20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62

General

Target

20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
Size

63KB
MD5

903bf575c43a3a40dcbb8e385ee283c0
SHA1

ea448d15b812ae6761667e7f21773caca357cb2e
SHA256

20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62
SHA512

9eb819221938120a85e366aef4908cfd75f7148dd4b0168498992996a27b0e8cf35ad850df916d947bb2c1f85da71d4fd3e08867348680879262f9cb177c8140
SSDEEP

1536:Q4QQ6NSyM61l19piO+LV8YEoI/EU9RUe4mfGrnt5b8h:Q4X6NSyfnpijeYEoIcq49J8

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1692-54-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/memory/1692-55-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\macromd\Lolita preteen sex.mpeg.pif	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\jenna jameson - shower scene.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\hot girl on the beach sucking cock and fucking guy.mpg.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\icqcracker.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\winxcfg.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\hotmailhacker.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\illegal porno - 15 year old raped by two men on boat.mpg.pif	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\AOL.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\chubby girl fucked from all angles xxx.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\Hotmail Hacker.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\Blonde and Japanese girl bukkake.mpg.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\XXX Porn Passwords.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\DivX pro key generator.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\jenna jameson sex scene huge dick blowjob.scr	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\Choke on cum (sodomy, rape).mpg.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\Kama Sutra Tetris.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\AIM Password Stealer.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\yahoo cracker.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\Universal Game Crack.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\OfficeXP Keygen.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\16 year old webcam.mpg.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\preteen sucking huge cock illegal.mpg.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\nikki nova sex scene huge dick blowjob.mpg.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\virtua girl - adriana.pif	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\AOL, MSN, Yahoo mail password stealer.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\msncracker.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
File created	C:\Windows\SysWOW64\macromd\crack.exe	20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe

C:\Users\Admin\AppData\Local\Temp\20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe
"C:\Users\Admin\AppData\Local\Temp\20487185967e40fc3bae63d974d3a1affca222c6ce8f2411d0628ae0318bca62.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-54-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1692-55-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing