0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78.exe | N/A |
Drops file in System32 directory
Processes
C:\Users\Admin\AppData\Local\Temp\0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78.exe
"C:\Users\Admin\AppData\Local\Temp\0d8ab77c7504889559b5e24169dc233892710d2ff2f8f59de4335d157598ba78.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | uk.undernet.org | udp |
Files
C:\Windows\SysWOW64\xdccPrograms\7zG.exe
| Hash | Value |
|---|---|
| MD5 | 0c4d68c3b0866e1b9b72cb94ba3d9fd5 |
| SHA1 | 22947a3bb20edbb2a32ec4372abcab2039a0e25c |
| SHA256 | 707406135141420e979faec83106961e96f8d0972be374ceb203936aa8d0ccbe |
| SHA512 | 71f02966ad41d99c64863960cd20ba555cfac139b567b58c062d73719867fa2f7e60f6f259d32b6ee3622183bc56f9ea8336ec13f7715d25f42b9b87c04f6ca9 |
memory/1640-84-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1640-85-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1640-91-0x0000000000400000-0x0000000000425000-memory.dmp