6e492c9e366fc4343bafe8a0956e6b77c51701980ef5bb898b4f770d10af6818

General

Target

33f89aa54a5a8de62ee8174e9ceb24f0N.exe
Size

85KB
MD5

33f89aa54a5a8de62ee8174e9ceb24f0
SHA1

c00b36ef9017470e27b44f7a93c264f3e6613ccd
SHA256

6e492c9e366fc4343bafe8a0956e6b77c51701980ef5bb898b4f770d10af6818
SHA512

4863747d916dd973e816bb415059aba2cebb4b02923e873995a006ce0e1b3e919bfbc7c2bddefd76f4e1aef042105e2def8754b7292eb140c35472966e72dae6
SSDEEP

1536:y4QQ6NSyM61l19piO+LV8YEoI/EU9RUe4mORdBdwnaIlutwILG6Q:y4X6NSyfnpijeYEoIcq4dR/+naI4wf6Q

Score

7^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1208-0-0x0000000000400000-0x0000000000464000-memory.dmp	upx
behavioral1/files/0x000900000001902b-6.dat	upx
behavioral1/memory/1208-28-0x0000000000400000-0x0000000000464000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winxcfg.exe = "C:\\Windows\\system32\\winxcfg.exe"	33f89aa54a5a8de62ee8174e9ceb24f0N.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\macromd\15 year old webcam.mpg.pif	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\msncracker.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\divx pro.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\winxcfg.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\Another bang bus victim forced rape sex cum.mpg.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\Winzip.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\icqcracker.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\AIM Account Hacker.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\chubby girl bukkake gang banged sucking cock.mpg.pif	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\illegal porno - 15 year old raped by two men on boat.mpg.pif	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\Yahoo mail cracker.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\nude.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\16 year old webcam.mpg.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\Harry Potter and the sorcerors stone.divx.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\AIM Password Stealer.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\GTA 3 Crack.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\GTA 3 Serial.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\aol password cracker.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\invisible IP.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\AIM Account Stealer.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\play station emulator crack.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\fetish bondage preteen porno.mpg.pif	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\yahoo cracker.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\Norton antivirus 2002.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\Teen Violent Forced Gangbang.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\kill osama bin laden game.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe
File created	C:\Windows\SysWOW64\macromd\MSN.exe	33f89aa54a5a8de62ee8174e9ceb24f0N.exe

C:\Users\Admin\AppData\Local\Temp\33f89aa54a5a8de62ee8174e9ceb24f0N.exe
"C:\Users\Admin\AppData\Local\Temp\33f89aa54a5a8de62ee8174e9ceb24f0N.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\macromd\16 year old webcam.mpg.exe

Filesize
82KB

MD5
ed29edb15f5f9c444795e53739c5a8e8

SHA1
1be5776fb2eedb5ab84eac78e3c1d7b0ca327bb1

SHA256
13054f9456a7503d733c08bba011d84fa72574a82042e119bd56fcb89827b33c

SHA512
49b8569b366a9dbc5bb13527a3d1c58277234fee5695b7530dadcaa69af5b82bb1b063cc8fd5a2a5c9c1cf0bd644e56a352bbf25e78787aa3b1da36413ae7054

Download Submit
memory/1208-0-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1208-28-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads