Analysis Overview
SHA256
0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819
Threat Level: Known bad
The file 0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819 was found to be: Known bad.
Malicious Activity Summary
Echelon
Echelon log file
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Enumerates physical storage devices
Program crash
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-26 20:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-26 20:55
Reported
2022-03-28 06:44
Platform
win7-20220311-en
Max time kernel
4294179s
Max time network
124s
Command Line
Signatures
Echelon
Echelon log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe
"C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1600 -s 1736
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 52.20.78.240:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.12:443 | g.api.mega.co.nz | tcp |
Files
memory/1604-54-0x0000000076851000-0x0000000076853000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
memory/692-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
| MD5 | c3256800dce47c14acc83ccca4c3e2ac |
| SHA1 | 9d126818c66991dbc3813a65eddb88bbcf77f30a |
| SHA256 | f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866 |
| SHA512 | 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
| MD5 | c3256800dce47c14acc83ccca4c3e2ac |
| SHA1 | 9d126818c66991dbc3813a65eddb88bbcf77f30a |
| SHA256 | f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866 |
| SHA512 | 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
| MD5 | 3e7ecaeb51c2812d13b07ec852d74aaf |
| SHA1 | e9bdab93596ffb0f7f8c65243c579180939acb26 |
| SHA256 | e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96 |
| SHA512 | 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
| MD5 | 340b294efc691d1b20c64175d565ebc7 |
| SHA1 | 81cb9649bd1c9a62ae79e781818fc24d15c29ce7 |
| SHA256 | 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9 |
| SHA512 | 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
| MD5 | 48236f6b51945bd0ae9afb44ca5bedba |
| SHA1 | 6f63d6cca8f3bfc3b5b64903586806a49b8b4b30 |
| SHA256 | c868718e08abf10befc3af7fbee6ecade1171978d2c029c26aeccb8ff868c4fd |
| SHA512 | 3f977aefcbf33137ce4c63754c9cef9d2ce3a3a6682fbdf7dada51657571a6fa65fd682ffe02f12dfb25105b56751f99d42c8b079cab5480c05ab672c0c7dfb9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
| MD5 | b326b5062b2f0e69046810717534cb09 |
| SHA1 | 5ffe533b830f08a0326348a9160afafc8ada44db |
| SHA256 | b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b |
| SHA512 | 9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
memory/1600-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
memory/1600-75-0x0000000000D30000-0x0000000000E58000-memory.dmp
memory/1600-76-0x000000001CA20000-0x000000001CA22000-memory.dmp
memory/676-77-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-26 20:55
Reported
2022-03-28 06:44
Platform
win10v2004-en-20220113
Max time kernel
132s
Max time network
161s
Command Line
Signatures
Echelon
Echelon log file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3868 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe |
| PID 3868 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe |
| PID 3868 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe |
| PID 2296 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe |
| PID 2296 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe
"C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x3f4
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
Network
| Country | Destination | Domain | Proto |
| BE | 8.238.110.126:80 | tcp | |
| BE | 8.238.110.126:80 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.12:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | gfs270n077.userstorage.mega.co.nz | udp |
| LU | 89.44.168.218:80 | gfs270n077.userstorage.mega.co.nz | tcp |
| NL | 104.110.191.140:80 | tcp | |
| GB | 92.123.143.240:80 | tcp |
Files
memory/2296-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
| MD5 | 424bf196deaeb4ddcafb78e137fa560a |
| SHA1 | 007738e9486c904a3115daa6e8ba2ee692af58c8 |
| SHA256 | 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2 |
| SHA512 | a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
| MD5 | c3256800dce47c14acc83ccca4c3e2ac |
| SHA1 | 9d126818c66991dbc3813a65eddb88bbcf77f30a |
| SHA256 | f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866 |
| SHA512 | 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
| MD5 | c3256800dce47c14acc83ccca4c3e2ac |
| SHA1 | 9d126818c66991dbc3813a65eddb88bbcf77f30a |
| SHA256 | f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866 |
| SHA512 | 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
| MD5 | 3e7ecaeb51c2812d13b07ec852d74aaf |
| SHA1 | e9bdab93596ffb0f7f8c65243c579180939acb26 |
| SHA256 | e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96 |
| SHA512 | 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
| MD5 | 340b294efc691d1b20c64175d565ebc7 |
| SHA1 | 81cb9649bd1c9a62ae79e781818fc24d15c29ce7 |
| SHA256 | 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9 |
| SHA512 | 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
| MD5 | 48236f6b51945bd0ae9afb44ca5bedba |
| SHA1 | 6f63d6cca8f3bfc3b5b64903586806a49b8b4b30 |
| SHA256 | c868718e08abf10befc3af7fbee6ecade1171978d2c029c26aeccb8ff868c4fd |
| SHA512 | 3f977aefcbf33137ce4c63754c9cef9d2ce3a3a6682fbdf7dada51657571a6fa65fd682ffe02f12dfb25105b56751f99d42c8b079cab5480c05ab672c0c7dfb9 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
| MD5 | b326b5062b2f0e69046810717534cb09 |
| SHA1 | 5ffe533b830f08a0326348a9160afafc8ada44db |
| SHA256 | b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b |
| SHA512 | 9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de |
memory/2700-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
| MD5 | 7efa42ec3c0c9cbb4e92d6d2748def05 |
| SHA1 | 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5 |
| SHA256 | d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1 |
| SHA512 | 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754 |
memory/2700-142-0x00000000007F0000-0x0000000000918000-memory.dmp
memory/2700-143-0x00007FFA9D6A0000-0x00007FFA9E161000-memory.dmp
memory/2700-144-0x0000000000F30000-0x0000000000FED000-memory.dmp
memory/2700-145-0x000000001CE10000-0x000000001CE32000-memory.dmp