Analysis Overview
SHA256
8bd9dfcfd59b0e2073caf8c0fc8740a01f8c7eabb6239a9b714d3b41a3793b95
Threat Level: Known bad
The file 8bd9d.exe was found to be: Known bad.
Malicious Activity Summary
PlugX
PlugX Rat Payload
Executes dropped EXE
Deletes itself
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-29 08:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-29 08:17
Reported
2022-03-29 08:19
Platform
win7-20220311-en
Max time kernel
4294128s
Max time network
68s
Command Line
Signatures
PlugX
PlugX Rat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Packages\vcredist_x64.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004100430032004500460043004400310033003400340031004400370039000000 | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Packages\vcredist_x64.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Packages\vcredist_x64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8bd9d.exe
"C:\Users\Admin\AppData\Local\Temp\8bd9d.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 100 1956
C:\ProgramData\Packages\vcredist_x64.exe
"C:\ProgramData\Packages\vcredist_x64.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 632 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cxks8.com | udp |
| HK | 103.140.238.72:50000 | cxks8.com | udp |
Files
memory/1956-54-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1956-55-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1956-56-0x0000000000350000-0x000000000036D000-memory.dmp
memory/1956-57-0x0000000074F31000-0x0000000074F33000-memory.dmp
memory/580-58-0x0000000000080000-0x0000000000081000-memory.dmp
memory/580-61-0x00000000000F0000-0x000000000010C000-memory.dmp
memory/580-64-0x0000000000000000-mapping.dmp
memory/1956-66-0x00000000003C0000-0x00000000003EE000-memory.dmp
C:\ProgramData\Packages\vcredist_x64.exe
| MD5 | 99ee1e21a34b0536b120d4a6977fd252 |
| SHA1 | 24c50b507febd6e2b81154d3d80401dd9207e3e1 |
| SHA256 | 8bd9dfcfd59b0e2073caf8c0fc8740a01f8c7eabb6239a9b714d3b41a3793b95 |
| SHA512 | 03cafd628d19cda98db021fb009500105906617ab414c9ba6087c693cacdb36159d1973d21af2b275da136dbb10157f97c243ca1ae7ea198ae99d74427e26408 |
memory/536-69-0x0000000000400000-0x0000000000473000-memory.dmp
memory/632-78-0x0000000000000000-mapping.dmp
memory/536-80-0x00000000002C0000-0x00000000002EE000-memory.dmp
memory/580-81-0x0000000000210000-0x000000000023E000-memory.dmp
memory/632-82-0x00000000003D0000-0x00000000003FE000-memory.dmp
memory/1180-89-0x0000000000000000-mapping.dmp
memory/1180-91-0x0000000000810000-0x000000000083E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-29 08:17
Reported
2022-03-29 08:19
Platform
win10v2004-20220310-en
Max time kernel
60s
Max time network
63s
Command Line
Signatures
PlugX
PlugX Rat Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Packages\vcredist_x64.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33003400390044003100430032003300310031003600410044004400340046000000 | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8bd9d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Packages\vcredist_x64.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Packages\vcredist_x64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8bd9d.exe
"C:\Users\Admin\AppData\Local\Temp\8bd9d.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 100 3428
C:\ProgramData\Packages\vcredist_x64.exe
"C:\ProgramData\Packages\vcredist_x64.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 620 1
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | N/A | tcp |
| US | 8.8.8.8:53 | cxks8.com | udp |
| HK | 103.140.238.72:50000 | cxks8.com | udp |
| IE | 20.50.80.210:443 | N/A | tcp |
Files
memory/3428-134-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3428-135-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3428-136-0x0000000002250000-0x000000000226D000-memory.dmp
memory/1884-137-0x0000000000000000-mapping.dmp
memory/3428-138-0x00000000022C0000-0x00000000022EE000-memory.dmp
memory/1884-139-0x0000000000CC0000-0x0000000000CEE000-memory.dmp
C:\ProgramData\Packages\vcredist_x64.exe
| MD5 | 99ee1e21a34b0536b120d4a6977fd252 |
| SHA1 | 24c50b507febd6e2b81154d3d80401dd9207e3e1 |
| SHA256 | 8bd9dfcfd59b0e2073caf8c0fc8740a01f8c7eabb6239a9b714d3b41a3793b95 |
| SHA512 | 03cafd628d19cda98db021fb009500105906617ab414c9ba6087c693cacdb36159d1973d21af2b275da136dbb10157f97c243ca1ae7ea198ae99d74427e26408 |
memory/2308-143-0x0000000000400000-0x0000000000473000-memory.dmp
memory/620-145-0x0000000000000000-mapping.dmp
memory/2308-146-0x0000000000E40000-0x0000000000E6E000-memory.dmp
memory/620-147-0x00000000015E0000-0x000000000160E000-memory.dmp
memory/3448-148-0x0000000000000000-mapping.dmp
memory/3448-149-0x0000000000C20000-0x0000000000C4E000-memory.dmp