Malware Analysis Report

2025-06-16 01:03

Sample ID: 221123-x5p1jsha35
Target: 67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209
SHA256: 67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209
Tags: xtremerat persistence rat spyware upx
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209
Threat Level: Known bad

The file 67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209 was found to be: Known bad.

Malicious Activity Summary

Tags: xtremerat persistence rat spyware upx

Modifies WinLogon for persistence
Xtremerat family
Detect XtremeRAT payload
XtremeRAT
Adds policy Run key to start application
UPX packed file
Modifies Installed Components in the registry
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported: 2022-11-23 19:26

Signatures

Detect XtremeRAT payload
Description | Indicator | Process | Target
(1 row, all fields N/A)

Xtremerat family
Tags: xtremerat

UPX packed file
Tags: upx
Description | Indicator | Process | Target
(1 row, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-23 19:26
Reported: 2022-11-23 22:05
Platform: win7-20221111-en
Max time kernel: 159s
Max time network: 176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe"

Signatures

Detect XtremeRAT payload
Description | Indicator | Process | Target
(7 rows, all fields N/A)

Modifies WinLogon for persistence
Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

XtremeRAT
Tags: persistence spyware rat xtremerat

Adds policy Run key to start application
Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A

Modifies Installed Components in the registry
Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6} | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6}\StubPath = "C:\\Windows\\WIN 7\\HACKO.exe restart" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6} | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6}\StubPath = "C:\\Windows\\WIN 7\\HACKO.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A

UPX packed file
Tags: upx
Description | Indicator | Process | Target
(6 rows, all fields N/A)

Adds Run key to start application
Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A

Drops file in Windows directory
Description | Indicator | Process | Target
File opened for modification | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
File created | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
File opened for modification | C:\Windows\WIN 7\ | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 1076 wrote to memory of 1104 (5 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 332 (5 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe"

C:\Windows\SysWOW64\svchost.exe
Command line: svchost.exe

C:\Windows\SysWOW64\svchost.exe
Command line: svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | oudy.no-ip.biz | udp

Files

memory/1076-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

memory/1076-55-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/1104-56-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/1104-58-0x0000000000000000-mapping.dmp

C:\Windows\WIN 7\HACKO.exe
MD5: 3ed737aa806679a8f967360abe8cdcfd
SHA1: 7ebd7c27d3b3de22e4717d6722f2092897942d52
SHA256: 67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209
SHA512: c6f44e2bcea50eebd0052e6c0a978c2aad35aa22d8dd3ac17f81240557f4a3fac6d170a2b9ff7b9365d78a54e35004b50066a5e750f11ec852bf3e432b6dc0de

memory/332-63-0x0000000000000000-mapping.dmp

memory/1104-65-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/332-66-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/1076-67-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/332-68-0x0000000000C80000-0x0000000000CA5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-23 19:26
Reported: 2022-11-23 22:05
Platform: win10v2004-20220812-en
Max time kernel: 150s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe"

Signatures

Detect XtremeRAT payload
Description | Indicator | Process | Target
(6 rows, all fields N/A)

Modifies WinLogon for persistence
Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A

XtremeRAT
Tags: persistence spyware rat xtremerat

Adds policy Run key to start application
Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A

Modifies Installed Components in the registry
Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6} | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6}\StubPath = "C:\\Windows\\WIN 7\\HACKO.exe restart" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6} | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EPN7AS00-1R0D-K47C-E2K5-0DKM312VCSX6}\StubPath = "C:\\Windows\\WIN 7\\HACKO.exe restart" | C:\Windows\SysWOW64\svchost.exe | N/A

UPX packed file
Tags: upx
Description | Indicator | Process | Target
(6 rows, all fields N/A)

Adds Run key to start application
Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchost = "C:\\Windows\\WIN 7\\HACKO.exe" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\svchost.exe | N/A

Drops file in Windows directory
Description | Indicator | Process | Target
File opened for modification | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
File created | C:\Windows\WIN 7\HACKO.exe | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A
File opened for modification | C:\Windows\WIN 7\ | C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209.exe"

C:\Windows\SysWOW64\svchost.exe
Command line: svchost.exe

C:\Windows\SysWOW64\svchost.exe
Command line: svchost.exe

Network

Country | Destination | Domain | Proto
N/A | 8.248.3.254:80 | | tcp (3 identical rows)
N/A | 8.8.8.8:53 | oudy.no-ip.biz | udp
N/A | 93.184.220.29:80 | | tcp

Files

memory/5004-132-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/1308-133-0x0000000000000000-mapping.dmp

C:\Windows\WIN 7\HACKO.exe
MD5: 3ed737aa806679a8f967360abe8cdcfd
SHA1: 7ebd7c27d3b3de22e4717d6722f2092897942d52
SHA256: 67ded0a6cc387c821388f74c3a7feffda231bfb23c40b7f7aacc3d6a2c107209
SHA512: c6f44e2bcea50eebd0052e6c0a978c2aad35aa22d8dd3ac17f81240557f4a3fac6d170a2b9ff7b9365d78a54e35004b50066a5e750f11ec852bf3e432b6dc0de

memory/1412-135-0x0000000000000000-mapping.dmp

memory/1308-136-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/1412-137-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/5004-138-0x0000000000C80000-0x0000000000CA5000-memory.dmp

memory/1412-139-0x0000000000C80000-0x0000000000CA5000-memory.dmp