Analysis

  • max time kernel
    194s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25/06/2022, 17:36

General

  • Target

    5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe

  • Size

    427KB

  • MD5

    cfe882ba290b6bd30bff5848c20554a5

  • SHA1

    ceb839a8c04c75844cab7b18916234f7cd093157

  • SHA256

    5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201

  • SHA512

    c3dd4139b7a0d4192c0c1f5a096a3cfdc59414ce40a8cb52d2ade2bdc966e0678a591bdf25368bbf8173dff7b4d5cce3c0063a0f945302109294e507ab64f509

Score
10/10

Malware Config

Signatures

  • Detects PlugX Payload 6 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe
    "C:\Users\Admin\AppData\Local\Temp\5fee52bdb2265e87cf37ed28f4e3f63c99646d8c64e23219d4573dae52f1e201.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
  • C:\ProgramData\AVck\hkcmd.exe
    C:\ProgramData\AVck\hkcmd.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3600
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1196

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\AVck\hccutils.DLL

    Filesize

    2KB

    MD5

    1b49645bc75c8353c1bf0d9feb3af7e5

    SHA1

    5684b5d6d42bf284cfd5537f0300371c3f006314

    SHA256

    87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

    SHA512

    b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

  • C:\ProgramData\AVck\hccutils.DLL.hcc

    Filesize

    122KB

    MD5

    1546b7616bea033524a81939983bc766

    SHA1

    e0a1751cdb7c0d3eb486ea70faeec13a0b352fb4

    SHA256

    034e116d7e575029461af32ddd04494d67a62d4fe929e779c51b34d106ebc5e6

    SHA512

    6c7c84f29fbd33e6c3ff6ec14ff1d860beee0bb03703b26798757e2706098f6bad7a245a201f5de82a12f77c394ef30931636abf5f6b71c0d1833d1dd53fc8cb

  • C:\ProgramData\AVck\hccutils.dll

    Filesize

    2KB

    MD5

    1b49645bc75c8353c1bf0d9feb3af7e5

    SHA1

    5684b5d6d42bf284cfd5537f0300371c3f006314

    SHA256

    87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

    SHA512

    b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

  • C:\ProgramData\AVck\hkcmd.exe

    Filesize

    169KB

    MD5

    23f2c3dbdb65c898a11e7f4ddc598a10

    SHA1

    cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

    SHA256

    a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

    SHA512

    0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL

    Filesize

    2KB

    MD5

    1b49645bc75c8353c1bf0d9feb3af7e5

    SHA1

    5684b5d6d42bf284cfd5537f0300371c3f006314

    SHA256

    87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

    SHA512

    b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.DLL.hcc

    Filesize

    122KB

    MD5

    1546b7616bea033524a81939983bc766

    SHA1

    e0a1751cdb7c0d3eb486ea70faeec13a0b352fb4

    SHA256

    034e116d7e575029461af32ddd04494d67a62d4fe929e779c51b34d106ebc5e6

    SHA512

    6c7c84f29fbd33e6c3ff6ec14ff1d860beee0bb03703b26798757e2706098f6bad7a245a201f5de82a12f77c394ef30931636abf5f6b71c0d1833d1dd53fc8cb

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hccutils.dll

    Filesize

    2KB

    MD5

    1b49645bc75c8353c1bf0d9feb3af7e5

    SHA1

    5684b5d6d42bf284cfd5537f0300371c3f006314

    SHA256

    87fd3a7ec2f818443ebc19df89c1f22f5cc44fa6d1a45c2482578d2d9e0b4533

    SHA512

    b979c7bd8174e2f7a09aba3df78143043d2682a6677084cbcca1eb6aced6627fea783e95b6f57ad418624049375fe17a350cffe32f27c5f1bc7c701b3189359e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hkcmd.exe

    Filesize

    169KB

    MD5

    23f2c3dbdb65c898a11e7f4ddc598a10

    SHA1

    cd3cc620c55dba7eaeb77a4fde5833b4ca115e9c

    SHA256

    a67de1db8d5b8134e4ba468cbb38274d1b36d7ade8f80c58e680650c68149677

    SHA512

    0e854e276c146cf90cea6db254e9741650336f77c31290502073f5c78fb9c8f6d1afdc67b913cd736e2330556440534e7422bdc072b482a5cdc4a5addee10c3a

  • memory/1196-148-0x0000000000790000-0x00000000007C1000-memory.dmp

    Filesize

    196KB

  • memory/1196-149-0x0000000000790000-0x00000000007C1000-memory.dmp

    Filesize

    196KB

  • memory/3600-145-0x0000000001830000-0x0000000001861000-memory.dmp

    Filesize

    196KB

  • memory/3600-146-0x0000000001830000-0x0000000001861000-memory.dmp

    Filesize

    196KB

  • memory/4100-144-0x00000000021B0000-0x00000000021E1000-memory.dmp

    Filesize

    196KB

  • memory/4448-142-0x0000000000D30000-0x0000000000E30000-memory.dmp

    Filesize

    1024KB

  • memory/4448-143-0x0000000000E60000-0x0000000000E91000-memory.dmp

    Filesize

    196KB