plugx | 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3

General

Target

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
Size

2.0MB
MD5

0f6b00b0c5a26a5aa8942ae356329945
SHA1

1f412a62f50ff71f0b2b2f54aaa980962ebfd8a4
SHA256

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3
SHA512

e8c6ff3952b6b1066d113ce8b1e76ed20ec8eb5511045f374706fa2a44cf7b6d096e56a01e2318b872de4a5530872132053f13836d8ff4ffa75396a1ee4b34d9
SSDEEP

49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJq:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQs

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/272-76-0x0000000000AA0000-0x0000000000ACE000-memory.dmp	family_plugx
behavioral1/memory/1172-77-0x00000000001B0000-0x00000000001DE000-memory.dmp	family_plugx
behavioral1/memory/1844-83-0x0000000000390000-0x00000000003BE000-memory.dmp	family_plugx
behavioral1/memory/1172-86-0x00000000001B0000-0x00000000001DE000-memory.dmp	family_plugx
behavioral1/memory/1844-87-0x0000000000390000-0x00000000003BE000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Executes dropped EXE 1 IoCs

Processes:

rudiment.exe

pid process

272 rudiment.exe
Drops startup file 1 IoCs

Processes:

rudiment.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk rudiment.exe
Loads dropped DLL 3 IoCs

Processes:

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exerudiment.exe

pid process

1640 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
272 rudiment.exe
272 rudiment.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
272	rudiment.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meekness.lnk	rudiment.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MJ\CLSID = 38003600410046004600310034003600390037003400430039003000320034000000	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2040 WINWORD.EXE

pid	process
2040	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exesvchost.exemsiexec.exe

pid	process
1640	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe
1844	msiexec.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1844	msiexec.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1172	svchost.exe
1844	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rudiment.exesvchost.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	272	rudiment.exe
Token: SeTcbPrivilege	272	rudiment.exe
Token: SeDebugPrivilege	1172	svchost.exe
Token: SeTcbPrivilege	1172	svchost.exe
Token: SeDebugPrivilege	1844	msiexec.exe
Token: SeTcbPrivilege	1844	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exeWINWORD.EXE

pid	process
1640	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
1640	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
2040	WINWORD.EXE
2040	WINWORD.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exerudiment.exesvchost.exeWINWORD.EXE

description	pid	process	target process
PID 1640 wrote to memory of 272	1640	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe	rudiment.exe
PID 1640 wrote to memory of 272	1640	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe	rudiment.exe
PID 1640 wrote to memory of 272	1640	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe	rudiment.exe
PID 1640 wrote to memory of 272	1640	6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe	rudiment.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 272 wrote to memory of 1172	272	rudiment.exe	svchost.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 1172 wrote to memory of 1844	1172	svchost.exe	msiexec.exe
PID 2040 wrote to memory of 1752	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1752	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1752	2040	WINWORD.EXE	splwow64.exe
PID 2040 wrote to memory of 1752	2040	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
"C:\Users\Admin\AppData\Local\Temp\6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\rudiment.exe
C:\Users\Admin\AppData\Local\Temp\rudiment.exe
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\SysWOW64\msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\psychiatry.dat
Filesize
116KB

MD5
32f08fa20d7c5edeaa41daa426a67c41

SHA1
33c1840889cd62d335d3a08226618c0cab03120d

SHA256
bc7b80e410366884cb9cc7cbe336067f4af9fea0ee0f87323ca801bf5a7de223

SHA512
ebc6fbb8d19aa424ad31b6825537f2a3a22901f6ae71998b0015b963f8529947c71f2e29747631a33800b9d69d1394bc2b0872ebbc52fb7c1c63d9daf47f5f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudiment.exe
Filesize
47KB

MD5
b5bdaba69689e8be57ce78bb6845e4f0

SHA1
573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

SHA256
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

SHA512
e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rudiment.exe
Filesize
47KB

MD5
b5bdaba69689e8be57ce78bb6845e4f0

SHA1
573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

SHA256
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

SHA512
e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsodscpl.DLL
Filesize
112KB

MD5
6cea5fd06c8d6201c56303a4556e20f0

SHA1
20e96f270a1afe0b2e6634344195474c8f948f4b

SHA256
08be3ea641ea67ffffdff498deb0a72bef719b3bff1ae7af3dd5f1b20571bd41

SHA512
87ff11a0b1de250f65366a5cd7b657c9a131f264473141044d8fa33ec7117083921d1df245323ff689fea51a435e246f67ef1c6493376eb1bc2a9e23cc76815e

Download Submit
\Users\Admin\AppData\Local\Temp\rudiment.exe
Filesize
47KB

MD5
b5bdaba69689e8be57ce78bb6845e4f0

SHA1
573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

SHA256
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

SHA512
e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

Download Submit
\Users\Admin\AppData\Local\Temp\rudiment.exe
Filesize
47KB

MD5
b5bdaba69689e8be57ce78bb6845e4f0

SHA1
573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

SHA256
1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

SHA512
e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

Download Submit
\Users\Admin\AppData\Local\Temp\vsodscpl.dll
Filesize
112KB

MD5
6cea5fd06c8d6201c56303a4556e20f0

SHA1
20e96f270a1afe0b2e6634344195474c8f948f4b

SHA256
08be3ea641ea67ffffdff498deb0a72bef719b3bff1ae7af3dd5f1b20571bd41

SHA512
87ff11a0b1de250f65366a5cd7b657c9a131f264473141044d8fa33ec7117083921d1df245323ff689fea51a435e246f67ef1c6493376eb1bc2a9e23cc76815e

Download Submit
memory/272-76-0x0000000000AA0000-0x0000000000ACE000-memory.dmp

Filesize
184KB

Download
memory/272-63-0x0000000000000000-mapping.dmp

Download
memory/1172-77-0x00000000001B0000-0x00000000001DE000-memory.dmp

Filesize
184KB

Download
memory/1172-72-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/1172-86-0x00000000001B0000-0x00000000001DE000-memory.dmp

Filesize
184KB

Download
memory/1172-74-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1640-56-0x0000000000240000-0x0000000000443000-memory.dmp

Filesize
2.0MB

Download
memory/1640-55-0x0000000000240000-0x0000000000443000-memory.dmp

Filesize
2.0MB

Download
memory/1752-82-0x0000000000000000-mapping.dmp

Download
memory/1752-84-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1844-80-0x0000000000000000-mapping.dmp

Download
memory/1844-83-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/1844-87-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/2040-57-0x0000000072171000-0x0000000072174000-memory.dmp

Filesize
12KB

Download
memory/2040-58-0x000000006FBF1000-0x000000006FBF3000-memory.dmp

Filesize
8KB

Download
memory/2040-60-0x0000000070BDD000-0x0000000070BE8000-memory.dmp

Filesize
44KB

Download
memory/2040-85-0x0000000070BDD000-0x0000000070BE8000-memory.dmp

Filesize
44KB

Download
memory/2040-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads