plugx | fa62a1ea32407f9f4eb1548c8bba0576b17ea2645f71bf33353f866410fd4ef5

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20220414-en
submitted
13-07-2022 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe
Size

254KB
MD5

4485d8844b083564cf510271d90d7399
SHA1

769d564f9b895c8d07fee07733782c548e30267a
SHA256

fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f
SHA512

0f0e1eb3249e1a73ab51b08462dfd8871c9fe5db7b87090635a8b6930c830440a2a225c4e1ed5e8f596cea1672f65fcb1a383a47ea9e4133bde8cc9ed793efeb

Score

10^/10

plugx suricata trojan upx

Malware Config

Signatures

Detects PlugX payload 9 IoCs

resource	yara_rule
behavioral1/memory/1968-67-0x0000000000180000-0x00000000001AE000-memory.dmp	family_plugx
behavioral1/memory/1976-83-0x0000000000390000-0x00000000003BE000-memory.dmp	family_plugx
behavioral1/memory/1072-84-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/988-85-0x0000000000380000-0x00000000003AE000-memory.dmp	family_plugx
behavioral1/memory/1800-90-0x0000000000220000-0x000000000024E000-memory.dmp	family_plugx
behavioral1/memory/1072-91-0x0000000000280000-0x00000000002AE000-memory.dmp	family_plugx
behavioral1/memory/1976-92-0x0000000000390000-0x00000000003BE000-memory.dmp	family_plugx
behavioral1/memory/988-93-0x0000000000380000-0x00000000003AE000-memory.dmp	family_plugx
behavioral1/memory/1800-94-0x0000000000220000-0x000000000024E000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
suricata: ET MALWARE PlugX CnC Beacon
suricata: ET MALWARE PlugX CnC Beacon
suricata
suricata: ET MALWARE PlugX/Destory HTTP traffic
suricata: ET MALWARE PlugX/Destory HTTP traffic
suricata
suricata: ET MALWARE Possible PlugX Common Header Struct
suricata: ET MALWARE Possible PlugX Common Header Struct
suricata
suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2
suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2
suricata

Blocklisted process makes network request 9 IoCs

flow	pid	Process
16	1800	msiexec.exe
17	1800	msiexec.exe
18	1800	msiexec.exe
25	1800	msiexec.exe
27	1800	msiexec.exe
28	1800	msiexec.exe
33	1800	msiexec.exe
35	1800	msiexec.exe
36	1800	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
1968	ktmhelp.exe
1976	ktmhelp.exe
1072	ktmhelp.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1160-58-0x0000000000400000-0x000000000047F000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1968	ktmhelp.exe

Loads dropped DLL 4 IoCs

pid	Process
1160	fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe
1968	ktmhelp.exe
1976	ktmhelp.exe
1072	ktmhelp.exe

Unexpected DNS network traffic destination 4 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	92.38.178.133
Destination IP	92.38.178.133
Destination IP	92.38.178.133
Destination IP	92.38.178.133

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	ktmhelp.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	dllhost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ	dllhost.exe

Modifies data under HKEY_USERS 60 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	ktmhelp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadDecision = "0"	ktmhelp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDecisionTime = a0dc965b2497d801	dllhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadDecisionTime = c0d45c6e2497d801	dllhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadNetworkName = "Network 2"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	ktmhelp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	dllhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDecisionTime = c0d45c6e2497d801	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	ktmhelp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadDecisionReason = "1"	ktmhelp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadNetworkName = "Network 2"	ktmhelp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDecision = "0"	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	dllhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	dllhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ktmhelp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ktmhelp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadDecisionTime = a0dc965b2497d801	ktmhelp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDecisionReason = "1"	dllhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	ktmhelp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ktmhelp.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ktmhelp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	ktmhelp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadDecisionReason = "1"	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\WpadDecision = "0"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	ktmhelp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a	ktmhelp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDecisionReason = "1"	ktmhelp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	dllhost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\d6-46-3b-0f-35-7a	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B10D3BC-B4DB-4BED-879C-D7BCA76675CC}\d6-46-3b-0f-35-7a	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDecision = "0"	dllhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDetectedUrl	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	ktmhelp.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	ktmhelp.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-46-3b-0f-35-7a\WpadDecisionTime = a0dc965b2497d801	ktmhelp.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	dllhost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44004600420034004200340046003400380043003000310041004400380043000000	ktmhelp.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	ktmhelp.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
988	dllhost.exe
1800	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	ktmhelp.exe
1968	ktmhelp.exe
988	dllhost.exe
988	dllhost.exe
988	dllhost.exe
988	dllhost.exe
1800	msiexec.exe
1800	msiexec.exe
1976	ktmhelp.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
988	dllhost.exe
988	dllhost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
988	dllhost.exe
988	dllhost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
988	dllhost.exe
988	dllhost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
988	dllhost.exe
988	dllhost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
988	dllhost.exe
988	dllhost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
988	dllhost.exe
988	dllhost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	ktmhelp.exe
Token: SeTcbPrivilege	1968	ktmhelp.exe
Token: SeDebugPrivilege	1976	ktmhelp.exe
Token: SeTcbPrivilege	1976	ktmhelp.exe
Token: SeDebugPrivilege	1072	ktmhelp.exe
Token: SeTcbPrivilege	1072	ktmhelp.exe
Token: SeDebugPrivilege	988	dllhost.exe
Token: SeTcbPrivilege	988	dllhost.exe
Token: SeDebugPrivilege	1800	msiexec.exe
Token: SeTcbPrivilege	1800	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1160	fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe
1160	fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1968	1160	fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe	28
PID 1160 wrote to memory of 1968	1160	fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe	28
PID 1160 wrote to memory of 1968	1160	fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe	28
PID 1160 wrote to memory of 1968	1160	fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe	28
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 1072 wrote to memory of 988	1072	ktmhelp.exe	32
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33
PID 988 wrote to memory of 1800	988	dllhost.exe	33

C:\Users\Admin\AppData\Local\Temp\fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe
"C:\Users\Admin\AppData\Local\Temp\fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
  C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 1968
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
"C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\system32\dllhost.exe 201 0
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 988
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\RoboForm.DLL

Filesize
74KB

MD5
ee1887696c8445caaaad13bdb39d5dba

SHA1
bc09e8530d2497befaeacbf4d50022181ffc59cc

SHA256
2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

SHA512
94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

Download Submit
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe

Filesize
96KB

MD5
0ba73a0db3913ba14be521f82c1b2c6c

SHA1
15920f9b5c190b70f927d18fa9d03793cb1f6332

SHA256
212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

SHA512
51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

Download Submit
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe

Filesize
96KB

MD5
0ba73a0db3913ba14be521f82c1b2c6c

SHA1
15920f9b5c190b70f927d18fa9d03793cb1f6332

SHA256
212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

SHA512
51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

Download Submit
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\update.log

Filesize
116KB

MD5
8c49d603e67e5933ff07216c80b0ed4b

SHA1
a31aaff7adccb8563a2f798816f9b211b774bf08

SHA256
6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c

SHA512
48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL

Filesize
74KB

MD5
ee1887696c8445caaaad13bdb39d5dba

SHA1
bc09e8530d2497befaeacbf4d50022181ffc59cc

SHA256
2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

SHA512
94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

Filesize
96KB

MD5
0ba73a0db3913ba14be521f82c1b2c6c

SHA1
15920f9b5c190b70f927d18fa9d03793cb1f6332

SHA256
212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

SHA512
51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

Filesize
96KB

MD5
0ba73a0db3913ba14be521f82c1b2c6c

SHA1
15920f9b5c190b70f927d18fa9d03793cb1f6332

SHA256
212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

SHA512
51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUT\update.log

Filesize
116KB

MD5
8c49d603e67e5933ff07216c80b0ed4b

SHA1
a31aaff7adccb8563a2f798816f9b211b774bf08

SHA256
6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c

SHA512
48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4

Download Submit
\ProgramData\Microsoft\NetFramework\BreadcrumbStore\roboform.dll

Filesize
74KB

MD5
ee1887696c8445caaaad13bdb39d5dba

SHA1
bc09e8530d2497befaeacbf4d50022181ffc59cc

SHA256
2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

SHA512
94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

Download Submit
\ProgramData\Microsoft\NetFramework\BreadcrumbStore\roboform.dll

Filesize
74KB

MD5
ee1887696c8445caaaad13bdb39d5dba

SHA1
bc09e8530d2497befaeacbf4d50022181ffc59cc

SHA256
2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

SHA512
94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

Download Submit
\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe

Filesize
96KB

MD5
0ba73a0db3913ba14be521f82c1b2c6c

SHA1
15920f9b5c190b70f927d18fa9d03793cb1f6332

SHA256
212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

SHA512
51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

Download Submit
\Users\Admin\AppData\Local\Temp\OUT\roboform.dll

Filesize
74KB

MD5
ee1887696c8445caaaad13bdb39d5dba

SHA1
bc09e8530d2497befaeacbf4d50022181ffc59cc

SHA256
2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

SHA512
94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

Download Submit
memory/988-79-0x00000000000D0000-0x00000000000EC000-memory.dmp

Filesize
112KB

Download
memory/988-93-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/988-85-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/1072-91-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/1072-84-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/1160-54-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download
memory/1160-58-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-90-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/1800-94-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/1968-66-0x0000000075581000-0x0000000075583000-memory.dmp

Filesize
8KB

Download
memory/1968-65-0x0000000001D70000-0x0000000001E70000-memory.dmp

Filesize
1024KB

Download
memory/1968-67-0x0000000000180000-0x00000000001AE000-memory.dmp

Filesize
184KB

Download
memory/1976-83-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/1976-92-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download