Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10_x64 -
resource
win10-20220223-en -
submitted
24-02-2022 11:15
Static task
static1
Behavioral task
behavioral1
Sample
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
Resource
win10-20220223-en
windows10_x64
0 signatures
0 seconds
General
-
Target
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe
-
Size
267KB
-
MD5
b921f1f433015d3780e9c13ab245f2eb
-
SHA1
cbc30251bb9392dc0c47b2b1084273c0aa58a0dc
-
SHA256
6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92
-
SHA512
7eef07ca4bf6ba69e56f0dc6420d8af25a50a2aefcfdc72d5718238068076a2794e74282743132537c166ee38864e6bc85fc905e3cf1d98082b94fbb32f8e203
Malware Config
Signatures
-
PlugX Rat Payload 4 IoCs
resource yara_rule behavioral2/memory/3612-124-0x0000000000590000-0x00000000005B7000-memory.dmp PlugX behavioral2/memory/1356-125-0x0000000000550000-0x0000000000577000-memory.dmp PlugX behavioral2/memory/3576-127-0x00000000029A0000-0x00000000029C5000-memory.dmp PlugX behavioral2/memory/3852-131-0x0000000002DC0000-0x0000000002DE5000-memory.dmp PlugX -
Executes dropped EXE 2 IoCs
pid Process 1356 Mc.exe 3612 Mc.exe -
Deletes itself 1 IoCs
pid Process 3576 svchost.exe -
Loads dropped DLL 1 IoCs
pid Process 1356 Mc.exe -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies svchost.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 svchost.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\McUtil.dll.url Mc.exe File created C:\Windows\McUtil.dll.url Mc.exe File opened for modification C:\Windows\Mc.exe Mc.exe File created C:\Windows\Mc.exe Mc.exe File opened for modification C:\Windows\McUtil.dll Mc.exe File created C:\Windows\McUtil.dll Mc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ svchost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\XXXX svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\XXXX\CLSID = 36003200320034003400350043003000330030003700420036004300320032000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3576 svchost.exe 3576 svchost.exe 3576 svchost.exe 3576 svchost.exe 3576 svchost.exe 3576 svchost.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3576 svchost.exe 3576 svchost.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3576 svchost.exe 3576 svchost.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3576 svchost.exe 3576 svchost.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3576 svchost.exe 3576 svchost.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe 3852 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3576 svchost.exe 3852 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1356 Mc.exe Token: SeTcbPrivilege 1356 Mc.exe Token: SeDebugPrivilege 3612 Mc.exe Token: SeTcbPrivilege 3612 Mc.exe Token: SeDebugPrivilege 3576 svchost.exe Token: SeTcbPrivilege 3576 svchost.exe Token: SeDebugPrivilege 3852 msiexec.exe Token: SeTcbPrivilege 3852 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 3936 wrote to memory of 1356 3936 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 42 PID 3936 wrote to memory of 1356 3936 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 42 PID 3936 wrote to memory of 1356 3936 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe 42 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3612 wrote to memory of 3576 3612 Mc.exe 44 PID 3576 wrote to memory of 3852 3576 svchost.exe 45 PID 3576 wrote to memory of 3852 3576 svchost.exe 45 PID 3576 wrote to memory of 3852 3576 svchost.exe 45 PID 3576 wrote to memory of 3852 3576 svchost.exe 45 PID 3576 wrote to memory of 3852 3576 svchost.exe 45 PID 3576 wrote to memory of 3852 3576 svchost.exe 45 PID 3576 wrote to memory of 3852 3576 svchost.exe 45 PID 3576 wrote to memory of 3852 3576 svchost.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe"C:\Users\Admin\AppData\Local\Temp\6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1356
-
-
C:\Windows\Mc.exeC:\Windows\Mc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe2⤵
- Deletes itself
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\SysWOW64\msiexec.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3852
-
-