0c6f7e003ed5add84aa19b302bd09cad797583261c952acc59b8aff9aeac632b

Analysis

max time kernel
158s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2023, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
Size

34KB
MD5

4842f4f8c48566b717d7e2387589ff30
SHA1

02722eafd2fff4d7e0e17c6d4c9fa94764fb055b
SHA256

0c6f7e003ed5add84aa19b302bd09cad797583261c952acc59b8aff9aeac632b
SHA512

ed389fa6492b3c6336c86b34a365fb9f1c8e676d44ff4c89c3e9f0e932b15043466cbef1a3c80c5a69f12fc6c3e4a6644985fc45db7e35bd81482a393529bc4b
SSDEEP

768:pwy7luXqnKZ3URe/cqhVnjBsuC1bfeFb1RbfrFFr:aypnKZ3Ulchtsl1bfw/frFh

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1384-0-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-3-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-5-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-7-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/files/0x000a000000022e19-12.dat	upx
behavioral2/memory/1384-52-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-111-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-136-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-187-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-255-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-282-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-283-0x0000000000800000-0x000000000080E200-memory.dmp	upx
behavioral2/memory/1384-286-0x0000000000800000-0x000000000080E200-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Traybar = "C:\\Windows\\lsass.exe"	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\VC\Winamp 5.0 (en) Crack.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\Kazaa Lite.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\ICQ 4 Lite.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\29308177-86EB-4A1A-AB36-C24BEDF03AC8\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\ICQ 4 Lite.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\Harry Potter.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Winamp 5.0 (en) Crack.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\Winamp 5.0 (en).com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\Winamp 5.0 (en).exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\Harry Potter.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\Winamp 5.0 (en) Crack.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\29308177-86EB-4A1A-AB36-C24BEDF03AC8\root\ICQ 4 Lite.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\index.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\ICQ 4 Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\29308177-86EB-4A1A-AB36-C24BEDF03AC8\root\vfs\Windows\assembly\Winamp 5.0 (en) Crack.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\ICQ 4 Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\Winamp 5.0 (en).ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\WinRAR.v.3.2.and.key.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Kazaa Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\Winamp 5.0 (en).com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ICQ 4 Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\DEEPBLUE\index.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\Winamp 5.0 (en).com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\Harry Potter.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\index.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\Winamp 5.0 (en) Crack.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\WinRAR.v.3.2.and.key.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\Kazaa Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\Winamp 5.0 (en).exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\index.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\ICQ 4 Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\Kazaa Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\index.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\29308177-86EB-4A1A-AB36-C24BEDF03AC8\root\vfs\Windows\assembly\GAC_MSIL\WinRAR.v.3.2.and.key.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\Kazaa Lite.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\index.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\Kazaa Lite.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\Winamp 5.0 (en).ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\Harry Potter.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\index.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\ICQ 4 Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\Winamp 5.0 (en).ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\index.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\WinRAR.v.3.2.and.key.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\WinRAR.v.3.2.and.key.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\Harry Potter.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\WinRAR.v.3.2.and.key.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\Winamp 5.0 (en) Crack.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\Harry Potter.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\Winamp 5.0 (en).exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\index.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\Winamp 5.0 (en) Crack.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\Kazaa Lite.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\WinRAR.v.3.2.and.key.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\ICQ 4 Lite.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\nb-NO\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\WinRAR.v.3.2.and.key.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\Winamp 5.0 (en).ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\ICQ 4 Lite.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\WinRAR.v.3.2.and.key.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\ICQ 4 Lite.ShareReactor.com	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lsass.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
File opened for modification	C:\Windows\lsass.exe	NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4842f4f8c48566b717d7e2387589ff30_JC.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC128.tmp

Filesize
34KB

MD5
547a4dc128d1e2da6282df1f112b7039

SHA1
340ee3041272de04ce58991144c4b6038a9491e9

SHA256
2d031c4307974dc69f160a0311b1ffb1c075aa745b7418587ec1d952f25afdcc

SHA512
64e8af4bb8929d8516d3486171b45ee1bdd1ee3f58ac79229ad5b080906daa8747dbe63abe3e8488d502fb2f1778eb8c70ebbaf804e3b47d97e2b39343806580

Download Submit
memory/1384-111-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-5-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-7-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-3-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-52-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-0-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-136-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-187-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-255-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-282-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-283-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download
memory/1384-286-0x0000000000800000-0x000000000080E200-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads