Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 24-02-2022 11:15
Static task: static1
Behavioral task: behavioral1
- Sample: 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
- Resource: win10-20220223-en
General
- Target: 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
- Size: 267KB
- MD5: b921f1f433015d3780e9c13ab245f2eb
- SHA1: cbc30251bb9392dc0c47b2b1084273c0aa58a0dc
- SHA256: 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92
- SHA512: 7eef07ca4bf6ba69e56f0dc6420d8af25a50a2aefcfdc72d5718238068076a2794e74282743132537c166ee38864e6bc85fc905e3cf1d98082b94fbb32f8e203
Malware Config
Signatures
-
PlugX RAT payload (4 IoCs)
resource                                                                      yara_rule
behavioral1/memory/828-76-0x0000000000310000-0x0000000000337000-memory.dmp    PlugX
behavioral1/memory/1920-78-0x0000000000270000-0x0000000000297000-memory.dmp   PlugX
behavioral1/memory/1488-80-0x00000000001A0000-0x00000000001C5000-memory.dmp   PlugX
behavioral1/memory/1316-86-0x0000000000240000-0x0000000000265000-memory.dmp   PlugX
-
Executes dropped EXE (2 IoCs)
pid    Process
1920   Mc.exe
828    Mc.exe
-
Deletes itself (1 IoC)
pid    Process
1488   svchost.exe
-
Loads dropped DLL (6 IoCs)
pid    Process
948    6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe (5 loads)
1920   Mc.exe (1 load)
-
Drops file in Windows directory (6 IoCs)
description                     ioc                          Process
File created                    C:\Windows\McUtil.dll.url    Mc.exe
File opened for modification    C:\Windows\Mc.exe            Mc.exe
File created                    C:\Windows\Mc.exe            Mc.exe
File opened for modification    C:\Windows\McUtil.dll        Mc.exe
File created                    C:\Windows\McUtil.dll        Mc.exe
File opened for modification    C:\Windows\McUtil.dll.url    Mc.exe
-
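The three files dropped into C:\Windows (Mc.exe, McUtil.dll and McUtil.dll.url) have the shape of a DLL side-loading triad: an executable, a DLL named so that the executable loads it, and a third file named after the DLL with an extra extension. The following detection logic is an added example written for this page, not sandbox code; it runs over file-drop events constructed from the IoCs above (plus two constructed benign rows), and the (action, path, process) tuple shape is an assumption about the telemetry format.

```python
"""Flag a PlugX-style DLL side-loading triad in file-drop telemetry.

Added example, not code from the sandbox or the report. The events below are
constructed from the 'Drops file in Windows directory' IoCs plus two benign
rows; the (action, path, process) tuple shape is an assumption.
"""
import ntpath
from collections import defaultdict

# Constructed input: (action, path, process). The first six rows copy the report.
EVENTS = [
    ("File created", r"C:\Windows\McUtil.dll.url", "Mc.exe"),
    ("File opened for modification", r"C:\Windows\Mc.exe", "Mc.exe"),
    ("File created", r"C:\Windows\Mc.exe", "Mc.exe"),
    ("File opened for modification", r"C:\Windows\McUtil.dll", "Mc.exe"),
    ("File created", r"C:\Windows\McUtil.dll", "Mc.exe"),
    ("File opened for modification", r"C:\Windows\McUtil.dll.url", "Mc.exe"),
    # Benign noise (constructed): an installer writing an exe and a dll but no
    # third file named after the dll.
    ("File created", r"C:\Program Files\App\app.exe", "setup.exe"),
    ("File created", r"C:\Program Files\App\helper.dll", "setup.exe"),
]


def find_sideload_triads(events):
    """Return one dict per (directory, process) that created an .exe, a .dll
    and a file named '<that dll>.<ext>' in the same directory.

    That naming (McUtil.dll next to McUtil.dll.url) is the shape of the
    report's own IoCs: the payload carried alongside a side-loaded DLL is
    usually named after the DLL with an extra extension.
    """
    created = defaultdict(dict)          # (dir, process) -> {lowercase: original}
    for action, path, proc in events:
        if action != "File created":
            continue                     # modifying an existing file is not a drop
        directory, name = ntpath.split(path)
        created[(directory, proc)][name.lower()] = name

    hits = []
    for (directory, proc), names in created.items():
        exes = sorted(n for n in names if n.endswith(".exe"))
        for dll in sorted(n for n in names if n.endswith(".dll")):
            payloads = sorted(n for n in names if n.startswith(dll + ".") and n != dll)
            if exes and payloads:
                hits.append({
                    "dir": directory,
                    "process": proc,
                    "exe": names[exes[0]],
                    "dll": names[dll],
                    "payload": names[payloads[0]],
                    # Dropping into the Windows directory is itself unusual
                    # for user software and raises the score.
                    "in_windows_dir": directory.lower().startswith(r"c:\windows"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_sideload_triads(EVENTS):
        print(hit)
```

Only "File created" events count as drops, so the "opened for modification" rows do not double-count the same files; the installer rows in Program Files produce no hit because nothing there is named after helper.dll.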
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic description labels this as likely ransomware behaviour; nothing else in this report supports that label (the sample is classified as PlugX), and drive enumeration is equally consistent with a RAT surveying the host.
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information (here the ~MHz value of CPU 0) is often read in order to detect sandbox or virtual-machine environments, where the reported clock speed can be anomalous.
description         ioc                                                                      Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0          svchost.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ     svchost.exe
-
Modifies registry class (2 IoCs)
description        ioc                                                                                                    Process
Key created        \REGISTRY\MACHINE\Software\CLASSES\XXXX                                                                svchost.exe
Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Classes\XXXX\CLSID = 30003500320046004300300045004400380041003200390041003600340041000000   svchost.exe
-
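The CLSID value written by the injected svchost.exe is shown as raw hex. Every second byte is 0x00 and the buffer ends in a 16-bit NUL, which is the signature of a NUL-terminated UTF-16LE string rather than a real COM class ID. The decoder below is an added example, not part of the report; the hex is the IoC above, the UTF-16LE reading is inferred from that byte pattern, and the report does not say what the decoded string identifies.

```python
r"""Decode the REG_BINARY data written under HKLM\SOFTWARE\Classes\XXXX\CLSID.

Added example, not part of the report. The hex string is the IoC above; the
reading of it as a NUL-terminated UTF-16LE string is inferred from the byte
pattern (every second byte is 0x00), not stated by the sandbox.
"""
CLSID_HEX = "30003500320046004300300045004400380041003200390041003600340041000000"


def looks_like_utf16le(raw: bytes) -> bool:
    """Cheap heuristic: even length and every high byte zero (ASCII range)."""
    return len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2])


def decode_reg_binary(hex_data: str) -> str:
    """Decode hex -> bytes -> UTF-16LE text, truncated at the first NUL.

    Raises ValueError if the bytes do not look like UTF-16LE, so a caller
    never silently "decodes" arbitrary binary data into garbage.
    """
    raw = bytes.fromhex(hex_data)
    if not looks_like_utf16le(raw):
        raise ValueError("data does not look like UTF-16LE text")
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def is_hex_token(text: str, length: int = 16) -> bool:
    """True if the decoded value is a fixed-width hex string, the shape seen here."""
    return len(text) == length and all(c in "0123456789abcdefABCDEF" for c in text)


if __name__ == "__main__":
    value = decode_reg_binary(CLSID_HEX)
    print(value, is_hex_token(value))
```

The decoded value is a 16-character hexadecimal token. A genuine CLSID would be stored as a brace-delimited GUID string under HKCR, and a key literally named XXXX with an ASCII token in its CLSID value is the kind of artefact worth carrying into a host-based indicator.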
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid    Process        events
1488   svchost.exe    14
1316   msiexec.exe    50
-
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid    Process
1488   svchost.exe
1316   msiexec.exe
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description               pid    Process
Token: SeDebugPrivilege   1920   Mc.exe
Token: SeTcbPrivilege     1920   Mc.exe
Token: SeDebugPrivilege   828    Mc.exe
Token: SeTcbPrivilege     828    Mc.exe
Token: SeDebugPrivilege   1488   svchost.exe
Token: SeTcbPrivilege     1488   svchost.exe
Token: SeDebugPrivilege   1316   msiexec.exe
Token: SeTcbPrivilege     1316   msiexec.exe
-
Suspicious use of WriteProcessMemory (28 IoCs)
description                         pid    Process                                                                  procid_target   events
PID 948 wrote to memory of 1920     948    6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe    27              7
PID 828 wrote to memory of 1488     828    Mc.exe                                                                   29              9
PID 1488 wrote to memory of 1316    1488   svchost.exe                                                              31              12
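Read together, the WriteProcessMemory events and the YARA hits tell the story of the run: the SFX writes into the Mc.exe it spawns, the copy of Mc.exe in C:\Windows writes into a svchost.exe it starts, and that svchost.exe writes into msiexec.exe, while the PlugX rule matches private memory regions in all four processes. The script below is an added example, not sandbox code; it parses event text copied from the IoCs above (identical repeated events reproduced by string multiplication), assumes the line formats are exactly as rendered on this page, and takes the PID-to-image mapping from the process tree further down. Its caveat is the one a practitioner should apply: a parent writing into a child it has just created can be ordinary process start-up, so the verdict rests on the payload hit inside Windows system binaries, not on the write events alone.

```python
"""Rebuild the write-into-process chain and PlugX memory hits from the report.

Added example, not code from the sandbox or the report. The event text is
copied from the WriteProcessMemory and YARA IoCs (repeated events reproduced
with string multiplication); the line formats are assumed to be exactly as
rendered on the page. Process names per PID come from the process tree.
"""
import re
from collections import Counter

SAMPLE = "6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe"

WPM_EVENTS = (
    f"PID 948 wrote to memory of 1920 948 {SAMPLE} 27\n" * 7
    + "PID 828 wrote to memory of 1488 828 Mc.exe 29\n" * 9
    + "PID 1488 wrote to memory of 1316 1488 svchost.exe 31\n" * 12
)
YARA_HITS = """
behavioral1/memory/828-76-0x0000000000310000-0x0000000000337000-memory.dmp PlugX
behavioral1/memory/1920-78-0x0000000000270000-0x0000000000297000-memory.dmp PlugX
behavioral1/memory/1488-80-0x00000000001A0000-0x00000000001C5000-memory.dmp PlugX
behavioral1/memory/1316-86-0x0000000000240000-0x0000000000265000-memory.dmp PlugX
"""
PROCESS_NAMES = {948: SAMPLE, 1920: "Mc.exe", 828: "Mc.exe",
                 1488: "svchost.exe", 1316: "msiexec.exe"}
# Windows binaries that should never hold a PlugX payload in a private region.
SYSTEM_BINARIES = {"svchost.exe", "msiexec.exe"}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
HIT_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp (\S+)")


def parse_injections(text):
    """Collapse repeated events into {(writer_pid, writer_name, target_pid): count}."""
    counts = Counter()
    for writer, target, name, _target_id in WPM_RE.findall(text):
        counts[(int(writer), name, int(target))] += 1
    return dict(counts)


def parse_memory_hits(text):
    """One dict per YARA hit: pid, start, end, size (bytes), rule."""
    hits = []
    for pid, start, end, rule in HIT_RE.findall(text):
        s, e = int(start, 16), int(end, 16)
        hits.append({"pid": int(pid), "start": s, "end": e, "size": e - s, "rule": rule})
    return hits


def injection_chain(injections, pid):
    """Follow writer -> target edges backwards from pid to the first writer."""
    writer_of = {target: writer for (writer, _name, target) in injections}
    chain = [pid]
    while chain[0] in writer_of:
        chain.insert(0, writer_of[chain[0]])
    return chain


def injected_system_processes(injections, hits, names):
    """PIDs that were written to by another process, carry a PlugX hit, and
    are Windows system binaries. A parent writing into a child it just
    created can be ordinary start-up; the memory hit is what makes the verdict."""
    targets = {target for (_w, _n, target) in injections}
    return sorted(h["pid"] for h in hits
                  if h["pid"] in targets and names.get(h["pid"]) in SYSTEM_BINARIES)


if __name__ == "__main__":
    inj = parse_injections(WPM_EVENTS)
    hits = parse_memory_hits(YARA_HITS)
    for pid in injected_system_processes(inj, hits, PROCESS_NAMES):
        print(" -> ".join(f"{p} ({PROCESS_NAMES[p]})" for p in injection_chain(inj, pid)))
```

The two Mc.exe instances hold a 0x27000-byte region and the two system processes a 0x25000-byte region, both far smaller than the 267KB dropper, which is consistent with a decrypted in-memory payload rather than a mapped copy of the file on disk.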
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe (PID 948)
    command line: "C:\Users\Admin\AppData\Local\Temp\6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe (PID 1920)
        command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Mc.exe (PID 828)
    command line: C:\Windows\Mc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 1488)
        command line: C:\Windows\system32\svchost.exe
        - Deletes itself
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\msiexec.exe (PID 1316)
            command line: C:\Windows\SysWOW64\msiexec.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
-