f43f9a09bf08479fecb80cbcbc4787f6b739c2720e1e6265232ccc0f447b341c

Analysis

max time kernel
154s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
Size

34KB
MD5

24352cdc660bc591a06b9506e1e1ad60
SHA1

83e847c080f583485d16c385177ddecb930bb944
SHA256

f43f9a09bf08479fecb80cbcbc4787f6b739c2720e1e6265232ccc0f447b341c
SHA512

f90317ca50d3a76b323587b6edf0772ed7be9d0901612b5afb2b4e820e9c530a34eef90d4fed43a9d35145d046ecb523b6bd13053f09bbfe04fcc7955442363c
SSDEEP

768:SCIqdH/k1ZVcT194jp40udyuX7Y17L5TZ2wc:SNqaLV8a6jhYFFTZu

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4940-0-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-3-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-4-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-6-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-8-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-18-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/files/0x00110000000230bb-19.dat	upx
behavioral2/memory/4940-115-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-124-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-125-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-150-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-209-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-269-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral2/memory/4940-292-0x0000000000800000-0x000000000080D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\index.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\Winamp 5.0 (en).com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\ICQ 4 Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\Winamp 5.0 (en) Crack.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Kazaa Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\Harry Potter.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\Harry Potter.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\WinRAR.v.3.2.and.key.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\Winamp 5.0 (en) Crack.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\index.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\ICQ 4 Lite.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\index.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\index.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\WinRAR.v.3.2.and.key.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Winamp 5.0 (en).com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\ICQ 4 Lite.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\ICQ 4 Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\Kazaa Lite.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\Winamp 5.0 (en).exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\WinRAR.v.3.2.and.key.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\ICQ 4 Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\ICQ 4 Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Harry Potter.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\Winamp 5.0 (en) Crack.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\Harry Potter.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\ICQ 4 Lite.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\Harry Potter.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\index.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WinRAR.v.3.2.and.key.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\Winamp 5.0 (en) Crack.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\Harry Potter.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\WinRAR.v.3.2.and.key.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\Harry Potter.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\Kazaa Lite.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\WinRAR.v.3.2.and.key.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\ICQ 4 Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\Harry Potter.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\Winamp 5.0 (en).exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\Kazaa Lite.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\index.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\Kazaa Lite.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\Kazaa Lite.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\index.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\WinRAR.v.3.2.and.key.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\WinRAR.v.3.2.and.key.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\index.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\Winamp 5.0 (en).com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\Winamp 5.0 (en).exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\Kazaa Lite.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\index.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\Winamp 5.0 (en).exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\Kazaa Lite.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\Winamp 5.0 (en).ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\index.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\WinRAR.v.3.2.and.key.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\Kazaa Lite.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\Harry Potter.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\WinRAR.v.3.2.and.key.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\Kazaa Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\Winamp 5.0 (en).exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\ICQ 4 Lite.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\Kazaa Lite.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\Kazaa Lite.ShareReactor.com	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lsass.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
File opened for modification	C:\Windows\lsass.exe	NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.24352cdc660bc591a06b9506e1e1ad60_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFB84.tmp

Filesize
34KB

MD5
4b9726a25949fad6c806b53de7584f92

SHA1
570db1382ccdb694b1332809d0ddf9b0dd73785d

SHA256
c8d5254d383d7d2b342703000b987cb49ac4a690c8d8e13766e15fb096c9ab25

SHA512
631d467c89858f2ebeed8864bd078c394320eb39f069eb0e7adf71abf80ac43c5f6532b067d5bacb7a29206279fac6e1643a30f22ad489cb3a0b4a2e152e885b

Download Submit
memory/4940-6-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-4-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-0-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-8-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-18-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-3-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-115-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-124-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-125-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-150-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-209-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-269-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/4940-292-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads