Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 03:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe
- Resource: win7-20220414-en
General
- Target: 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe
- Size: 327KB
- MD5: c48cdf2ce519307358ead3512e31f264
- SHA1: 47ac40fe2bee7931c15450ec7e2c556d15fa5149
- SHA256: 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096
- SHA512: fbb6b5f776b3853827b780516ba71a394a84845f0c51a1370c3d834db18cf91341edb87a1e0af8c9be550790b64bf192c2ed1ce57e343e32e03740c0a54e4446
Malware Config
Signatures
- Detects PlugX Payload (5 IoCs)
  YARA rule family_plugx matched in the following memory dumps:
  - behavioral1/memory/472-81-0x0000000000460000-0x000000000048C000-memory.dmp
  - behavioral1/memory/1832-83-0x0000000000280000-0x00000000002AC000-memory.dmp
  - behavioral1/memory/1324-82-0x00000000003D0000-0x00000000003FC000-memory.dmp
  - behavioral1/memory/1948-84-0x00000000001B0000-0x00000000001DC000-memory.dmp
  - behavioral1/memory/1808-89-0x0000000000250000-0x000000000027C000-memory.dmp
- suricata: ET MALWARE PlugX/Destory HTTP traffic
- suricata: ET MALWARE Possible PlugX Common Header Struct
- suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports (2)
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1324 hkcmd.exe
  - 1832 hkcmd.exe
  - 472 hkcmd.exe
- Loads dropped DLL (7 IoCs)
  Processes (pid, process):
  - 1880 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe (4 entries)
  - 1324 hkcmd.exe
  - 1832 hkcmd.exe
  - 472 hkcmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (1 IoC)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (svchost.exe)
- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\Software\CLASSES\FAST (svchost.exe)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 36004100330033003000310042003900450041003400330030004600430041000000 (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): all 64 recorded entries belong to the same two processes:
  - 1948 svchost.exe
  - 1808 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, SeTcbPrivilege - 1324 hkcmd.exe
  - Token: SeDebugPrivilege, SeTcbPrivilege - 1832 hkcmd.exe
  - Token: SeDebugPrivilege, SeTcbPrivilege - 472 hkcmd.exe
  - Token: SeDebugPrivilege, SeTcbPrivilege - 1948 svchost.exe
  - Token: SeDebugPrivilege, SeTcbPrivilege - 1808 msiexec.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description, pid, process, target process):
  - PID 1880 (12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe) wrote to memory of 1324 (hkcmd.exe): 7 entries
  - PID 472 (hkcmd.exe) wrote to memory of 1948 (svchost.exe): 9 entries
  - PID 1948 (svchost.exe) wrote to memory of 1808 (msiexec.exe): 12 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Replicat\hkcmd.exe
  Command line: "C:\ProgramData\Replicat\hkcmd.exe" 100 1324
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\system32\svchost.exe 201 0
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (child process)
    Command line: C:\Windows\system32\msiexec.exe 209 1948
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Replicat\hkcmd.exe
  Command line: "C:\ProgramData\Replicat\hkcmd.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The report records three distinct dropped files, each written under several paths (the same file is listed once per path or write event):

- hccutils.DLL
  Filesize: 42KB
  MD5: 58c11dd3a9f257869bc362c7a5bc85f1
  SHA1: b0760b148581c43b3b2b828f39c96eb7f83e7498
  SHA256: 2bda8230b5f1afc3e9d8c5f2c0845a6964559b7dc7daf8ecefa306a57e628c52
  SHA512: da9fd3851ab015f9864109d3e7bb4ade3a4024650c7db23a9310ed8d0aa742502506b630b2f61863fbf86ceb859a1d06931ec097d6a43e224a19e98dc43118ea
  Paths:
  - C:\ProgramData\Replicat\hccutils.DLL
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL
  - \ProgramData\Replicat\hccutils.dll (listed twice)
  - \Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll

- hccutils.DLL.res
  Filesize: 110KB
  MD5: 824ee49166f2cfb45c573434fb588dde
  SHA1: 3fbb6160d9ba5a8a3688eaeaed7e43127ac16fb6
  SHA256: ec0351014319f6631082e36a773d72f4fd04a346ec0ca6299b118d0cafacbafc
  SHA512: ae2ea934e0f3f7753a3f2d716da467150ae31acf945dea0d3eb8e8b7b904b8aa0b64c66097a33ff5e4093175234bfe54db7f0a54b7a61a092b64680c7dd9cf41
  Paths:
  - C:\ProgramData\Replicat\hccutils.DLL.res
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.res

- hkcmd.exe
  Filesize: 169KB
  MD5: 0d58e5f4e82539de38ba7f9b4a8dda12
  SHA1: dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342
  SHA256: e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d
  SHA512: 149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3
  Paths:
  - C:\ProgramData\Replicat\hkcmd.exe (listed twice)
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe (listed twice)
  - \Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe (listed four times)
Memory dumps (path, Filesize):
- memory/472-81-0x0000000000460000-0x000000000048C000-memory.dmp: 176KB
- memory/1324-59-0x0000000000000000-mapping.dmp
- memory/1324-82-0x00000000003D0000-0x00000000003FC000-memory.dmp: 176KB
- memory/1324-65-0x0000000000240000-0x0000000000340000-memory.dmp: 1024KB
- memory/1808-87-0x0000000000000000-mapping.dmp
- memory/1808-89-0x0000000000250000-0x000000000027C000-memory.dmp: 176KB
- memory/1832-83-0x0000000000280000-0x00000000002AC000-memory.dmp: 176KB
- memory/1880-54-0x0000000075A61000-0x0000000075A63000-memory.dmp: 8KB
- memory/1948-77-0x00000000000A0000-0x00000000000BA000-memory.dmp: 104KB
- memory/1948-79-0x0000000000000000-mapping.dmp
- memory/1948-84-0x00000000001B0000-0x00000000001DC000-memory.dmp: 176KB