d80dd701e37501c4935cd2f5b5693effb5b620df7704af02f903169d14cf228b

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
Size

33KB
MD5

0d553fc100efa8ee7c5e200f06b289c0
SHA1

8771c1d2c1f727ae2a621c2d9a663f5fb85b907b
SHA256

d80dd701e37501c4935cd2f5b5693effb5b620df7704af02f903169d14cf228b
SHA512

de1054c7bdc37a78df992b7df7962e2bf056a51067aed55f6343eb26339af7c1a43f5a9a7a61de4a80904bed0f525b57b0e4c4b27ffee52c1408a03d195ee9eb
SSDEEP

768:SCIqdH/k1ZVcT194jp46Yi/kQPFVrjQaWkK2rZ:SNqaLV8a66YNYZQLk1rZ

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1936-0-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-3-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-5-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-7-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/files/0x0005000000004ed6-16.dat	upx
behavioral1/memory/1936-119-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-150-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-151-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-152-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-174-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-175-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-176-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-178-0x0000000000800000-0x000000000080D000-memory.dmp	upx
behavioral1/memory/1936-179-0x0000000000800000-0x000000000080D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\Kazaa Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\index.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\Kazaa Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\ICQ 4 Lite.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\Kazaa Lite.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Winamp 5.0 (en) Crack.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\Harry Potter.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\ICQ 4 Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\index.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\index.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\Winamp 5.0 (en).ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\Harry Potter.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\Winamp 5.0 (en) Crack.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\WinRAR.v.3.2.and.key.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Kazaa Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Kazaa Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\WinRAR.v.3.2.and.key.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\Winamp 5.0 (en) Crack.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\index.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\ICQ 4 Lite.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\Harry Potter.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\ICQ 4 Lite.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\index.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\Winamp 5.0 (en) Crack.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Kazaa Lite.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\Winamp 5.0 (en).exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\index.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Winamp 5.0 (en).exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\Harry Potter.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Kazaa Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\Winamp 5.0 (en).exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\Kazaa Lite.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\WinRAR.v.3.2.and.key.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\Winamp 5.0 (en) Crack.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\Winamp 5.0 (en) Crack.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\Winamp 5.0 (en).com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\Harry Potter.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\WinRAR.v.3.2.and.key.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\Kazaa Lite.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\Winamp 5.0 (en).ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\index.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\ICQ 4 Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\Winamp 5.0 (en).exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\Winamp 5.0 (en).exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Winamp 5.0 (en) Crack.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\Winamp 5.0 (en).exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\Harry Potter.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DAO\index.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\Kazaa Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EURO\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Winamp 5.0 (en) Crack.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ICQ 4 Lite.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\ICQ 4 Lite.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\WinRAR.v.3.2.and.key.com	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
File created	C:\Windows\lsass.exe	NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0d553fc100efa8ee7c5e200f06b289c0.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\Harry Potter.ShareReactor.com

Filesize
33KB

MD5
0d553fc100efa8ee7c5e200f06b289c0

SHA1
8771c1d2c1f727ae2a621c2d9a663f5fb85b907b

SHA256
d80dd701e37501c4935cd2f5b5693effb5b620df7704af02f903169d14cf228b

SHA512
de1054c7bdc37a78df992b7df7962e2bf056a51067aed55f6343eb26339af7c1a43f5a9a7a61de4a80904bed0f525b57b0e4c4b27ffee52c1408a03d195ee9eb

Download Submit
memory/1936-150-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-5-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-7-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-3-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-119-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-0-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-151-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-152-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-174-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-175-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-176-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-178-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download
memory/1936-179-0x0000000000800000-0x000000000080D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads