Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 00:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe
- Resource: win7-20220414-en
General
- Target: 8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe
- Size: 340KB
- MD5: b2dc23e3ac76194e9ad5aee22b35267f
- SHA1: 98ab0d3125556c7fd2cc5e1ac95f8e53e1598c2e
- SHA256: 8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d
- SHA512: f4bf84930d6d5ae1da8624be63d3d6cea2b94eda3a09dfc978a3e0556d7e077052bc03ea1195a50f6037a5c36567a8656d519f7f1d6e36482487caf5854cc86d
Malware Config
Signatures
- Detects PlugX Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4968-143-0x00000000017A0000-0x00000000017F1000-memory.dmp | family_plugx
  behavioral2/memory/3608-144-0x00000000028B0000-0x0000000002901000-memory.dmp | family_plugx
  behavioral2/memory/2320-150-0x00000000012D0000-0x0000000001321000-memory.dmp | family_plugx
  behavioral2/memory/2416-152-0x0000000002EC0000-0x0000000002F11000-memory.dmp | family_plugx
- Executes dropped EXE (3 IoCs)
  pid | process
  3608 | NvSmartMaxAPP.exe
  4968 | NvSmartMaxAPP.exe
  4252 | check_run_environment.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  3608 | NvSmartMaxAPP.exe
  4968 | NvSmartMaxAPP.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  pid | process
  5112 | taskkill.exe
- Modifies data under HKEY_USERS (22 IoCs)
- Modifies registry class (2 IoCs)
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003900440039003500360032004500340036003300350036003700410036000000 | svchost.exe
  Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  2320 | svchost.exe
  2416 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3608 | NvSmartMaxAPP.exe
  Token: SeTcbPrivilege | 3608 | NvSmartMaxAPP.exe
  Token: SeDebugPrivilege | 4968 | NvSmartMaxAPP.exe
  Token: SeTcbPrivilege | 4968 | NvSmartMaxAPP.exe
  Token: SeTcbPrivilege | 4252 | check_run_environment.exe
  Token: SeDebugPrivilege | 4252 | check_run_environment.exe
  Token: SeDebugPrivilege | 2320 | svchost.exe
  Token: SeTcbPrivilege | 2320 | svchost.exe
  Token: SeDebugPrivilege | 5112 | taskkill.exe
  Token: SeDebugPrivilege | 2416 | msiexec.exe
  Token: SeTcbPrivilege | 2416 | msiexec.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe
  Command line: "C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\TEMP\check_run_environment.exe
    Command line: "C:\Windows\TEMP\check_run_environment.exe" "jhi_service"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im check_run_environment.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe 201 0
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe 209 2320
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMax.dll
  Filesize: 4KB
  MD5: c62c4b09c8543821e0ff2213c633f5e5
  SHA1: ff59b219fa140c48536d79a9a73027d4acf40bc9
  SHA256: 5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c
  SHA512: 8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e
- C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.Config
  Filesize: 212KB
  MD5: cdbf515d885c303ff2b2c6cf182fa19b
  SHA1: 9bc67dd9f4718f0dd3a995b5a41eac788f8ae76b
  SHA256: 3203294c334b0cc5db4e2bf09fdab1dc9bbcb6f536cef4db5c9ae275c0ac569c
  SHA512: d8a4c196ff9cf708fe394519b27d4ed1b156b03ab43d1aae11b5ec49c557e9b6332194f74671010ab778beea39db3fcd78b8a98e9e4ed2fcc5360226d1e9f359
- C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe
  Filesize: 60KB
  MD5: 4e3cae0eda4c873b0afdb803ea981a0d
  SHA1: 06ddb2a4a1c4d119efeed10147666afa0c4eda25
  SHA256: 11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e
  SHA512: c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
  Filesize: 4KB
  MD5: c62c4b09c8543821e0ff2213c633f5e5
  SHA1: ff59b219fa140c48536d79a9a73027d4acf40bc9
  SHA256: 5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c
  SHA512: 8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.Config
  Filesize: 212KB
  MD5: cdbf515d885c303ff2b2c6cf182fa19b
  SHA1: 9bc67dd9f4718f0dd3a995b5a41eac788f8ae76b
  SHA256: 3203294c334b0cc5db4e2bf09fdab1dc9bbcb6f536cef4db5c9ae275c0ac569c
  SHA512: d8a4c196ff9cf708fe394519b27d4ed1b156b03ab43d1aae11b5ec49c557e9b6332194f74671010ab778beea39db3fcd78b8a98e9e4ed2fcc5360226d1e9f359
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
  Filesize: 60KB
  MD5: 4e3cae0eda4c873b0afdb803ea981a0d
  SHA1: 06ddb2a4a1c4d119efeed10147666afa0c4eda25
  SHA256: 11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e
  SHA512: c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431
- C:\Windows\TEMP\check_run_environment.exe
  Filesize: 11KB
  MD5: 6622918d92a44e67175f7aeb3fcb5a05
  SHA1: 0b226563fa229783bea7aa27e28f908967c729e6
  SHA256: b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c
  SHA512: 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe
- memory/2320-150-0x00000000012D0000-0x0000000001321000-memory.dmp (Filesize: 324KB)
- memory/2320-149-0x0000000000000000-mapping.dmp
- memory/2416-152-0x0000000002EC0000-0x0000000002F11000-memory.dmp (Filesize: 324KB)
- memory/2416-151-0x0000000000000000-mapping.dmp
- memory/3608-140-0x0000000000CD0000-0x0000000000D06000-memory.dmp (Filesize: 216KB)
- memory/3608-144-0x00000000028B0000-0x0000000002901000-memory.dmp (Filesize: 324KB)
- memory/3608-130-0x0000000000000000-mapping.dmp
- memory/4252-145-0x0000000000000000-mapping.dmp
- memory/4968-142-0x00000000016B0000-0x00000000016E6000-memory.dmp (Filesize: 216KB)
- memory/4968-143-0x00000000017A0000-0x00000000017F1000-memory.dmp (Filesize: 324KB)
- memory/5112-148-0x0000000000000000-mapping.dmp