ca81d13c6064c5c175d0e44d73491e02e48c1a7a6ea10e414692ab827cc4430c

General

Target

attachment.pif.exe
Size

21KB
MD5

d2c7cd3140152b1eb684aa028f96957a
SHA1

fa501db500a93791eb6800bac3ed3cfedb3ab97e
SHA256

0b4abb1352622d7003e7bda97ef3a6f66d999297ed1918709be5e69b52fa7f01
SHA512

19404d48482e03860729aae3592c31b7128a294443370302dce1ad8efb15d336ec957eb2866f56e5af0a5ead2e1e216cf653c47a5a559dcc957fd1e3fa063ab6

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

attachment.pif.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	attachment.pif.exe

Drops file in Program Files directory 64 IoCs

Processes:

attachment.pif.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Winamp 5.0 (en) Crack.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\WinRAR.v.3.2.and.key.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\Winamp 5.0 (en) Crack.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\index.exe	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\Winamp 5.0 (en) Crack.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\index.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Kazaa Lite.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\Winamp 5.0 (en).ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\WinRAR.v.3.2.and.key.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\Winamp 5.0 (en).com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\Winamp 5.0 (en) Crack.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\ICQ 4 Lite.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\WinRAR.v.3.2.and.key.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\Kazaa Lite.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\Harry Potter.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\index.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\Winamp 5.0 (en) Crack.exe	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\Harry Potter.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Kazaa Lite.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\Winamp 5.0 (en) Crack.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\index.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\Harry Potter.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\Winamp 5.0 (en).ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ICQ 4 Lite.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\index.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Harry Potter.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\Kazaa Lite.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\Harry Potter.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Winamp 5.0 (en) Crack.exe	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\WinRAR.v.3.2.and.key.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\index.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\Harry Potter.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\ICQ 4 Lite.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\WinRAR.v.3.2.and.key.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\ICQ 4 Lite.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Kazaa Lite.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\Winamp 5.0 (en).com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\ICQ 4 Lite.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ICQ 4 Lite.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\Harry Potter.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\WinRAR.v.3.2.and.key.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\index.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\WinRAR.v.3.2.and.key.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Harry Potter.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\Harry Potter.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\Winamp 5.0 (en).ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\Winamp 5.0 (en) Crack.exe	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Kazaa Lite.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\WinRAR.v.3.2.and.key.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Winamp 5.0 (en).ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\WinRAR.v.3.2.and.key.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\WinRAR.v.3.2.and.key.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Winamp 5.0 (en).ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\ICQ 4 Lite.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Winamp 5.0 (en).ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\index.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\WinRAR.v.3.2.and.key.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\WinRAR.v.3.2.and.key.ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\ICQ 4 Lite.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\Winamp 5.0 (en).ShareReactor.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\ICQ 4 Lite.exe	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\Kazaa Lite.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\ICQ 4 Lite.com	attachment.pif.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\index.ShareReactor.com	attachment.pif.exe

Drops file in Windows directory 2 IoCs

Processes:

attachment.pif.exe

description ioc process

File opened for modification C:\Windows\lsass.exe attachment.pif.exe
File created C:\Windows\lsass.exe attachment.pif.exe

description	ioc	process
File opened for modification	C:\Windows\lsass.exe	attachment.pif.exe
File created	C:\Windows\lsass.exe	attachment.pif.exe

C:\Users\Admin\AppData\Local\Temp\attachment.pif.exe
"C:\Users\Admin\AppData\Local\Temp\attachment.pif.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing