Malware Analysis Report

2024-10-19 02:31

Sample ID 220426-3lkvdaegb6
Target 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.bin
SHA256 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967
Tags plugx trojan upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 10/10

SHA256 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967

Threat Level: Known bad

The file 80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.bin was found to be: Known bad.

Malicious Activity Summary

plugx trojan upx

Detects PlugX Payload

PlugX

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Executes dropped EXE

Unexpected DNS network traffic destination

Loads dropped DLL

Drops file in System32 directory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-26 23:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-26 23:36

Reported

2022-04-26 23:40

Platform

win7-20220414-en

Max time kernel

266s

Max time network

263s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"

Signatures

Detects PlugX Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\temp\AROTutorial.exe N/A
N/A N/A C:\ProgramData\ARO\AROTutorial.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\62-be-27-1e-f8-7a C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a\WpadDecisionTime = 2092b2cbd759d801 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5} C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadDecisionTime = 2092b2cbd759d801 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-be-27-1e-f8-7a\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6F03467A-F5C4-4683-B8E7-6E3DCE6855C5}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\KET.FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 33003900380038004100310031003400380033003500360031003900320044000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\temp\AROTutorial.exe N/A
Token: SeTcbPrivilege N/A \??\c:\windows\temp\AROTutorial.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\ARO\AROTutorial.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\ARO\AROTutorial.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\userinit.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 1052 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 1052 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 1052 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 328 wrote to memory of 1728 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1728 wrote to memory of 584 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe

"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"

\??\c:\windows\temp\AROTutorial.exe

c:\windows\temp\AROTutorial.exe

C:\ProgramData\ARO\AROTutorial.exe

"C:\ProgramData\ARO\AROTutorial.exe" 600 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 601 0

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe 609 1728

Network

Country Destination Domain Proto
JP 108.61.182.34:443 tcp
N/A 10.127.255.255:63 udp
JP 108.61.182.34:443 tcp
JP 108.61.182.34:443 tcp
JP 108.61.182.34:443 udp
JP 108.61.182.34:80 tcp
JP 108.61.182.34:80 tcp
JP 108.61.182.34:80 tcp
JP 108.61.182.34:80 udp
JP 108.61.182.34:8080 tcp
JP 108.61.182.34:8080 tcp
JP 108.61.182.34:8080 tcp
JP 108.61.182.34:8080 udp

Files

memory/1064-55-0x0000000000000000-mapping.dmp

\Windows\Temp\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

C:\Windows\Temp\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

\??\c:\windows\temp\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

\Windows\Temp\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

\??\c:\windows\temp\aross.dat

MD5 60e04d5b3dae8bcd3cfa82d492088869
SHA1 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b
SHA256 c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4
SHA512 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

memory/1064-60-0x0000000076C81000-0x0000000076C83000-memory.dmp

\??\c:\windows\temp\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

C:\ProgramData\ARO\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

C:\ProgramData\ARO\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

\ProgramData\ARO\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

C:\ProgramData\ARO\aross.dat

MD5 60e04d5b3dae8bcd3cfa82d492088869
SHA1 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b
SHA256 c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4
SHA512 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

memory/1728-67-0x00000000000A0000-0x00000000000C2000-memory.dmp

memory/1728-69-0x0000000000000000-mapping.dmp

memory/328-71-0x0000000000230000-0x0000000000255000-memory.dmp

memory/328-72-0x0000000000420000-0x000000000045F000-memory.dmp

memory/1064-73-0x0000000000460000-0x000000000049F000-memory.dmp

memory/1728-74-0x0000000000080000-0x0000000000082000-memory.dmp

memory/1728-75-0x0000000000290000-0x00000000002CF000-memory.dmp

memory/584-78-0x0000000000000000-mapping.dmp

memory/584-80-0x0000000000650000-0x000000000068F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-26 23:36

Reported

2022-04-26 23:40

Platform

win10-20220414-en

Max time kernel

272s

Max time network

273s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"

Signatures

Detects PlugX Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\temp\AROTutorial.exe N/A
N/A N/A C:\ProgramData\ARO\AROTutorial.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\temp\AROTutorial.exe N/A
N/A N/A C:\ProgramData\ARO\AROTutorial.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 108.61.182.34 N/A N/A
Destination IP 108.61.182.34 N/A N/A
Destination IP 108.61.182.34 N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\KET.FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 45003500420034004200420030003300390033003900310039003300370031000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\temp\AROTutorial.exe N/A
Token: SeTcbPrivilege N/A \??\c:\windows\temp\AROTutorial.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\ARO\AROTutorial.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\ARO\AROTutorial.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\userinit.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 1492 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 1492 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 1076 wrote to memory of 1324 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 1324 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 1324 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 1324 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 1324 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 1324 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1076 wrote to memory of 1324 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1324 wrote to memory of 3932 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1324 wrote to memory of 3932 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1324 wrote to memory of 3932 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1324 wrote to memory of 3932 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1324 wrote to memory of 3932 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1324 wrote to memory of 3932 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 1324 wrote to memory of 3932 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe

"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"

\??\c:\windows\temp\AROTutorial.exe

c:\windows\temp\AROTutorial.exe

C:\ProgramData\ARO\AROTutorial.exe

"C:\ProgramData\ARO\AROTutorial.exe" 600 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 601 0

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe 609 1324

Network

Country Destination Domain Proto
JP 108.61.182.34:443 tcp
N/A 10.127.255.255:63 udp
JP 108.61.182.34:443 tcp
US 104.208.16.88:443 tcp
JP 108.61.182.34:443 udp
JP 108.61.182.34:80 tcp
JP 108.61.182.34:80 tcp
JP 108.61.182.34:80 udp
JP 108.61.182.34:8080 tcp
JP 108.61.182.34:8080 tcp
JP 108.61.182.34:8080 udp
JP 108.61.182.34:53 tcp
JP 108.61.182.34:53 tcp
JP 108.61.182.34:53 udp
JP 108.61.182.34:443 tcp
JP 108.61.182.34:443 tcp

Files

memory/3148-119-0x0000000000000000-mapping.dmp

C:\Windows\Temp\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

\??\c:\windows\temp\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

\??\c:\windows\temp\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

\Windows\Temp\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

\??\c:\windows\temp\aross.dat

MD5 60e04d5b3dae8bcd3cfa82d492088869
SHA1 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b
SHA256 c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4
SHA512 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

C:\ProgramData\ARO\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

C:\ProgramData\ARO\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

\ProgramData\ARO\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

C:\ProgramData\ARO\aross.dat

MD5 60e04d5b3dae8bcd3cfa82d492088869
SHA1 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b
SHA256 c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4
SHA512 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

memory/1324-130-0x0000000000000000-mapping.dmp

memory/1076-131-0x0000000000DD0000-0x0000000000E0F000-memory.dmp

memory/3148-133-0x0000000000510000-0x000000000065A000-memory.dmp

memory/1324-134-0x00000000034D0000-0x000000000350F000-memory.dmp

memory/3148-132-0x0000000002120000-0x000000000215F000-memory.dmp

memory/3932-135-0x0000000000000000-mapping.dmp

memory/3932-136-0x0000000000B60000-0x0000000000B9F000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-04-26 23:36

Reported

2022-04-26 23:40

Platform

win10v2004-20220414-en

Max time kernel

276s

Max time network

277s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"

Signatures

Detects PlugX Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\temp\AROTutorial.exe N/A
N/A N/A C:\ProgramData\ARO\AROTutorial.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\temp\AROTutorial.exe N/A
N/A N/A C:\ProgramData\ARO\AROTutorial.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 108.61.182.34 N/A N/A
Destination IP 108.61.182.34 N/A N/A
Destination IP 108.61.182.34 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\KET.FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\KET.FAST\CLSID = 34004100360035003700410039003000420034004500430031003400320037000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\temp\AROTutorial.exe N/A
Token: SeTcbPrivilege N/A \??\c:\windows\temp\AROTutorial.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\ARO\AROTutorial.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\ARO\AROTutorial.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\userinit.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\userinit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4796 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 4796 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 4796 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe \??\c:\windows\temp\AROTutorial.exe
PID 1148 wrote to memory of 2672 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1148 wrote to memory of 2672 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1148 wrote to memory of 2672 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1148 wrote to memory of 2672 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1148 wrote to memory of 2672 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1148 wrote to memory of 2672 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 1148 wrote to memory of 2672 N/A C:\ProgramData\ARO\AROTutorial.exe C:\Windows\SysWOW64\svchost.exe
PID 2672 wrote to memory of 4908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 2672 wrote to memory of 4908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 2672 wrote to memory of 4908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 2672 wrote to memory of 4908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 2672 wrote to memory of 4908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 2672 wrote to memory of 4908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe
PID 2672 wrote to memory of 4908 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\userinit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe

"C:\Users\Admin\AppData\Local\Temp\80deed939a520696968335d1bb2a9fcce7053c0156f679ba261824d0a2d44967.exe"

\??\c:\windows\temp\AROTutorial.exe

c:\windows\temp\AROTutorial.exe

C:\ProgramData\ARO\AROTutorial.exe

"C:\ProgramData\ARO\AROTutorial.exe" 600 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 601 0

C:\Windows\SysWOW64\userinit.exe

C:\Windows\system32\userinit.exe 609 2672

Network

Country Destination Domain Proto
JP 108.61.182.34:443 tcp
N/A 10.127.255.255:63 udp
JP 108.61.182.34:443 tcp
US 20.42.65.85:443 tcp
JP 108.61.182.34:443 udp
US 8.253.208.112:80 tcp
JP 108.61.182.34:80 tcp
US 8.253.208.112:80 tcp
US 204.79.197.203:80 tcp
JP 108.61.182.34:80 tcp
JP 108.61.182.34:80 udp
JP 108.61.182.34:8080 tcp
JP 108.61.182.34:8080 tcp
JP 108.61.182.34:8080 udp
JP 108.61.182.34:53 tcp
JP 108.61.182.34:53 tcp
JP 108.61.182.34:53 udp
JP 108.61.182.34:443 tcp
JP 108.61.182.34:443 tcp

Files

C:\Windows\Temp\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

memory/1560-130-0x0000000000000000-mapping.dmp

\??\c:\windows\temp\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

\??\c:\windows\temp\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

\??\c:\windows\temp\aross.dat

MD5 60e04d5b3dae8bcd3cfa82d492088869
SHA1 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b
SHA256 c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4
SHA512 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

C:\Windows\Temp\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

C:\ProgramData\ARO\AROTutorial.exe

MD5 64ff0a8730472e36e62ce29a20f61529
SHA1 6e8165999acf896e27db0da266a96189efd335e8
SHA256 18a98c2d905a1da1d9d855e86866921e543f4bf8621faea05eb14d8e5b23b60c
SHA512 46375849a493445f3ac1e757321a02d19822d79e866fac6ab19a99c01f0ec38e70b5c8eb6bf32ddef8d86f046b22a036ded4929a6a0b5b123261d9828b675c6d

C:\ProgramData\ARO\aross.dll

MD5 9b05caf01254dbd3389ab74d9932ed37
SHA1 7fe8de80c04124b84b800cd284173d86aabedb5e
SHA256 f78bf6711b6f3f24573f2a22804f33cec6741f3f2db449410fa37430021080ab
SHA512 8d35ceae212b203df810010ace168349c4f2488fcc8e0f08d998958b4ea3d120413bf625da729043a52b07e77ee39a2bf86128e3124293a47a9a71b59f30a28b

C:\ProgramData\ARO\aross.dat

MD5 60e04d5b3dae8bcd3cfa82d492088869
SHA1 4ccb79d805fd92db08269c2a5cbf40dd94fb1f3b
SHA256 c5dcd3073904fad5d9a8fe1026141a832e05c9ca03a88fee96587921f42773d4
SHA512 0b45cba9df6ec8e355ce412793d900142ee90c7bdc9d5a6e4d33dd48de40f027646344c70501ca914b250ca42a766c2d035152bf29d07bf913915a93f23312cb

memory/2672-141-0x0000000000000000-mapping.dmp

memory/1148-142-0x0000000000D20000-0x0000000000D45000-memory.dmp

memory/1148-143-0x0000000000DC0000-0x0000000000DFF000-memory.dmp

memory/1560-144-0x0000000002110000-0x000000000214F000-memory.dmp

memory/2672-145-0x0000000001670000-0x00000000016AF000-memory.dmp

memory/4908-146-0x0000000000000000-mapping.dmp

memory/4908-147-0x0000000000DC0000-0x0000000000DFF000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-04-26 23:36

Reported

2022-04-26 23:36

Platform

win11-20220223-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A