Analysis Overview
SHA256
80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967
Threat Level: Known bad
The file 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.bin was found to be: Known bad.
Malicious Activity Summary
PlugX Rat Payload
PlugX
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-03-10 15:58
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-28 15:52
Reported
2022-02-28 15:55
Platform
win10-en-20211208
Max time kernel
150s
Max time network
151s
Command Line
Signatures
PlugX
PlugX Rat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| N/A | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| N/A | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\KET.FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 38003600330032004600300042004200340036003900410033004300410036000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| Token: SeTcbPrivilege | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"
\??\c:\windows\temp\AROTutorial.exe
c:\windows\temp\AROTutorial.exe
C:\ProgramData\ARO\AROTutorial.exe
"C:\ProgramData\ARO\AROTutorial.exe" 600 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 601 0
C:\Windows\SysWOW64\userinit.exe
C:\Windows\system32\userinit.exe 609 2552
Network
| Country | Destination | Domain | Proto |
| JP | 108.61.182.34:443 | N/A | tcp |
| N/A | 10.127.255.255:63 | N/A | udp |
| US | 52.109.8.20:443 | N/A | tcp |
| JP | 108.61.182.34:443 | N/A | tcp |
| JP | 108.61.182.34:443 | N/A | udp |
| JP | 108.61.182.34:80 | N/A | tcp |
| JP | 108.61.182.34:80 | N/A | tcp |
| JP | 108.61.182.34:80 | N/A | udp |
| JP | 108.61.182.34:8080 | N/A | tcp |
| JP | 108.61.182.34:8080 | N/A | tcp |
Files
C:\Windows\Temp\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
\??\c:\windows\temp\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
\??\c:\windows\temp\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
\??\c:\windows\temp\aross.dat
| MD5 | 60e04d5b3dae8bcd3cfa82d492088869 |
| SHA1 | 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b |
| SHA256 | c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4 |
| SHA512 | 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb |
\Windows\Temp\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
memory/1792-120-0x00000000005C0000-0x00000000005E5000-memory.dmp
memory/1792-121-0x0000000002100000-0x000000000213F000-memory.dmp
C:\ProgramData\ARO\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
C:\ProgramData\ARO\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
\ProgramData\ARO\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
C:\ProgramData\ARO\aross.dat
| MD5 | 60e04d5b3dae8bcd3cfa82d492088869 |
| SHA1 | 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b |
| SHA256 | c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4 |
| SHA512 | 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb |
memory/2176-127-0x0000000000DA0000-0x0000000000DDF000-memory.dmp
memory/2552-128-0x0000000000670000-0x0000000000672000-memory.dmp
memory/2552-129-0x0000000002C50000-0x0000000002C8F000-memory.dmp
memory/2712-130-0x0000000000940000-0x0000000000942000-memory.dmp
memory/2712-131-0x0000000000F50000-0x0000000000F8F000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-02-28 15:52
Reported
2022-02-28 15:55
Platform
win10v2004-en-20220113
Max time kernel
150s
Max time network
153s
Command Line
Signatures
PlugX
PlugX Rat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| N/A | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| N/A | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\KET.FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 30003300360033003700450039003500360045004200370031004400430045000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| Token: SeTcbPrivilege | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"
\??\c:\windows\temp\AROTutorial.exe
c:\windows\temp\AROTutorial.exe
C:\ProgramData\ARO\AROTutorial.exe
"C:\ProgramData\ARO\AROTutorial.exe" 600 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 601 0
C:\Windows\SysWOW64\userinit.exe
C:\Windows\system32\userinit.exe 609 4172
Network
| Country | Destination | Domain | Proto |
| JP | 108.61.182.34:443 | N/A | tcp |
| N/A | 10.127.255.255:63 | N/A | udp |
| JP | 108.61.182.34:443 | N/A | tcp |
| US | 8.247.211.254:80 | N/A | tcp |
| US | 8.247.211.254:80 | N/A | tcp |
| JP | 108.61.182.34:443 | N/A | udp |
| JP | 108.61.182.34:80 | N/A | tcp |
| JP | 108.61.182.34:80 | N/A | tcp |
| JP | 108.61.182.34:80 | N/A | udp |
| JP | 108.61.182.34:8080 | N/A | tcp |
| JP | 108.61.182.34:8080 | N/A | tcp |
Files
C:\Windows\Temp\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
\??\c:\windows\temp\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
\??\c:\windows\temp\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
C:\Windows\Temp\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
\??\c:\windows\temp\aross.dat
| MD5 | 60e04d5b3dae8bcd3cfa82d492088869 |
| SHA1 | 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b |
| SHA256 | c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4 |
| SHA512 | 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb |
C:\ProgramData\ARO\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
C:\ProgramData\ARO\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
C:\ProgramData\ARO\aross.dat
| MD5 | 60e04d5b3dae8bcd3cfa82d492088869 |
| SHA1 | 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b |
| SHA256 | c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4 |
| SHA512 | 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb |
memory/3600-140-0x00000000005A0000-0x00000000005C5000-memory.dmp
memory/3600-141-0x0000000000760000-0x000000000079F000-memory.dmp
memory/4172-142-0x0000000000C70000-0x0000000000C72000-memory.dmp
memory/4172-143-0x0000000001340000-0x000000000137F000-memory.dmp
memory/3492-144-0x0000000000E10000-0x0000000000E4F000-memory.dmp
memory/2452-145-0x0000000000FF0000-0x0000000000FF2000-memory.dmp
memory/2452-146-0x00000000014D0000-0x000000000150F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-28 15:52
Reported
2022-02-28 15:55
Platform
win7-20220223-en
Max time kernel
4294211s
Max time network
144s
Command Line
Signatures
PlugX
PlugX Rat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| N/A | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe | N/A |
| N/A | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| N/A | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\KET.FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 44004500360034003600440035003300330030003600380038003900420033000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| Token: SeTcbPrivilege | N/A | \??\c:\windows\temp\AROTutorial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\ARO\AROTutorial.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\userinit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe
"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"
\??\c:\windows\temp\AROTutorial.exe
c:\windows\temp\AROTutorial.exe
C:\ProgramData\ARO\AROTutorial.exe
"C:\ProgramData\ARO\AROTutorial.exe" 600 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 601 0
C:\Windows\SysWOW64\userinit.exe
C:\Windows\system32\userinit.exe 609 1524
Network
| Country | Destination | Domain | Proto |
| JP | 108.61.182.34:443 | N/A | tcp |
| N/A | 10.127.255.255:63 | N/A | udp |
| JP | 108.61.182.34:443 | N/A | tcp |
| JP | 108.61.182.34:443 | N/A | tcp |
| JP | 108.61.182.34:443 | N/A | udp |
| JP | 108.61.182.34:80 | N/A | tcp |
| JP | 108.61.182.34:80 | N/A | tcp |
| JP | 108.61.182.34:80 | N/A | tcp |
Files
\Windows\Temp\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
C:\Windows\Temp\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
\??\c:\windows\temp\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
\Windows\Temp\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
\??\c:\windows\temp\aross.dat
| MD5 | 60e04d5b3dae8bcd3cfa82d492088869 |
| SHA1 | 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b |
| SHA256 | c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4 |
| SHA512 | 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb |
memory/840-59-0x0000000075CC1000-0x0000000075CC3000-memory.dmp
\??\c:\windows\temp\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
C:\ProgramData\ARO\AROTutorial.exe
| MD5 | 64ff0a8730472e36e62ce29a20f61529 |
| SHA1 | 6e8165999acf896e27db0da266a96189efd335e8 |
| SHA256 | 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c |
| SHA512 | 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d |
C:\ProgramData\ARO\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
\ProgramData\ARO\aross.dll
| MD5 | 9b05caf01254dbd3389ab74d9932ed37 |
| SHA1 | 7fe8de80c04124b84b800cd284173d86aabedb5e |
| SHA256 | f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab |
| SHA512 | 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b |
C:\ProgramData\ARO\aross.dat
| MD5 | 60e04d5b3dae8bcd3cfa82d492088869 |
| SHA1 | 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b |
| SHA256 | c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4 |
| SHA512 | 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb |
memory/840-65-0x0000000000230000-0x0000000000255000-memory.dmp
memory/1152-66-0x0000000000360000-0x000000000039F000-memory.dmp
memory/840-67-0x00000000003B0000-0x00000000003EF000-memory.dmp
memory/1524-69-0x0000000000080000-0x0000000000082000-memory.dmp
memory/1524-70-0x00000000000D0000-0x00000000000D1000-memory.dmp
memory/1524-71-0x00000000000E0000-0x0000000000102000-memory.dmp
memory/1524-74-0x0000000000080000-0x0000000000082000-memory.dmp
memory/1524-75-0x0000000000410000-0x000000000044F000-memory.dmp
memory/1936-81-0x00000000002F0000-0x000000000032F000-memory.dmp