9250660cbb79a033d53de8cf0540982cdd1addbc57f05c8a300eab86c6d1920c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2023, 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plugx/ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
Size

146KB
MD5

f1d6ee923099c9f1b10d563e6146cb87
SHA1

605590582a3714d21b48a874c68df15abfb4b190
SHA256

ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2
SHA512

f4a4910ba6e0392fcfb08fbbff895b043d392ea4ce4377c3a2a07bb94f166509525441928f33c24c3d8e1e67a4d0a66294c714c319062ecd3ad742c7e48e205a
SSDEEP

3072:Zq3baagC6laxrPPtBUeqc/44KBqEspsExs62pNUYO:Zq3bakvrPXt1OseExz2pH

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2712	SxS.exe
4580	SxS.exe

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	61.139.2.69
Destination IP	202.98.96.68
Destination IP	202.98.96.68
Destination IP	205.252.144.228
Destination IP	202.98.96.68
Destination IP	205.252.144.228
Destination IP	61.139.2.69
Destination IP	61.139.2.69
Destination IP	61.139.2.69
Destination IP	205.252.144.228

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33003900430039003800370039003200440036004500410033003300390031000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3776	svchost.exe
3776	svchost.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
3776	svchost.exe
3776	svchost.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
3776	svchost.exe
3776	svchost.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
3776	svchost.exe
3776	svchost.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
3776	svchost.exe
4372	msiexec.exe
4372	msiexec.exe
3776	svchost.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
4372	msiexec.exe
3776	svchost.exe
3776	svchost.exe
4372	msiexec.exe
4372	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
Token: SeTcbPrivilege	3760	ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
Token: SeDebugPrivilege	2712	SxS.exe
Token: SeTcbPrivilege	2712	SxS.exe
Token: SeDebugPrivilege	4580	SxS.exe
Token: SeTcbPrivilege	4580	SxS.exe
Token: SeDebugPrivilege	3776	svchost.exe
Token: SeTcbPrivilege	3776	svchost.exe
Token: SeDebugPrivilege	4372	msiexec.exe
Token: SeTcbPrivilege	4372	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3760 wrote to memory of 2712	3760	ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe	79
PID 3760 wrote to memory of 2712	3760	ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe	79
PID 3760 wrote to memory of 2712	3760	ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe	79
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 4580 wrote to memory of 3776	4580	SxS.exe	81
PID 3776 wrote to memory of 4372	3776	svchost.exe	86
PID 3776 wrote to memory of 4372	3776	svchost.exe	86
PID 3776 wrote to memory of 4372	3776	svchost.exe	86
PID 3776 wrote to memory of 4372	3776	svchost.exe	86
PID 3776 wrote to memory of 4372	3776	svchost.exe	86
PID 3776 wrote to memory of 4372	3776	svchost.exe	86
PID 3776 wrote to memory of 4372	3776	svchost.exe	86
PID 3776 wrote to memory of 4372	3776	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\plugx\ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe
"C:\Users\Admin\AppData\Local\Temp\plugx\ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3760
- C:\ProgramData\Microsoft PA\SxS.exe
  "C:\ProgramData\Microsoft PA\SxS.exe" 100 3760
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2712

C:\ProgramData\Microsoft PA\SxS.exe
"C:\ProgramData\Microsoft PA\SxS.exe" 200 0
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 300 3776
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft PA\SxS.exe

Filesize
146KB

MD5
f1d6ee923099c9f1b10d563e6146cb87

SHA1
605590582a3714d21b48a874c68df15abfb4b190

SHA256
ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2

SHA512
f4a4910ba6e0392fcfb08fbbff895b043d392ea4ce4377c3a2a07bb94f166509525441928f33c24c3d8e1e67a4d0a66294c714c319062ecd3ad742c7e48e205a

Download Submit
C:\ProgramData\Microsoft PA\SxS.exe

Filesize
146KB

MD5
f1d6ee923099c9f1b10d563e6146cb87

SHA1
605590582a3714d21b48a874c68df15abfb4b190

SHA256
ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2

SHA512
f4a4910ba6e0392fcfb08fbbff895b043d392ea4ce4377c3a2a07bb94f166509525441928f33c24c3d8e1e67a4d0a66294c714c319062ecd3ad742c7e48e205a

Download Submit
C:\ProgramData\Microsoft PA\SxS.exe

Filesize
146KB

MD5
f1d6ee923099c9f1b10d563e6146cb87

SHA1
605590582a3714d21b48a874c68df15abfb4b190

SHA256
ac758e6ad91120d1c98248ed2582c1ab472d83ef354f9c4b2f62167a699565f2

SHA512
f4a4910ba6e0392fcfb08fbbff895b043d392ea4ce4377c3a2a07bb94f166509525441928f33c24c3d8e1e67a4d0a66294c714c319062ecd3ad742c7e48e205a

Download Submit
memory/2712-138-0x00000000026C0000-0x00000000026EE000-memory.dmp

Filesize
184KB

Download
memory/2712-157-0x00000000026C0000-0x00000000026EE000-memory.dmp

Filesize
184KB

Download
memory/2712-143-0x00000000026C0000-0x00000000026EE000-memory.dmp

Filesize
184KB

Download
memory/3760-133-0x0000000002900000-0x000000000292E000-memory.dmp

Filesize
184KB

Download
memory/3760-140-0x0000000000DE0000-0x0000000000DFB000-memory.dmp

Filesize
108KB

Download
memory/3760-142-0x0000000002900000-0x000000000292E000-memory.dmp

Filesize
184KB

Download
memory/3776-150-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-144-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-146-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-147-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-148-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-149-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-168-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-145-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-152-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-153-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3776-155-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-156-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-166-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-165-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-164-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/3776-162-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/4372-161-0x00000000012D0000-0x00000000012FE000-memory.dmp

Filesize
184KB

Download
memory/4372-160-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/4372-163-0x00000000007B0000-0x00000000007DE000-memory.dmp

Filesize
184KB

Download
memory/4372-159-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/4372-158-0x00000000012D0000-0x00000000012FE000-memory.dmp

Filesize
184KB

Download
memory/4580-141-0x0000000001590000-0x00000000015BE000-memory.dmp

Filesize
184KB

Download
memory/4580-151-0x0000000001590000-0x00000000015BE000-memory.dmp

Filesize
184KB

Download