Analysis Overview
SHA256
66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967
Threat Level: Known bad
The file 66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX payload
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-12-01 18:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 18:31
Reported
2023-12-01 18:33
Platform
win7-20231020-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46E0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| N/A | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46E0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| N/A | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = e087f1da8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 800256b68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 0027ffe08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 800256b68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 403e21a48424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = e087f1da8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 609434ed8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = c0b937b08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 201d7ac88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 609434ed8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = e0ea91c88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 0027ffe08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDetectedUrl | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = c0b937b08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 40c55ab68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 40c55ab68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadNetworkName = "Network 2" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 403e21a48424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 201d7ac88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = e0ea91c88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\02-33-a4-cd-e4-b7 | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004600310046003700440042003300370036003200420032004600300042000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1 |
| C:\Users\Admin\AppData\Local\Temp\46E0.tmp | C:\Users\Admin\AppData\Local\Temp\46E0.tmp |
| C:\Users\Admin\AppData\Local\Temp\Gadget.exe | C:\Users\Admin\AppData\Local\Temp\\Gadget.exe |
| C:\ProgramData\WS\Gadget.exe | C:\ProgramData\WS\Gadget.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe 201 0 |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\system32\msiexec.exe 209 2924 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
Files
\Users\Admin\AppData\Local\Temp\46E0.tmp
| Hash | Value |
| --- | --- |
| MD5 | c116cd083284cc599c024c3479ca9b70 |
| SHA1 | bf831962162a0446454e3e32d764cc0e5daafde0 |
| SHA256 | 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84 |
| SHA512 | d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560 |
C:\Users\Admin\AppData\Local\Temp\46E0.tmp
| Hash | Value |
| --- | --- |
| MD5 | c116cd083284cc599c024c3479ca9b70 |
| SHA1 | bf831962162a0446454e3e32d764cc0e5daafde0 |
| SHA256 | 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84 |
| SHA512 | d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560 |
\Users\Admin\AppData\Local\Temp\Gadget.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b97b3cd2fcfb4b74985143230441463 |
| SHA1 | 8985c2394ed9a58c36f907962b0724fe66c204a6 |
| SHA256 | 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9 |
| SHA512 | 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715 |
C:\Users\Admin\AppData\Local\Temp\Gadget.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b97b3cd2fcfb4b74985143230441463 |
| SHA1 | 8985c2394ed9a58c36f907962b0724fe66c204a6 |
| SHA256 | 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9 |
| SHA512 | 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715 |
C:\Users\Admin\AppData\Local\Temp\SideBar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
memory/2688-17-0x0000000000400000-0x0000000000405000-memory.dmp
\Users\Admin\AppData\Local\Temp\Sidebar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc
| Hash | Value |
| --- | --- |
| MD5 | 97c11e7d6b1926cd4be13804b36239ac |
| SHA1 | b388b86a782ae14fee2a31bc7626a816c3eabc5a |
| SHA256 | a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a |
| SHA512 | 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121 |
memory/2688-19-0x0000000000660000-0x0000000000760000-memory.dmp
memory/2688-20-0x0000000000290000-0x00000000002C0000-memory.dmp
C:\ProgramData\WS\Gadget.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b97b3cd2fcfb4b74985143230441463 |
| SHA1 | 8985c2394ed9a58c36f907962b0724fe66c204a6 |
| SHA256 | 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9 |
| SHA512 | 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715 |
C:\Users\Admin\AppData\Local\Temp\Gadget.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b97b3cd2fcfb4b74985143230441463 |
| SHA1 | 8985c2394ed9a58c36f907962b0724fe66c204a6 |
| SHA256 | 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9 |
| SHA512 | 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715 |
C:\ProgramData\WS\SideBar.dll.doc
| Hash | Value |
| --- | --- |
| MD5 | 97c11e7d6b1926cd4be13804b36239ac |
| SHA1 | b388b86a782ae14fee2a31bc7626a816c3eabc5a |
| SHA256 | a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a |
| SHA512 | 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121 |
C:\ProgramData\WS\SideBar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
C:\ProgramData\WS\Gadget.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b97b3cd2fcfb4b74985143230441463 |
| SHA1 | 8985c2394ed9a58c36f907962b0724fe66c204a6 |
| SHA256 | 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9 |
| SHA512 | 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715 |
C:\ProgramData\WS\SideBar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
\ProgramData\WS\SideBar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
memory/2304-38-0x0000000000400000-0x0000000000405000-memory.dmp
C:\ProgramData\WS\SideBar.dll.doc
| Hash | Value |
| --- | --- |
| MD5 | 97c11e7d6b1926cd4be13804b36239ac |
| SHA1 | b388b86a782ae14fee2a31bc7626a816c3eabc5a |
| SHA256 | a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a |
| SHA512 | 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121 |
memory/2304-41-0x0000000000540000-0x0000000000570000-memory.dmp
memory/2924-42-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2924-44-0x00000000000A0000-0x00000000000BD000-memory.dmp
memory/2924-45-0x00000000000C0000-0x00000000000C2000-memory.dmp
memory/2924-47-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2304-48-0x0000000000540000-0x0000000000570000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\46E0.tmp
| Hash | Value |
| --- | --- |
| MD5 | c116cd083284cc599c024c3479ca9b70 |
| SHA1 | bf831962162a0446454e3e32d764cc0e5daafde0 |
| SHA256 | 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84 |
| SHA512 | d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560 |
memory/2924-46-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-50-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2688-51-0x0000000000290000-0x00000000002C0000-memory.dmp
memory/2924-52-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-62-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2924-63-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-64-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-65-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-67-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-68-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-71-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2924-72-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2512-81-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/2512-83-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2512-82-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2512-86-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/2512-85-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/2512-84-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/2924-87-0x0000000000210000-0x0000000000240000-memory.dmp
memory/2512-91-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/2924-94-0x0000000000210000-0x0000000000240000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 18:31
Reported
2023-12-01 18:33
Platform
win10v2004-20231127-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8925.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| N/A | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| N/A | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35003700450036004600350031003400430031004600300041004200360038000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1 |
| C:\Users\Admin\AppData\Local\Temp\8925.tmp | C:\Users\Admin\AppData\Local\Temp\8925.tmp |
| C:\Users\Admin\AppData\Local\Temp\Gadget.exe | C:\Users\Admin\AppData\Local\Temp\\Gadget.exe |
| C:\ProgramData\WS\Gadget.exe | C:\ProgramData\WS\Gadget.exe |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe 201 0 |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\system32\msiexec.exe 209 3720 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| N/A | 255.255.255.255:53 | fast.bacguarp.com | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| N/A | 255.255.255.255:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| N/A | 255.255.255.255:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| N/A | 255.255.255.255:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 255.255.255.255:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast.bacguarp.com | udp |
| N/A | 255.255.255.255:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| US | 8.8.8.8:53 | fast2.bacguarp.com | udp |
| N/A | 255.255.255.255:53 | fast.bacguarp.com | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\8925.tmp
| Hash | Value |
| --- | --- |
| MD5 | c116cd083284cc599c024c3479ca9b70 |
| SHA1 | bf831962162a0446454e3e32d764cc0e5daafde0 |
| SHA256 | 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84 |
| SHA512 | d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560 |
memory/3112-12-0x0000000000400000-0x0000000000405000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Sidebar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
C:\Users\Admin\AppData\Local\Temp\SideBar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
C:\Users\Admin\AppData\Local\Temp\Gadget.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b97b3cd2fcfb4b74985143230441463 |
| SHA1 | 8985c2394ed9a58c36f907962b0724fe66c204a6 |
| SHA256 | 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9 |
| SHA512 | 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715 |
C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc
| Hash | Value |
| --- | --- |
| MD5 | 97c11e7d6b1926cd4be13804b36239ac |
| SHA1 | b388b86a782ae14fee2a31bc7626a816c3eabc5a |
| SHA256 | a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a |
| SHA512 | 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121 |
memory/3112-14-0x00000000007C0000-0x00000000008C0000-memory.dmp
memory/3112-15-0x00000000005B0000-0x00000000005E0000-memory.dmp
C:\ProgramData\WS\SideBar.dll.doc
| Hash | Value |
| --- | --- |
| MD5 | 97c11e7d6b1926cd4be13804b36239ac |
| SHA1 | b388b86a782ae14fee2a31bc7626a816c3eabc5a |
| SHA256 | a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a |
| SHA512 | 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121 |
C:\ProgramData\WS\Gadget.exe
| Hash | Value |
| --- | --- |
| MD5 | 6b97b3cd2fcfb4b74985143230441463 |
| SHA1 | 8985c2394ed9a58c36f907962b0724fe66c204a6 |
| SHA256 | 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9 |
| SHA512 | 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715 |
C:\ProgramData\WS\SideBar.dll
| Hash | Value |
| --- | --- |
| MD5 | 901fa02ffd43de5b2d7c8c6b8c2f6a43 |
| SHA1 | 8bb71adf1c418061510c40240852c3cd61fb214c |
| SHA256 | 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679 |
| SHA512 | 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab |
memory/116-33-0x0000000000400000-0x0000000000405000-memory.dmp
C:\ProgramData\WS\SideBar.dll.doc
| Hash | Value |
| --- | --- |
| MD5 | 97c11e7d6b1926cd4be13804b36239ac |
| SHA1 | b388b86a782ae14fee2a31bc7626a816c3eabc5a |
| SHA256 | a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a |
| SHA512 | 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121 |
memory/116-36-0x00000000007B0000-0x00000000007E0000-memory.dmp
memory/3720-37-0x0000000000380000-0x0000000000381000-memory.dmp
memory/3720-39-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/116-40-0x00000000007B0000-0x00000000007E0000-memory.dmp
memory/3112-41-0x00000000005B0000-0x00000000005E0000-memory.dmp
memory/3720-42-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/3720-52-0x0000000000380000-0x0000000000381000-memory.dmp
memory/3720-53-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/3720-54-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/3720-55-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/3720-57-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/3720-58-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/3720-60-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/5040-61-0x0000000002BD0000-0x0000000002C00000-memory.dmp
memory/5040-63-0x0000000001300000-0x0000000001301000-memory.dmp
memory/5040-62-0x0000000001030000-0x0000000001031000-memory.dmp
memory/5040-66-0x0000000002BD0000-0x0000000002C00000-memory.dmp
memory/5040-65-0x0000000002BD0000-0x0000000002C00000-memory.dmp
memory/3720-67-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/3720-68-0x0000000000C30000-0x0000000000C60000-memory.dmp
memory/5040-69-0x0000000002BD0000-0x0000000002C00000-memory.dmp
memory/3720-76-0x0000000000C30000-0x0000000000C60000-memory.dmp