f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1

Analysis

max time kernel
151s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
Size

33KB
MD5

844fdb4bc51b8ab2b3ba89c4e53578a7
SHA1

01111b6a00f16ad64c6f835c2f731c25e1358cca
SHA256

f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1
SHA512

32f3b95c78116fcd457b158a15ac23517eec5019b983c133600a6274fe8092e87d2e8eed16b8fac036b75eda875e2f60a81e2f437180b62f0fd7e3190921dfd0
SSDEEP

768:SCIqdH/k1ZVcT194jp4e3j/bbzXPivCYa:SNqaLV8a6ernbPiS

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1712-55-0x0000000000800000-0x000000000080D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\Harry Potter.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\WinRAR.v.3.2.and.key.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\ICQ 4 Lite.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\Kazaa Lite.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Harry Potter.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\Winamp 5.0 (en).exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Winamp 5.0 (en) Crack.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ICQ 4 Lite.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\ICQ 4 Lite.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\index.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\index.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\WinRAR.v.3.2.and.key.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\WinRAR.v.3.2.and.key.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\Winamp 5.0 (en) Crack.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Kazaa Lite.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\Harry Potter.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\Winamp 5.0 (en) Crack.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\Harry Potter.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\Harry Potter.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\WinRAR.v.3.2.and.key.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\Winamp 5.0 (en).com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\ICQ 4 Lite.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\ICQ 4 Lite.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\Harry Potter.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\WinRAR.v.3.2.and.key.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\Kazaa Lite.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\ICQ 4 Lite.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\Winamp 5.0 (en) Crack.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\WinRAR.v.3.2.and.key.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Winamp 5.0 (en).com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\Harry Potter.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\WinRAR.v.3.2.and.key.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\Winamp 5.0 (en).ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\Winamp 5.0 (en).com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\WinRAR.v.3.2.and.key.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\Harry Potter.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\Kazaa Lite.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\Kazaa Lite.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Harry Potter.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\WinRAR.v.3.2.and.key.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\index.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\WinRAR.v.3.2.and.key.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\WinRAR.v.3.2.and.key.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\index.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\index.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Winamp 5.0 (en).exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\WinRAR.v.3.2.and.key.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Kazaa Lite.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\Harry Potter.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\Winamp 5.0 (en) Crack.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\Harry Potter.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\index.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\index.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\index.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\WinRAR.v.3.2.and.key.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\Kazaa Lite.ShareReactor.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\WinRAR.v.3.2.and.key.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en) Crack.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VC\WinRAR.v.3.2.and.key.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\index.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\ICQ 4 Lite.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\Kazaa Lite.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\WinRAR.v.3.2.and.key.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\Kazaa Lite.com	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
File created	C:\Windows\lsass.exe	f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe

C:\Users\Admin\AppData\Local\Temp\f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe
"C:\Users\Admin\AppData\Local\Temp\f50b46e626691aea81997a4c9be0e97de04a1841e80ccc608986c5f16b4829f1.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1712-55-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download