Malware Analysis Report

2025-03-14 22:45

Sample ID: 240406-1pzrlacf85
Target: 66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02
SHA256: 66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02
Tags: upx, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02

Threat Level: Shows suspicious behavior

The file 66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02 was found to show suspicious behavior.

Malicious Activity Summary

Tags: upx, persistence

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:50

Signatures

UPX packed file

Tag: upx
No indicator details recorded (Description, Indicator, Process and Target are all N/A).

Unsigned PE

No indicator details recorded (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:50

Reported

2024-04-06 21:52

Platform

win7-20240221-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe"

Signatures

UPX packed file

Tag: upx
No indicator details recorded (Description, Indicator, Process and Target are all N/A for each of the three hits).

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"
Process: C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe
Target: N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\macromd\divx pro.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Pamela Anderson And Tommy Lee Home Video (Part 1).mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\AIM Account Hacker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\virtua girl - adriana.pif C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Counter Strike CD Keygen.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\illgal incest preteen porn cum.mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Grand theft auto 3 CD1 crack.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\pamela anderson naked.mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\nikki nova sex scene huge dick blowjob.mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Want to see a massive horse cock in a tight little teen's pussy.mpg.pif C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Another bang bus victim forced rape sex cum.mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\cute girl giving head.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Pamela Anderson.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\winxcfg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\GTA 3 Serial.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Winzip.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\XXX Porn Passwords.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Britney spears nude.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\preteen snuff sex rape with a stick hardcore.mpg.pif C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\16 year old on beach.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\CKY3 - Bam Margera World Industries Alien Workshop.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\icqcracker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\porn account cracker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\teen tied up and raped.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Bondage Fetish Foot Cum.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Digimon.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\16 year old webcam.mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe

"C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe"

Network

N/A

Files

memory/2864-0-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Windows\SysWOW64\macromd\16 year old webcam.mpg.exe

MD5 f3468b4c7a6e2256fa3088cbc1521635
SHA1 7d95946f908d23e0596859d4035fafe4473a248d
SHA256 907ba0de005f3c1206f2f2bb65dbf9d688046bd00738d43b772f7440bcaad1ca
SHA512 ea24b04950a31cfe74c2b4dcf757721aa892c2d7841d34d2fb06d8b1d8e77f488ebd3f0317680ff56714dded42755323a8fdaf28065803d96071a611b4e41861

memory/2864-28-0x0000000000400000-0x0000000000464000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:50

Reported

2024-04-06 21:52

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe"

Signatures

UPX packed file

Tag: upx
No indicator details recorded (Description, Indicator, Process and Target are all N/A for each of the three hits).

Adds Run key to start application

Tag: persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"
Process: C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe
Target: N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\macromd\Napster Clone.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Website Hacker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Pamela Anderson.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\GTA 3 Serial.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\OfficeXP Keygen.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Digimon.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\aimhacker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Choke on cum (sodomy, rape).mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\DivX pro key generator.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\hotmailhacker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\teen tied up and raped.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\preteen snuff sex rape with a stick hardcore.mpg.pif C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\password stealer.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\aol password cracker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\winxcfg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\15 year old webcam.mpg.pif C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\play station emulator crack.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\yahoo cracker.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\preteen sucking huge cock illegal.mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Universal Game Crack.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\AIM Account Stealer.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Kama Sutra Tetris.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\divx pro.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\ICQ Hackingtools.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Blonde and Japanese girl bukkake.mpg.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\XXX Porn Passwords.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A
File created C:\Windows\SysWOW64\macromd\Microsoft Office XP (english) key generator.exe C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe

"C:\Users\Admin\AppData\Local\Temp\66f53900e586df3a842f2e120ebde534aeed3fd9a56c917a51dbf79d081b7e02.exe"

Network


Files

memory/3528-0-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Windows\SysWOW64\macromd\Kama Sutra Tetris.exe

MD5 7f6cabacfc3e8039a659fd6d2cca276b
SHA1 554b1f7b79789c67bdb27686aa3f2c709891d6a6
SHA256 6e5418326ef5b4ecccaf620a155b0160ca54a97e8668f640322dd14e88f9665b
SHA512 76fe06da25dadfbc3c3a741913989740cb85187c2fa94e420d7823d0ef4171a6e9726a3ed9b7d65b74699965f77adde40a480f563e753ea8dcf2d5439386f941

memory/3528-28-0x0000000000400000-0x0000000000464000-memory.dmp