Analysis

max time kernel: 189s
max time network: 235s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 16:04

Static task: static1
Behavioral task: behavioral1
  Sample: bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
  Resource: win10v2004-20221111-en
General

Target: bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
Size: 252KB
MD5: d3ae29e3719d5fd68d31bf3c4d9eac30
SHA1: 8739e0f1800b0a89c48e400bd36a705c39bf1c4d
SHA256: bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2
SHA512: db2cb32a5dd1fbb061e1755a48b1b9b1c35ba01a2405e5f26f5afb4f0ead8ccee3f001e6d8178e134ac65eb7b5b2eed064c978ef0fd72188805eefa8245130bf
SSDEEP: 6144:Qkp72oN2xBsSc6HHLHEKrNhKb1prrTYJR/zMCZf:QkX+sgHLEKphKb1pnYb
Malware Config
Signatures
Detects PlugX payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2040-60-0x00000000004C0000-0x00000000004EE000-memory.dmp   family_plugx
  behavioral1/memory/2016-61-0x0000000000200000-0x000000000022E000-memory.dmp   family_plugx
  behavioral1/memory/2016-62-0x0000000000200000-0x000000000022E000-memory.dmp   family_plugx
  behavioral1/memory/1440-67-0x00000000002F0000-0x000000000031E000-memory.dmp   family_plugx
  behavioral1/memory/1440-68-0x00000000002F0000-0x000000000031E000-memory.dmp   family_plugx
  (every hit is a 0x2E000-byte, i.e. 184KB, region: the same payload is present in the sample process, svchost.exe and msiexec.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  description       ioc                                                                                                  process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdoberDis = "C:\\Windows\\AdobeDis.exe"   bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                            bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
Modifies registry class (2 IoCs)
  description        ioc                                                                                                    process
  Key created        \REGISTRY\MACHINE\Software\CLASSES\MJ                                                                  svchost.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 32003600460042004200420036003300340036003300370033003800360037000000   svchost.exe
  (the binary data is a NUL-terminated UTF-16LE string and decodes to "26FBBB6346373867"; it is not a CLSID in GUID form)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    process       events
  2016   svchost.exe   17
  1440   msiexec.exe   47
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  2016   svchost.exe
Suspicious behavior: RenamesItself (1 IoC)
  pid    process
  2040   bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   2040   bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
  Token: SeTcbPrivilege     2040   bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe
  Token: SeDebugPrivilege   2016   svchost.exe
  Token: SeTcbPrivilege     2016   svchost.exe
  Token: SeDebugPrivilege   1440   msiexec.exe
  Token: SeTcbPrivilege     1440   msiexec.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  description                        pid    process                                                                 target process   events
  PID 2040 wrote to memory of 2016   2040   bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe   svchost.exe      9
  PID 2016 wrote to memory of 1440   2016   svchost.exe                                                             msiexec.exe      12
Processes

1. C:\Users\Admin\AppData\Local\Temp\bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe  (PID 2040)
   command line: "C:\Users\Admin\AppData\Local\Temp\bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe"
   - Adds Run key to start application
   - Suspicious behavior: RenamesItself
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\svchost.exe  (PID 2016, child of 2040)
      command line: C:\Windows\system32\svchost.exe
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\msiexec.exe  (PID 1440, child of 2016)
         command line: C:\Windows\SysWOW64\msiexec.exe
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Note that svchost.exe is launched with a system32 command line but runs from SysWOW64: the sample is 32-bit (its Run key landed under Wow6432Node), so on this x64 image the path is subject to WOW64 file-system redirection. Each process in the chain writes into the memory of the next one (see the WriteProcessMemory IoCs), and the family_plugx YARA rule fires on a 184KB region in all three, so the hosting svchost.exe and msiexec.exe are carriers of the injected payload, not independent activity by those Windows binaries.
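The IoC lines above (the WriteProcessMemory chain, the Run key entry, the Classes\MJ\CLSID data and the memory-dump names) are easier to reason about once parsed into structure. The following Python is an added example written for this page; it is not part of the sandbox report or of the sample. The input strings are copied from the report text, and the regular expressions are assumptions about how this report prints its IoC lines rather than a documented format.

```python
"""Structured view of the sandbox IoCs quoted in this report.

Added example; not part of the sandbox report or of the sample. Input
strings are copied from the report above; the regular expressions are
assumptions about the report's line layout, not a documented format.
"""
import re
from collections import Counter

SAMPLE = "bc1c02ee6e4d533847e586205284c7cc4d69909b2bd9c6781c92c766384405f2.exe"

# "Suspicious use of WriteProcessMemory" IoCs as printed in the report (9 + 12 = 21 lines).
WRITE_PROCESS_MEMORY = (
    f"PID 2040 wrote to memory of 2016 2040 {SAMPLE} svchost.exe " * 9
    + "PID 2016 wrote to memory of 1440 2016 svchost.exe msiexec.exe " * 12
)
# "Adds Run key" IoC as printed in the report (backslashes in the data are doubled there).
RUN_KEY_LINE = (
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
    r'\CurrentVersion\Run\AdoberDis = "C:\\Windows\\AdobeDis.exe"'
)
# REG_BINARY data svchost.exe (PID 2016) wrote to HKLM\SOFTWARE\Classes\MJ\CLSID.
CLSID_HEX = "32003600460042004200420036003300340036003300370033003800360037000000"

_WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
_RUN_RE = re.compile(r'Set value \(str\) (\S+)\\([^\\\s]+) = "(.*)"')
_DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def injection_edges(text):
    """Count (src_pid, src_image, dst_pid, dst_image) edges from WriteProcessMemory IoCs."""
    return Counter((int(s), si, int(d), di) for s, d, si, di in _WPM_RE.findall(text))


def injection_chain(edges, root_pid):
    """Follow write-to-memory edges from root_pid; returns [(pid, image), ...]."""
    image, next_pid = {}, {}
    for src, src_img, dst, dst_img in edges:
        image[src], image[dst] = src_img, dst_img
        next_pid.setdefault(src, dst)  # first target seen is enough for a linear chain
    chain, pid, seen = [], root_pid, set()
    while pid in image and pid not in seen:  # 'seen' guards against cyclic edges
        seen.add(pid)
        chain.append((pid, image[pid]))
        pid = next_pid.get(pid)
    return chain


def run_key_entry(line):
    """(key, value_name, command) from a 'Set value (str) ... = "..."' IoC line, else None."""
    m = _RUN_RE.search(line)
    if not m:
        return None
    key, name, data = m.groups()
    return key, name, data.replace("\\\\", "\\")  # undo the report's escaped backslashes


def dump_region(name):
    """(pid, base, size_bytes) for a '<pid>-<n>-<start>-<end>-memory.dmp' artifact, else None."""
    m = _DUMP_RE.fullmatch(name)
    if not m:  # e.g. the '...-mapping.dmp' entries carry no address range
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, start, end - start


def decode_reg_binary_utf16(hex_data):
    """Decode REG_BINARY hex that is really a NUL-terminated UTF-16LE string."""
    return bytes.fromhex(hex_data).decode("utf-16-le").split("\x00", 1)[0]


if __name__ == "__main__":
    edges = injection_edges(WRITE_PROCESS_MEMORY)
    chain = injection_chain(edges, 2040)
    print("injection chain:", " -> ".join(f"{img} ({pid})" for pid, img in chain))
    print("persistence:", run_key_entry(RUN_KEY_LINE))
    print("Classes\\MJ\\CLSID decodes to:", decode_reg_binary_utf16(CLSID_HEX))
    for dump in ("memory/2040-60-0x00000000004C0000-0x00000000004EE000-memory.dmp",
                 "memory/1440-65-0x0000000000000000-mapping.dmp"):
        print(dump, "->", dump_region(dump))
```

Running it prints the chain sample -> svchost.exe -> msiexec.exe (2040 -> 2016 -> 1440), the Run key as (key, "AdoberDis", "C:\Windows\AdobeDis.exe"), the CLSID string "26FBBB6346373867" and a 0x2E000-byte (184KB) region for the first dump; the mapping.dmp name yields None because it carries no address range, which a caller should treat as "skip", not as an empty region.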
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  artifact                                                          Filesize
  memory/1440-65-0x0000000000000000-mapping.dmp
  memory/1440-67-0x00000000002F0000-0x000000000031E000-memory.dmp   184KB
  memory/1440-68-0x00000000002F0000-0x000000000031E000-memory.dmp   184KB
  memory/2016-56-0x00000000000E0000-0x00000000000FB000-memory.dmp   108KB
  memory/2016-58-0x0000000000000000-mapping.dmp
  memory/2016-61-0x0000000000200000-0x000000000022E000-memory.dmp   184KB
  memory/2016-62-0x0000000000200000-0x000000000022E000-memory.dmp   184KB
  memory/2040-55-0x0000000076411000-0x0000000076413000-memory.dmp   8KB
  memory/2040-60-0x00000000004C0000-0x00000000004EE000-memory.dmp   184KB