c983126514c71e1d2227ec6853db4d0d2b8a5bc58e4a6e84b3701e1fb3e49f0e

Analysis

max time kernel
117s
max time network
137s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f18350094101d8483e78948a3d773030_JC.exe
Size

83KB
MD5

f18350094101d8483e78948a3d773030
SHA1

f92ead1effb052f284125e9162b612aa5200078e
SHA256

c983126514c71e1d2227ec6853db4d0d2b8a5bc58e4a6e84b3701e1fb3e49f0e
SHA512

fe32527b19555558c4c6fdee83f3cb9640ead1e5a887bbedf65467013327bedb71502ca579d5d22679947630e946b1fb31f6c06056c4f482e5f283e4c0aba0be
SSDEEP

1536:5lrsicagdzn8K2ariPOcjk+XQuPVN72NMSejH8G5DPzCDe67uGr:5JjcF8KfCOcjk+guPVjSOpIzz

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-0-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/files/0x00070000000167f7-6.dat	upx
behavioral1/memory/2108-34-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	NEAS.f18350094101d8483e78948a3d773030_JC.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\macromd\kill osama bin laden game.exe	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\two studs gangbanging a hot little sluts holes.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\little chicken shy about exposing sweet cunt.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\some twink ass rippers.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\AIM Password Stealer.exe	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\invisible IP.exe	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\candy stripper getting down on sick mans cock.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\this really wild insane groupsex.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\hot anita blonde doing lesbo.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\kitty-cat with horny beaver that needs licking.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\two busty sluts fucked in bathroom.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\cock forced in some slut mouth.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\nurse in pink showing her healthy bone slot.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\showing some hot girls share cock.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\an asian bush getting a cum bath.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\lesbian sex and strapon dildo games.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\winxcfg.exe	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\Lolita preteen sex.mpeg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\two large black bones in a small white box.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\genuine indian slut posing.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\cute blonde cheerleader dancing.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\neighbor boy fucking grandma after mowing her grass.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\amateur slut with a huge gun.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\sexy little bitch playing with dildo.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\OfficeXP Keygen.exe	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\blonde on couch gettin tight anal fucking.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\bottle blonde tramp sucking a dick dry.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\babes getting their tender little asses corked.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\chick weeing in her pants.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\lezbos in pantyhose swapping tongues.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\babes with great lips that knows how suck cock.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\hot tomoli lathering up sexy body for boyfriend's tongue.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe
File created	C:\Windows\SysWOW64\macromd\two teen lesbians with dildo having fun.mpg.pif	NEAS.f18350094101d8483e78948a3d773030_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.f18350094101d8483e78948a3d773030_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f18350094101d8483e78948a3d773030_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\OfficeXP Keygen.exe

Filesize
85KB

MD5
da92320cc31d139e374b5aae72c3f44f

SHA1
69c35cd2db7842a33c3756d207ed94bd6dc1b9ae

SHA256
fc5c1828e02579c121d6677f8f2800a978b8aa7ac143e4d72986ddda44def7f4

SHA512
1a6958a28457f7db8816ecc0f8fee9d4e51dd23ed1c68d3c8d89ced72cd70a7c93fd108b9fe38a0f49cd046b5a36aeb14e0fdb0a530b5059dfed71969d9fc51a

Download Submit
memory/2108-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2108-34-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads