Analysis
-
max time kernel
151s -
max time network
164s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
22-02-2022 08:29
Static task
static1
Behavioral task
behavioral1
Sample
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
-
Size
267KB
-
MD5
b921f1f433015d3780e9c13ab245f2eb
-
SHA1
cbc30251bb9392dc0c47b2b1084273c0aa58a0dc
-
SHA256
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92
-
SHA512
7eef07ca4bf6ba69e56f0dc6420d8af25a50a2aefcfdc72d5718238068076a2794e74282743132537c166ee38864e6bc85fc905e3cf1d98082b94fbb32f8e203
Score
10/10
Malware Config
Signatures
-
suricata: ET MALWARE Gulpix/PlugX Client Request
suricata: ET MALWARE Gulpix/PlugX Client Request
-
suricata: ET MALWARE Possible PlugX Common Header Struct
suricata: ET MALWARE Possible PlugX Common Header Struct
-
Executes dropped EXE 2 IoCs
pid Process 476 Mc.exe 1520 Mc.exe -
Deletes itself 1 IoCs
pid Process 652 svchost.exe -
Loads dropped DLL 6 IoCs
pid Process 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 476 Mc.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\Mc.exe Mc.exe File created C:\Windows\Mc.exe Mc.exe File opened for modification C:\Windows\McUtil.dll Mc.exe File created C:\Windows\McUtil.dll Mc.exe File opened for modification C:\Windows\McUtil.dll.url Mc.exe File created C:\Windows\McUtil.dll.url Mc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ svchost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\XXXX svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\XXXX\CLSID = 38003300310046004600300039003500380042004200360033003600430036000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 652 svchost.exe 652 svchost.exe 652 svchost.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 652 svchost.exe 652 svchost.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 652 svchost.exe 652 svchost.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 652 svchost.exe 652 svchost.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 652 svchost.exe 652 svchost.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 836 msiexec.exe 652 svchost.exe 652 svchost.exe 836 msiexec.exe 836 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 652 svchost.exe 836 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 476 Mc.exe Token: SeTcbPrivilege 476 Mc.exe Token: SeDebugPrivilege 1520 Mc.exe Token: SeTcbPrivilege 1520 Mc.exe Token: SeDebugPrivilege 652 svchost.exe Token: SeTcbPrivilege 652 svchost.exe Token: SeDebugPrivilege 836 msiexec.exe Token: SeTcbPrivilege 836 msiexec.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1940 wrote to memory of 476 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 27 PID 1940 wrote to memory of 476 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 27 PID 1940 wrote to memory of 476 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 27 PID 1940 wrote to memory of 476 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 27 PID 1940 wrote to memory of 476 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 27 PID 1940 wrote to memory of 476 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 27 PID 1940 wrote to memory of 476 1940 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 27 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 1520 wrote to memory of 652 1520 Mc.exe 29 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30 PID 652 wrote to memory of 836 652 svchost.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe"C:\Users\Admin\AppData\Local\Temp\6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:476
-
-
C:\Windows\Mc.exeC:\Windows\Mc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Deletes itself
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\SysWOW64\msiexec.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-