84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024

General

Target

84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
Size

73KB
MD5

7651738697a08dda753914f0791c1d22
SHA1

697f0d47ffdfdf64ff44661c45dd0ad3e72d3a64
SHA256

84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024
SHA512

e5ef9cdd2303e05d539a4de6bada69ea1a6f9d8e87111d05094e257f4ad85c6ca4ff3cd29fc58a79842ef4b5ec6cfee86942cf437aa5d4d007c7f5ed07c0c4d7
SSDEEP

1536:y4QQ6NSyM61l19piO+LV8YEoI/EU9RUe4m//TC9ZKI1CGDt:y4X6NSyfnpijeYEoIcq4Q/TCTKI1nt

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4968-7-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral2/files/0x0007000000023422-5.dat	upx
behavioral2/memory/4968-28-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\macromd\Lolita preteen sex.mpeg.pif	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\yahoo cracker.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\illgal incest preteen porn cum.mpg.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\icqcracker.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Britney spears nude.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\teen tied up and raped.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Grand theft auto 3 CD1 crack.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\AIM Account Hacker.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\invisible IP.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Want to see a massive horse cock in a tight little teen's pussy.mpg.pif	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\hotmailhacker.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Harry Potter and the sorcerors stone.divx.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\aol password cracker.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Kama Sutra Tetris.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\password stealer.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\GTA 3 Serial.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\winxcfg.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\nikki nova sex scene huge dick blowjob.mpg.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\porn account cracker.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Bondage Fetish Foot Cum.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Universal Game Crack.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\jenna jameson - xxx nurse scene.mpg.pif	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\chubby girl fucked from all angles xxx.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Britney Spears Dance Beat.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\16 year old webcam.mpg.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\siemens unlocker.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
File created	C:\Windows\SysWOW64\macromd\Pamela Anderson.exe	84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe

C:\Users\Admin\AppData\Local\Temp\84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe
"C:\Users\Admin\AppData\Local\Temp\84be7f89367c35eab38b819e9266e1969b560437e632e3ba9db9c3298e2df024.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\Kama Sutra Tetris.exe

Filesize
63KB

MD5
e4332d3f3b38a20681e93653706f81bb

SHA1
a6eefe760b3b06dd14e4b640c1a53c6c5ac9ff83

SHA256
6522a459435163fa3f77e3110a9b37d52b40b95324c242728cc01e061b05e35e

SHA512
868166a3099480edc528e62dca86279ed22e6e8b9f1c4604d66e82ca2fcddc79e91c455d46000e3b5dc8292d481b73813106140a71747cd00897cdc89db1a2dc

Download Submit
memory/4968-7-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4968-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads