Malware Analysis Report

2024-11-13 14:24

Sample ID 220326-zqnkaahda5
Target 0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819
SHA256 0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819
Tags
echelon collection discovery persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819

Threat Level: Known bad

The file 0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819 was found to be: Known bad.

Malicious Activity Summary

echelon collection discovery persistence spyware stealer

Echelon

Echelon log file

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Enumerates physical storage devices

Program crash

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2022-03-26 20:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-26 20:55

Reported

2022-03-28 06:44

Platform

win7-20220311-en

Max time kernel

4294179s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe"

Signatures

Echelon

stealer spyware echelon

Echelon log file

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
PID 692 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
PID 1600 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe C:\Windows\system32\WerFault.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe

"C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1600 -s 1736

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.12:443 g.api.mega.co.nz tcp

Files

memory/1604-54-0x0000000076851000-0x0000000076853000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

memory/692-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 48236f6b51945bd0ae9afb44ca5bedba
SHA1 6f63d6cca8f3bfc3b5b64903586806a49b8b4b30
SHA256 c868718e08abf10befc3af7fbee6ecade1171978d2c029c26aeccb8ff868c4fd
SHA512 3f977aefcbf33137ce4c63754c9cef9d2ce3a3a6682fbdf7dada51657571a6fa65fd682ffe02f12dfb25105b56751f99d42c8b079cab5480c05ab672c0c7dfb9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 b326b5062b2f0e69046810717534cb09
SHA1 5ffe533b830f08a0326348a9160afafc8ada44db
SHA256 b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b
SHA512 9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de

\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 7efa42ec3c0c9cbb4e92d6d2748def05
SHA1 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5
SHA256 d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1
SHA512 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754

memory/1600-72-0x0000000000000000-mapping.dmp

memory/1600-75-0x0000000000D30000-0x0000000000E58000-memory.dmp

memory/1600-76-0x000000001CA20000-0x000000001CA22000-memory.dmp

memory/676-77-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-26 20:55

Reported

2022-03-28 06:44

Platform

win10v2004-en-20220113

Max time kernel

132s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe"

Signatures

Echelon

stealer spyware echelon

Echelon log file

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe

"C:\Users\Admin\AppData\Local\Temp\0f4dd1c10186f8682986732134e6f33f440fbdd999aff471aa82a782e6886819.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f8 0x3f4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"

Network

Country Destination Domain Proto
BE 8.238.110.126:80 tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 gfs270n077.userstorage.mega.co.nz udp
LU 89.44.168.218:80 gfs270n077.userstorage.mega.co.nz tcp
NL 104.110.191.140:80 tcp
GB 92.123.143.240:80 tcp

Files

memory/2296-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

MD5 424bf196deaeb4ddcafb78e137fa560a
SHA1 007738e9486c904a3115daa6e8ba2ee692af58c8
SHA256 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
SHA512 a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

MD5 c3256800dce47c14acc83ccca4c3e2ac
SHA1 9d126818c66991dbc3813a65eddb88bbcf77f30a
SHA256 f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
SHA512 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

MD5 3e7ecaeb51c2812d13b07ec852d74aaf
SHA1 e9bdab93596ffb0f7f8c65243c579180939acb26
SHA256 e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
SHA512 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

MD5 340b294efc691d1b20c64175d565ebc7
SHA1 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
SHA256 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
SHA512 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

MD5 48236f6b51945bd0ae9afb44ca5bedba
SHA1 6f63d6cca8f3bfc3b5b64903586806a49b8b4b30
SHA256 c868718e08abf10befc3af7fbee6ecade1171978d2c029c26aeccb8ff868c4fd
SHA512 3f977aefcbf33137ce4c63754c9cef9d2ce3a3a6682fbdf7dada51657571a6fa65fd682ffe02f12dfb25105b56751f99d42c8b079cab5480c05ab672c0c7dfb9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

MD5 b326b5062b2f0e69046810717534cb09
SHA1 5ffe533b830f08a0326348a9160afafc8ada44db
SHA256 b5bea41b6c623f7c09f1bf24dcae58ebab3c0cdd90ad966bc43a45b44867e12b
SHA512 9120cd5faef07a08e971ff024a3fcbea1e3a6b44142a6d82ca28c6c42e4f852595bcf53d81d776f10541045abdb7c37950629415d0dc66c8d86c64a5606d32de

memory/2700-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

MD5 7efa42ec3c0c9cbb4e92d6d2748def05
SHA1 4e3f7fba4daa3fa94a625b1131fa9628f164f1d5
SHA256 d52ffe1202a06f4172e9e25514ce27c425d1f1cb0176dba3de9920ea08e3bad1
SHA512 9bd51c591fbd8a8128bf4d500dcca8c642959fff28ae0721e5039fda3ba7800718df66784b145ae972062513d3b387e67ea4d15ff084ab3014e2f31cc495d754

memory/2700-142-0x00000000007F0000-0x0000000000918000-memory.dmp

memory/2700-143-0x00007FFA9D6A0000-0x00007FFA9E161000-memory.dmp

memory/2700-144-0x0000000000F30000-0x0000000000FED000-memory.dmp

memory/2700-145-0x000000001CE10000-0x000000001CE32000-memory.dmp