Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24-05-2022 03:18

Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe
- Resource: win7-20220414-en

(The signature hits below reference behavioral2 memory paths, consistent with the windows10-2004_x64 / win10v2004-20220414-en run listed above rather than the win7 resource in the task table.)
General
- Target: 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe
- Size: 327KB
- MD5: c48cdf2ce519307358ead3512e31f264
- SHA1: 47ac40fe2bee7931c15450ec7e2c556d15fa5149
- SHA256: 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096
- SHA512: fbb6b5f776b3853827b780516ba71a394a84845f0c51a1370c3d834db18cf91341edb87a1e0af8c9be550790b64bf192c2ed1ce57e343e32e03740c0a54e4446
Malware Config
Signatures
Detects PlugX Payload (5 IoCs)
  resource | yara_rule
  behavioral2/memory/2184-149-0x0000000002300000-0x000000000232C000-memory.dmp | family_plugx
  behavioral2/memory/1580-148-0x0000000000900000-0x000000000092C000-memory.dmp | family_plugx
  behavioral2/memory/1880-150-0x0000000001180000-0x00000000011AC000-memory.dmp | family_plugx
  behavioral2/memory/1776-147-0x0000000000EC0000-0x0000000000EEC000-memory.dmp | family_plugx
  behavioral2/memory/4780-152-0x0000000002AD0000-0x0000000002AFC000-memory.dmp | family_plugx
  Every flagged region is 0x2C000 bytes (176KB): one in each of the three hkcmd.exe instances (PIDs 2184, 1580, 1776) and one in each of the two system processes they write to, svchost.exe (1880) and msiexec.exe (4780). The same decrypted PlugX payload is therefore present in memory at every stage of the chain.
Executes dropped EXE (3 IoCs)
  pid | process
  2184 | hkcmd.exe
  1580 | hkcmd.exe
  1776 | hkcmd.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe
Loads dropped DLL (3 IoCs)
  pid | process
  2184 | hkcmd.exe
  1580 | hkcmd.exe
  1776 | hkcmd.exe
  The signature does not name the module, but the only dropped DLL in this report is hccutils.dll, written next to hkcmd.exe in both RarSFX0 and C:\ProgramData\Replicat (see Downloads).
Enumerates physical storage devices (1 TTP)
The sandbox's stock description for this signature is "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." Nothing else in this report supports ransomware (no bulk file writes, no encryption activity, no ransom note); with a PlugX payload detected in memory, drive enumeration is better read as host reconnaissance than as encryption staging.
Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32003300450043003500420032004600340031003000440045003800380033000000 | svchost.exe
  The value data is a NUL-terminated UTF-16LE string (every second byte is 0x00) and decodes to 23EC5B2F410DE883, a 16-hex-digit identifier. The report does not say what it is derived from; treat both the key path HKLM\Software\Classes\FAST and a CLSID value of this shape as host artifacts worth sweeping for.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process | events
  1880 | svchost.exe | 14
  4780 | msiexec.exe | 50
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid | process
  1880 | svchost.exe
  4780 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
  token | pid | process
  SeDebugPrivilege | 2184 | hkcmd.exe
  SeTcbPrivilege | 2184 | hkcmd.exe
  SeDebugPrivilege | 1580 | hkcmd.exe
  SeTcbPrivilege | 1580 | hkcmd.exe
  SeDebugPrivilege | 1776 | hkcmd.exe
  SeTcbPrivilege | 1776 | hkcmd.exe
  SeDebugPrivilege | 1880 | svchost.exe
  SeTcbPrivilege | 1880 | svchost.exe
  SeDebugPrivilege | 4780 | msiexec.exe
  SeTcbPrivilege | 4780 | msiexec.exe
  Every stage enables SeDebugPrivilege, which is what lets it open and write other processes (the WriteProcessMemory events below), and SeTcbPrivilege, which a normal user-mode application has no reason to request.
Suspicious use of WriteProcessMemory (19 IoCs)
  pid | process | target pid | target process | events
  1524 | 12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe | 2184 | hkcmd.exe | 3
  1776 | hkcmd.exe | 1880 | svchost.exe | 8
  1880 | svchost.exe | 4780 | msiexec.exe | 8
  Read together with the YARA hits, this is the injection chain: the installed hkcmd.exe (1776) writes the payload into a freshly started svchost.exe (1880), which in turn writes it into msiexec.exe (4780); both targets then carry the 176KB PlugX region in memory.
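The "Modifies registry class" signature above renders the REG_BINARY data as a hex string. The following added example (not the sandbox's or the sample's code) decodes that rendering back into the text PlugX stored, and parses the report's own "Set value (data)" line so the same check can be run over other reports. The only input is the line copied from this page; the regex for the report line format is my assumption about how such lines are laid out.

```python
"""Decode the binary value written under HKLM\\Software\\Classes\\FAST.

Added example, not the sandbox's or the sample's code. The only input is the
'Set value (data)' line as it appears in the report above; the registry
never has to be read.
"""
import binascii
import re
from typing import Tuple

# Copied from the report's "Modifies registry class" signature.
REPORT_LINE = (r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = "
               "32003300450043003500420032004600340031003000440045003800380033000000")

# Assumed layout of a report line: "Set value (data) <key\\name> = <hex bytes>".
_SET_VALUE = re.compile(r"Set value \(data\) (\S+) = ([0-9A-Fa-f]+)")


def decode_utf16le_hex(hex_data: str) -> str:
    """Hex rendering of REG_BINARY bytes -> text, assuming a NUL-terminated
    UTF-16LE string (every second byte of the report value is 0x00, which is
    what ASCII text stored as UTF-16LE looks like). Raises on invalid input
    rather than guessing."""
    raw = binascii.unhexlify(hex_data)
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16LE")
    text = raw.decode("utf-16-le")
    return text.split("\x00", 1)[0]


def is_16_hex_digits(text: str) -> bool:
    """Shape of the observed identifier: 16 upper-case hex digits (64 bits)."""
    return len(text) == 16 and all(c in "0123456789ABCDEF" for c in text)


def parse_set_value_line(line: str) -> Tuple[str, str, str]:
    """Split a report 'Set value (data)' line into (key path, value name, decoded text)."""
    m = _SET_VALUE.search(line)
    if not m:
        raise ValueError("not a Set value (data) line")
    key, name = m.group(1).rsplit("\\", 1)
    return key, name, decode_utf16le_hex(m.group(2))


if __name__ == "__main__":
    key, name, value = parse_set_value_line(REPORT_LINE)
    print(key, name, value, is_16_hex_digits(value))
```

Running it prints the key path, the value name CLSID and the decoded identifier 23EC5B2F410DE883. When sweeping hosts, compare the shape (16 hex digits under HKLM\Software\Classes\FAST\CLSID) rather than the exact value, since the identifier is unlikely to be the same on another machine.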
Processes
- C:\Users\Admin\AppData\Local\Temp\12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe (PID 1524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe (PID 2184, child of the sample)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\svchost.exe (PID 1880)
  Command line: C:\Windows\system32\svchost.exe 201 0
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 4780, child of svchost.exe)
    Command line: C:\Windows\system32\msiexec.exe 209 1880
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Replicat\hkcmd.exe
  Command line: "C:\ProgramData\Replicat\hkcmd.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\ProgramData\Replicat\hkcmd.exe
  Command line: "C:\ProgramData\Replicat\hkcmd.exe" 100 2184
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The two C:\ProgramData\Replicat\hkcmd.exe instances are PIDs 1580 and 1776 (from "Executes dropped EXE"); the report does not show which command line belongs to which PID.
- The tree places svchost.exe and the Replicat copies at top level, but the WriteProcessMemory events link them into one chain: 1524 (sample) writes into 2184 (RarSFX0\hkcmd.exe); 1776 (Replicat\hkcmd.exe) writes into 1880 (svchost.exe); 1880 writes into 4780 (msiexec.exe).
- The numeric arguments carry a stage number and a PID: "100 2184" names the RarSFX0 hkcmd.exe, and "209 1880" names the svchost.exe host. svchost.exe and msiexec.exe run with no "-k" group or MSI switches at all, which never happens for the genuine services.
- The image path is C:\Windows\SysWOW64\ while the command line says C:\Windows\system32\: a 32-bit process asking for system32 is redirected by WoW64 file-system redirection, so the whole chain is 32-bit.
- The dropped set of hkcmd.exe, hccutils.dll and hccutils.dll.res is the executable-plus-DLL-plus-encrypted-payload layout typical of PlugX DLL side-loading: hkcmd.exe is the program that loads the dropped hccutils.dll ("Loads dropped DLL"). The report itself shows no signer information for hkcmd.exe.
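The process tree above is what a hunt rule should key on: a service host started with bare numbers instead of a "-k" group, msiexec.exe spawned from that host, hkcmd.exe executing from a staging directory, and command lines whose last argument is the PID of an earlier stage. The following added example (not the sandbox's or the sample's code) encodes those four rules and runs them over process-creation records constructed from this report. The parent PIDs of explorer.exe and services.exe, the PID-to-command-line mapping for the two Replicat hkcmd.exe instances, and System32 as the home of the legitimate hkcmd.exe are assumptions.

```python
"""Hunt rules for the PlugX launch chain in the report above.

Added example; neither the sandbox's nor the sample's code. EVENTS is built
from the report's process list; parents not stated in the report (explorer.exe
900, services.exe 600, the two Replicat hkcmd.exe instances) are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process (Sysmon Image)
    cmdline: str       # CommandLine as logged
    parent_image: str  # ParentImage


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\12d59477048b530ad04242c8c8849b283051e71e02e136829b6e4152d144d096.exe"
HKCMD_TMP = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
HKCMD_PD = r"C:\ProgramData\Replicat\hkcmd.exe"

# Constructed records mirroring the report; the first one is a benign control.
EVENTS: List[ProcEvent] = [
    ProcEvent(1200, 600, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe"),
    ProcEvent(1524, 900, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2184, 1524, HKCMD_TMP, f'"{HKCMD_TMP}"', SAMPLE),
    ProcEvent(1580, 2184, HKCMD_PD, f'"{HKCMD_PD}" 200 0', HKCMD_TMP),    # PID/parent assumed
    ProcEvent(1776, 1580, HKCMD_PD, f'"{HKCMD_PD}" 100 2184', HKCMD_PD),  # PID/parent assumed
    ProcEvent(1880, 1776, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\system32\svchost.exe 201 0", HKCMD_PD),
    ProcEvent(4780, 1880, r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe 209 1880", r"C:\Windows\SysWOW64\svchost.exe"),
]

# First token is the image (quoted or not); the remainder are the arguments.
_IMAGE_TOKEN = re.compile(r'^(?:"[^"]*"|\S+)\s*(.*)$')


def numeric_args(cmdline: str) -> Optional[List[int]]:
    """Return the arguments as ints when every argument is a bare decimal
    number, else None. The PlugX stages here run as '<exe> <stage> <pid>'."""
    m = _IMAGE_TOKEN.match(cmdline.strip())
    rest = m.group(1).split() if m else []
    if not rest or not all(t.isdigit() for t in rest):
        return None
    return [int(t) for t in rest]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every record that matches at least one rule."""
    live_pids = {e.pid for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        name, parent = _basename(e.image), _basename(e.parent_image)
        reasons: List[str] = []
        # Rule 1: genuine svchost.exe is started by services.exe with a '-k <group>'.
        if name == "svchost.exe" and ("-k" not in e.cmdline.lower().split() or parent != "services.exe"):
            reasons.append("svchost.exe without -k group or not started by services.exe")
        # Rule 2: msiexec.exe as a child of svchost.exe (the injected host in this chain).
        if name == "msiexec.exe" and parent == "svchost.exe":
            reasons.append("msiexec.exe spawned by svchost.exe")
        # Rule 3: hkcmd.exe outside System32 (assumed legitimate location) means side-loading staging.
        if name == "hkcmd.exe" and not e.image.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("hkcmd.exe running outside System32")
        # Rule 4: all-numeric arguments whose last value is a PID seen in the same batch.
        nums = numeric_args(e.cmdline)
        if nums is not None:
            reasons.append("numeric-only command line")
            if nums[-1] in live_pids and nums[-1] != e.pid:
                reasons.append(f"last argument {nums[-1]} is the PID of another process in the chain")
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in sorted(hunt(EVENTS).items()):
        print(pid, "->", "; ".join(why))
```

Rule 4 is the one that generalises beyond these file names: it needs no hash or path, only that a process was handed another live process's PID as a bare number, which is how each PlugX stage here tells the next which predecessor to clean up. Rules 1 and 2 fire on the benign-looking hosts that carry the YARA hits, so a detection on either should trigger a memory capture of that PID.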
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files. The report lists three unique files, each written to more than one path; identical entries are merged here with the number of times each path appears.

hkcmd.exe (169KB)
- MD5: 0d58e5f4e82539de38ba7f9b4a8dda12
- SHA1: dd0f39f4d77e1bb347321aa22b5a9d5c1cc65342
- SHA256: e2c6ec8ea8da05b23327c1d0e350e219c4823d41c2ed98bae9bd2d9b48b8613d
- SHA512: 149c5dcb225829744d632d9c118427c5074d0413246b6e08470cac2aeffdf25504007b98219d6b2b454a20069065168c4c21ad4d9d926d98ab97c45585f37ee3
- Paths: C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe (listed twice); C:\ProgramData\Replicat\hkcmd.exe (listed three times)

hccutils.dll (42KB)
- MD5: 58c11dd3a9f257869bc362c7a5bc85f1
- SHA1: b0760b148581c43b3b2b828f39c96eb7f83e7498
- SHA256: 2bda8230b5f1afc3e9d8c5f2c0845a6964559b7dc7daf8ecefa306a57e628c52
- SHA512: da9fd3851ab015f9864109d3e7bb4ade3a4024650c7db23a9310ed8d0aa742502506b630b2f61863fbf86ceb859a1d06931ec097d6a43e224a19e98dc43118ea
- Paths: C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL; C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll; C:\ProgramData\Replicat\hccutils.DLL; C:\ProgramData\Replicat\hccutils.dll (listed twice)

hccutils.DLL.res (110KB)
- MD5: 824ee49166f2cfb45c573434fb588dde
- SHA1: 3fbb6160d9ba5a8a3688eaeaed7e43127ac16fb6
- SHA256: ec0351014319f6631082e36a773d72f4fd04a346ec0ca6299b118d0cafacbafc
- SHA512: ae2ea934e0f3f7753a3f2d716da467150ae31acf945dea0d3eb8e8b7b904b8aa0b64c66097a33ff5e4093175234bfe54db7f0a54b7a61a092b64680c7dd9cf41
- Paths: C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.res; C:\ProgramData\Replicat\hccutils.DLL.res

Memory dumps
- memory/1580-148-0x0000000000900000-0x000000000092C000-memory.dmp (176KB)
- memory/1776-147-0x0000000000EC0000-0x0000000000EEC000-memory.dmp (176KB)
- memory/1880-146-0x0000000000000000-mapping.dmp
- memory/1880-150-0x0000000001180000-0x00000000011AC000-memory.dmp (176KB)
- memory/2184-130-0x0000000000000000-mapping.dmp
- memory/2184-149-0x0000000002300000-0x000000000232C000-memory.dmp (176KB)
- memory/2184-136-0x00000000021D0000-0x00000000022D0000-memory.dmp (1024KB)
- memory/4780-151-0x0000000000000000-mapping.dmp
- memory/4780-152-0x0000000002AD0000-0x0000000002AFC000-memory.dmp (176KB)

The five 176KB dumps are exactly the regions matched by the family_plugx YARA rule above; the 1024KB region in 2184 and the three mapping dumps were captured but not matched.