Analysis
- max time kernel: 90s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 14:54
Static task
- static1

Behavioral tasks
- behavioral1: Cracking tutorial/Kidux Leecher v1.0.1.exe (resource: win7-20240221-en)
- behavioral2: Cracking tutorial/Kidux Leecher v1.0.1.exe (resource: win10v2004-20240508-en)
- behavioral3: Cracking tutorial/Spotify Checker.exe (resource: win7-20240215-en)
- behavioral4: Cracking tutorial/Spotify Checker.exe (resource: win10v2004-20240508-en)
- behavioral5: Kidux Proxy Scraper v1.0.1.exe (resource: win7-20240221-en)
- behavioral6: Kidux Proxy Scraper v1.0.1.exe (resource: win10v2004-20240426-en)
General
- Target: Kidux Proxy Scraper v1.0.1.exe
- Size: 3.6MB
- MD5: 2d1e1d99099fddf9f1ba1f30d7ff5922
- SHA1: 51ce6348bb301aa4e701948e65576fe84136bf28
- SHA256: 1b01f6bc2ba4416668ed6c1d2d7bbdcdf1b2b40dd16658a2d3f16cdba6c23b71
- SHA512: 7853d7b8cfc848652dfa52929feccb11cdc97f434884eefc28b11c2666bb45b1d654050b1487d6488c5a9329e550caa0f947dd02d0b9c832a396aafeba72e8c0
- SSDEEP: 98304:cviz/27qWGq/TzuqCDl2Ptao7jPqHtr105:cviq75/Tzuf8CL05
Malware Config
(none extracted)

Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (process: CDS.exe)
- Executes dropped EXE (2 IoCs)
  PID 1720 CDS.exe; PID 2864 crypted.exe
- Loads dropped DLL (1 IoC)
  PID 1720 CDS.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: Kidux Proxy Scraper v1.0.1.exe)
  Note: the wextract_cleanup RunOnce entry pointing at advpack.dll,DelNodeRunDLL32 is the standard cleanup hook written by a Windows self-extracting (IExpress/wextract) package to delete its IXP000.TMP extraction directory; it indicates the sample is a self-extracting wrapper rather than persistence of the payload itself.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1720 CDS.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token 33: PID 4020 AUDIODG.EXE; Token SeIncBasePriorityPrivilege: PID 4020 AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1720 CDS.exe (2 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3528 (Kidux Proxy Scraper v1.0.1.exe) wrote to memory of PID 1720 (CDS.exe), 3 events
  PID 1720 (CDS.exe) wrote to memory of PID 2864 (crypted.exe), 3 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\Kidux Proxy Scraper v1.0.1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Kidux Proxy Scraper v1.0.1.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
         - Executes dropped EXE
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x494 0x4a0
   - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
  Filesize: 2KB
  MD5: 340b294efc691d1b20c64175d565ebc7
  SHA1: 81cb9649bd1c9a62ae79e781818fc24d15c29ce7
  SHA256: 72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9
  SHA512: 1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
  Filesize: 13KB
  MD5: 3e7ecaeb51c2812d13b07ec852d74aaf
  SHA1: e9bdab93596ffb0f7f8c65243c579180939acb26
  SHA256: e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96
  SHA512: 635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  Filesize: 6.1MB
  MD5: 424bf196deaeb4ddcafb78e137fa560a
  SHA1: 007738e9486c904a3115daa6e8ba2ee692af58c8
  SHA256: 0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2
  SHA512: a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
  Filesize: 634KB
  MD5: 3a156b50fb51f03b34681c002c788c90
  SHA1: e8577943fba6d9f20d2866d29a82d2cb8c457196
  SHA256: 0d663caaa695faf32253b4e4c91819702cd92a72691cd62655cfa55adad8e54d
  SHA512: 6c11c12d769ae5c77942315213aa68d8a8a3bc4ea9805b200ab3a7b510e98419d862e1246e80f1fabb2bfaa0d86d99f4803acde5f002fd83d690f1543c5217b3
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
  Filesize: 634KB
  MD5: 9d32692ed19f42e2d98a5544b088a907
  SHA1: 7493b20223e64023b4d6cc227bd971135360674a
  SHA256: 435d19a5c5cf8463e4d7d5ed813215140f2f8df9a180caf3f765c5203809ddfd
  SHA512: 257317409d35457af189b1ad0eac6d400d6d66f6269eddbcff2174545e44ce07a1146bea41cb57a70fe6958c57eb3a7dee412e4c1ea028d3739f49d6c0db6b53
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
  Filesize: 5B
  MD5: 68934a3e9455fa72420237eb05902327
  SHA1: 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
  SHA256: fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
  SHA512: 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
  Filesize: 322KB
  MD5: c3256800dce47c14acc83ccca4c3e2ac
  SHA1: 9d126818c66991dbc3813a65eddb88bbcf77f30a
  SHA256: f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866
  SHA512: 6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25
Memory dumps (PID 2864, crypted.exe)
- memory/2864-42-0x00000000007D0000-0x0000000000876000-memory.dmp (Filesize: 664KB)
- memory/2864-43-0x00000000050E0000-0x000000000517C000-memory.dmp (Filesize: 624KB)
- memory/2864-44-0x0000000005760000-0x0000000005D04000-memory.dmp (Filesize: 5.6MB)
- memory/2864-45-0x0000000005250000-0x00000000052E2000-memory.dmp (Filesize: 584KB)
- memory/2864-46-0x00000000051E0000-0x00000000051EA000-memory.dmp (Filesize: 40KB)
- memory/2864-47-0x00000000052F0000-0x0000000005346000-memory.dmp (Filesize: 344KB)