da6c74cb0fdf12898b9240f2df30c96724a0dca8ee90320177fa0b74ca70925a

General

Target

NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
Size

79KB
MD5

08b41e1a7ace2b460f2de24eb16e32e0
SHA1

94745a70cb4aa07e0c07bcf3cda12edb69d19a09
SHA256

da6c74cb0fdf12898b9240f2df30c96724a0dca8ee90320177fa0b74ca70925a
SHA512

0c1f4fb25ae469005ea5a1b2ea6b9069cbd56876295feeff7d861ff49cb714041b25929c648d2acca05a3796930776d0c0570e0885c3b5af3b7cdbaf3682645b
SSDEEP

1536:Q4QQ6NSyM61l19piO+LV8YEoI/EU9RUe4m2n94RmDWQzjoCoE:Q4X6NSyfnpijeYEoIcq4l94RPCoE

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1200-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/files/0x0007000000014a93-6.dat	upx
behavioral1/memory/1200-28-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\macromd\girls gone wild.mpg.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\crack.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\OfficeXP Keygen.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\nude.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Website Hacker.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\preteen sucking huge cock illegal.mpg.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Yahoo mail cracker.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Britney Spears Dance Beat.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\msncracker.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Microsoft Office XP (english) key generator.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\aol password cracker.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\winxcfg.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\DivX pro key generator.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\jenna jameson - shower scene.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\aimcracker.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\15 year old on beach.mpg.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\invisible IP.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Free Porn.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Counter Strike CD Keygen.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\porn account cracker.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Harry Potter and the sorcerors stone.divx.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Want to see a massive horse cock in a tight little teen's pussy.mpg.pif	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\icqcracker.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\pamela anderson naked.mpg.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Another bang bus victim forced rape sex cum.mpg.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\Napster Clone.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
File created	C:\Windows\SysWOW64\macromd\14 year old on beach.mpg.exe	NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.08b41e1a7ace2b460f2de24eb16e32e0_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\Britney Spears Dance Beat.exe

Filesize
87KB

MD5
39b5c427d54f7a9e558a8071fe2759fb

SHA1
b4dcb296b132a591113c48bc7f5c32576bc9c64a

SHA256
5959d20f4d0646b331e2fbb0471fcb0042e0574bc819cb109e3f0316904740a5

SHA512
670767e3b78d0b59e050e1e8781de489f7616eee90b8038a82f600b391cb6075bca106884dc1d6ba7bfa9b912d249389e21ff1ac9b2ea2146285007e25174ee0

Download Submit
memory/1200-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1200-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads