Analysis Overview
SHA256
54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780
Threat Level: Known bad
The file 54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
AutoIT Executable
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-12 23:32
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-12 23:32
Reported
2023-06-12 23:34
Platform
win7-20230220-en
Max time kernel
139s
Max time network
152s
Command Line
Signatures
RevengeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe
"C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | marcelotatuape.ddns.net | udp |
| FR | 141.255.153.147:333 | marcelotatuape.ddns.net | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
memory/1448-120-0x0000000000770000-0x00000000007B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-12 23:32
Reported
2023-06-12 23:34
Platform
win10v2004-20230220-en
Max time kernel
130s
Max time network
148s
Command Line
Signatures
RevengeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe
"C:\Users\Admin\AppData\Local\Temp\54d4cd535c5555a2e1292817639001549782a097d8f1ec2a734ea00f57e2d780.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x3f8
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
Network
| Country | Destination | Domain | Proto |
| US | 40.77.2.164:443 | N/A | tcp |
| US | 8.8.8.8:53 | 164.2.77.40.in-addr.arpa | udp |
| US | 52.152.110.14:443 | N/A | tcp |
| US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | marcelotatuape.ddns.net | udp |
| FR | 141.255.153.147:333 | marcelotatuape.ddns.net | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 20.50.201.200:443 | N/A | tcp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| NL | 8.238.21.126:80 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\aut6BFD.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
memory/4880-185-0x0000000000680000-0x0000000000690000-memory.dmp
memory/4880-186-0x0000000000680000-0x0000000000690000-memory.dmp