b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07

General

Target

b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
Size

83KB
MD5

4c894e6781d8bb9507648590a90835b4
SHA1

5aab6291790adf7234dfc0631b79d8fff78d2da1
SHA256

b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07
SHA512

90ce7b2a1bee793dfdf09ca1b5ae65fd9c98c4e07fabea460c7ec4f32f20eab62ddb7b17fbf886023cb0efaeb3ee442460e196bc4afe8895e469ea7bbaef62c7
SSDEEP

1536:y4QQ6NSyM61l19piO+LV8YEoI/EU9RUe4muu6Z6ZUtQFmDPFujvGQx5me:y4X6NSyfnpijeYEoIcq4Pu6Za4RujvGY

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2692-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/files/0x000700000002322a-6.dat	upx
behavioral2/memory/2692-28-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winxcfg.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\fetish bondage preteen porno.mpg.pif	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Warcraft 3 battle.net serial generator.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Norton antivirus 2002.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\AOL.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\CKY3 - Bam Margera World Industries Alien Workshop.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\virtua girl - adriana.pif	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\15 year old on beach.mpg.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\GTA3 crack.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\GTA 3 Crack.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Bondage Fetish Foot Cum.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\invisible IP.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Yahoo mail cracker.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Winzip.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\crack.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Flash Golf.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\nude.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Grand theft auto 3 CD1 crack.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Digimon.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\chubby girl bukkake gang banged sucking cock.mpg.pif	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\MSN.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Britney Spears Dance Beat.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\illegal porno - 15 year old raped by two men on boat.mpg.pif	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\password stealer.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\GTA 3 Serial.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\Windows 2000.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
File created	C:\Windows\SysWOW64\macromd\AIM Account Stealer.exe	b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe

C:\Users\Admin\AppData\Local\Temp\b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe
"C:\Users\Admin\AppData\Local\Temp\b8d1076d278ede4932d77616af60eaa3789b08ead2fbcb68daa2e29128385d07.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\password stealer.exe

Filesize
69KB

MD5
c6d54e8aca7831083119e4891a0f572a

SHA1
6ac45a027ad29f18649fa479494d9e3ad4411f13

SHA256
4f97e8f9b50340cdfea2338a098c14efbf2bc81bbec9ee3e5dc8529d42561c6d

SHA512
dceda3a14cc12efc0c28b13ed30b96e8463757dd68d0e73b840b9e3c10cb7ceeca2e1b198791619537d319c2c0bfddf9646e8c7e585a8de154bb720d41a2cf81

Download Submit
memory/2692-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2692-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads