Analysis
- max time kernel: 176s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 11-06-2022 22:52

Static task: static1
Behavioral task: behavioral1
- Sample: 2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
- Resource: win7-20220414-en
General
- Target: 2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
- Size: 290KB
- MD5: e64c67b5d78a53909bfadfbf781162e9
- SHA1: aa5582e0420bd0e5905537233b94f145e039a2c6
- SHA256: 2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a
- SHA512: 8ede7ecbaa13b99276ee46fa2beeb1fa06ee2f3a5a86b3a4b8ff16f99d4e2904f035914a4b091fbe87beab72645c35cd0ae76a65757045e87f27122e2e633a77
Malware Config
Signatures
- Detects PlugX Payload (6 IoCs)
  yara_rule family_plugx matched in the following resources:
  behavioral2/memory/3112-140-0x00000000020D0000-0x000000000210F000-memory.dmp
  behavioral2/memory/4912-143-0x0000000000640000-0x000000000067F000-memory.dmp
  behavioral2/memory/3824-145-0x00000000008B0000-0x00000000008EF000-memory.dmp
  behavioral2/memory/3824-146-0x00000000008B0000-0x00000000008EF000-memory.dmp
  behavioral2/memory/1448-148-0x0000000002A20000-0x0000000002A5F000-memory.dmp
  behavioral2/memory/1448-149-0x0000000002A20000-0x0000000002A5F000-memory.dmp
- Executes dropped EXE (2 IoCs)
  pid 3112  TPLCDCLR.EXE
  pid 4912  TPLCDCLR.EXE
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
  Process: 2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
- Loads dropped DLL (2 IoCs)
  pid 3112  TPLCDCLR.EXE
  pid 4912  TPLCDCLR.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\CLASSES\FAST (process: svchost.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 32003300450045004400420041003100340035003600440034003100350034000000 (UTF-16LE string "23EEDBA1456D4154") (process: svchost.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3824  svchost.exe  (14 entries)
  pid 1448  msiexec.exe  (50 entries)
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 3824  svchost.exe
  pid 1448  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege  pid 3112  TPLCDCLR.EXE
  Token: SeTcbPrivilege    pid 3112  TPLCDCLR.EXE
  Token: SeDebugPrivilege  pid 4912  TPLCDCLR.EXE
  Token: SeTcbPrivilege    pid 4912  TPLCDCLR.EXE
  Token: SeDebugPrivilege  pid 3824  svchost.exe
  Token: SeTcbPrivilege    pid 3824  svchost.exe
  Token: SeDebugPrivilege  pid 1448  msiexec.exe
  Token: SeTcbPrivilege    pid 1448  msiexec.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 2616 (2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe) wrote to memory of 3112, procid_target 79  (3 entries)
  PID 4912 (TPLCDCLR.EXE) wrote to memory of 3824, procid_target 82  (8 entries)
  PID 3824 (svchost.exe) wrote to memory of 1448, procid_target 83  (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2443cfea2a2de60fe321282643231993f8c3960066509d004da95c901566757a.exe"
  PID: 2616
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\TPLCDCLR.EXE"
    PID: 3112
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE
  Command line: "C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\TPLCDCLR.EXE"
  PID: 4912
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\svchost.exe 201 0
    PID: 3824
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      Command line: C:\Windows\system32\msiexec.exe 209 3824
      PID: 1448
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 37KB
  MD5: d9978f95ce30e85943efb52c9c7d731b
  SHA1: a64bb28c87c4e41be56a9bb3b887c53051eb1db5
  SHA256: 69c2c1733dd95f16a1e89869ec05a618c27df1e7e86a51884abcdeb709eb3d45
  SHA512: 766a222e9f6fc9acafd2bbf72fdf44bb486d394cbd8751d487d47e828760240b1b945775efd17e77ca6b163e9e1f140f4612715b63b390cdf86e20325112124c
- Filesize: 147KB
  MD5: 5ce1c050fb6370e5cf997313abba9947
  SHA1: 6751978299e9b956da914a5110438b6b262dcb75
  SHA256: ab927653e27e3374aa97eb9bfdacb011a7664d930e6f356512c5ae9582c2cfe5
  SHA512: e6ce9bf2392fb9610efdfa0abb460b8031cef020ffed2b4cae9b609631f0fba5ae18ea311dc8f94aa5f46a4dbac9064186b5a0648459504256a7fb17ad8c3061
- Filesize: 78KB
  MD5: be59ff05b96b7bb251dd77932b71bbc1
  SHA1: 28a4a3be8606aea4f46761238d99fa4d7a96354e
  SHA256: c8dd154950db3401b2e91c6a535b2f0f8853bc188e31f9d91c96bf31cebd1251
  SHA512: 2e06ad4dac78bd08d8c0b9925455662900bc6cf71df70ce478d18bc4cb273ab6fd15eedaa563c646001765a1a8878b752748abc1ea6c43a1acdf32a76c524050