Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 14-01-2024 14:30

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Resource: win7-20231129-en (windows7-x64), 9 signatures, 150 seconds
General
Target: 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Size: 212KB
MD5: 31a46a27aa677a184b1010ddc68c2ada
SHA1: 73818a6b0035e812b8cfe3fe771cd403693709b5
SHA256: 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c
SHA512: c8106ad1107bb2320c8bd52fdcb88d6d380e804a94602273f8327c0a7b2eee5a650fbf057067a4d33ba35515d8a2997e41d4eafc22ac56ec857830ef81918e54
SSDEEP: 3072:Jn7jBZSl+I7ZaKZAbTXAjS6jXEGnNxzjXlvl22KDInmXH5O0z9:Jn7j/CU2/jSCEGNdjXlvlxKDI6Dz
Malware Config
Signatures
Detects PlugX payload (20 IoCs)
resource | yara_rule
All 20 hits are the rule family_plugx on memory dumps of four processes. The dump files (behavioral1/memory/<pid>-<dump>-<start>-<end>-memory.dmp) collapse to one region per process:
  PID 2364 (sample): 0x001B0000-0x001E5000, dumps 1, 2, 31
  PID 2660 (sample): 0x001B0000-0x001E5000, dumps 19, 27
  PID 2692 (svchost.exe): 0x001F0000-0x00225000, dumps 26, 28, 41, 42, 43, 44, 46, 63
  PID 3064 (dllhost.exe): 0x00200000-0x00235000, dumps 56, 57, 59, 60, 61, 62, 64
Every region is 0x35000 bytes (217,088 bytes, exactly the 212KB the General section reports for the sample), and the same payload region reappears in each process the sample writes into. The report gives only the addresses; it does not say how the region was allocated.
Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP: 35.77.99.82 (all four IoCs name this one address)
The report records only the destination and the port, not the payload, so it does not establish whether this is genuine DNS resolution or command-and-control carried over the DNS port; inspect the capture before treating 35.77.99.82 as anything other than a contact address of this sample.
Modifies registry class (2 IoCs)
description | ioc | Process
Key created: \REGISTRY\MACHINE\Software\CLASSES\FAST (svchost.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004400440043003800340033003200310041003800300037003900420042000000 (svchost.exe)
The CLSID data is not a COM class GUID: it is a NUL-terminated UTF-16LE string, "8DDC84321A8079BB" (16 characters). A FAST subkey under HKLM\Software\Classes holding a CLSID value of this shape, written by a svchost.exe that services.exe did not start, is a usable host-level indicator for this sample.
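The two signatures above are easiest to work with once the report's raw IoC lines are parsed. The script below is an added example, not part of the sandbox report: it collapses the "Detects PlugX payload" memory-dump hits into one region per PID (with its size) and decodes the REG_BINARY data written to HKLM\Software\Classes\FAST\CLSID. The only inputs are lines and values copied from this report; the embedded YARA_HITS text is a subset of the 20 lines (it covers all four PIDs plus one duplicate region) and the function and class names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed input: a subset of the report's "Detects PlugX payload" IoC lines,
# copied verbatim (the report lists 20; these cover every PID and one duplicate).
YARA_HITS = """\
behavioral1/memory/2364-2-0x00000000001B0000-0x00000000001E5000-memory.dmp family_plugx
behavioral1/memory/2364-1-0x00000000001B0000-0x00000000001E5000-memory.dmp family_plugx
behavioral1/memory/2660-19-0x00000000001B0000-0x00000000001E5000-memory.dmp family_plugx
behavioral1/memory/2692-28-0x00000000001F0000-0x0000000000225000-memory.dmp family_plugx
behavioral1/memory/2692-46-0x00000000001F0000-0x0000000000225000-memory.dmp family_plugx
behavioral1/memory/3064-56-0x0000000000200000-0x0000000000235000-memory.dmp family_plugx
"""

# REG_BINARY data the report shows svchost.exe (PID 2692) writing to
# HKLM\Software\Classes\FAST\CLSID, copied verbatim.
CLSID_HEX = "38004400440043003800340033003200310041003800300037003900420042000000"

SAMPLE_SIZE_KB = 212  # "Size 212KB" from the report's General section

# Shape of the sandbox's memory-dump resource names: <pid>-<dump>-<start>-<end>
HIT_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<dump>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)


@dataclass(frozen=True)
class Region:
    pid: int
    start: int
    end: int
    rule: str
    dumps: tuple  # dump indices whose hit fell on this same region

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_hits(text: str) -> list:
    """Collapse per-dump YARA hits into unique (pid, start, end, rule) regions."""
    grouped = {}
    for line in text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue  # skip anything that is not a memory-dump hit line
        key = (int(m["pid"]), int(m["start"], 16), int(m["end"], 16), m["rule"])
        grouped.setdefault(key, []).append(int(m["dump"]))
    return [Region(pid, s, e, rule, tuple(sorted(d)))
            for (pid, s, e, rule), d in sorted(grouped.items())]


def decode_reg_binary_utf16(hex_data: str) -> str:
    """Decode a REG_BINARY blob that is really a NUL-terminated UTF-16LE string."""
    raw = bytes.fromhex(hex_data)
    if len(raw) % 2:
        raise ValueError("odd byte count; not UTF-16LE")
    text = raw.decode("utf-16-le")
    return text.split("\x00", 1)[0]  # stop at the first NUL terminator


def regions_match_sample_size(regions, size_kb: int = SAMPLE_SIZE_KB) -> bool:
    """True when every flagged region is exactly the on-disk size of the sample."""
    return bool(regions) and all(r.size == size_kb * 1024 for r in regions)


if __name__ == "__main__":
    regions = parse_memory_hits(YARA_HITS)
    for r in regions:
        print(f"PID {r.pid}: 0x{r.start:08X}-0x{r.end:08X} "
              f"({r.size:#x} bytes, {r.size // 1024} KiB) {r.rule} dumps={r.dumps}")
    print("all regions equal sample size:", regions_match_sample_size(regions))
    print("CLSID value decodes to:", decode_reg_binary_utf16(CLSID_HEX))
```

Run it on the full 20-line list and the output is the same four regions; the decoded CLSID string is what to search for on other hosts (as a registry value, not as a GUID).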
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
2692 svchost.exe
3064 dllhost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (occurrences)
2364 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe (2)
2692 svchost.exe (12)
3064 dllhost.exe (50)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2692 svchost.exe
3064 dllhost.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege, SeTcbPrivilege | 2364 | 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Token: SeDebugPrivilege, SeTcbPrivilege | 2660 | 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Token: SeDebugPrivilege, SeTcbPrivilege | 2692 | svchost.exe
Token: SeDebugPrivilege, SeTcbPrivilege | 3064 | dllhost.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | Process | procid_target
PID 2660 wrote to memory of 2692 (2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe into svchost.exe), 9 writes, procid_target 30
PID 2692 wrote to memory of 3064 (svchost.exe into dllhost.exe), 9 writes, procid_target 31
Processes
(The number before each image path is the depth the report assigns in its process tree.)

1. C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID: 2364

1. C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe" 200 0
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 2660

   2. C:\Windows\SysWOW64\svchost.exe (child of PID 2660)
      command line: C:\Windows\system32\svchost.exe 201 0
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2692

      3. C:\Windows\SysWOW64\dllhost.exe (child of PID 2692)
         command line: C:\Windows\system32\dllhost.exe 209 2692
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         PID: 3064

Notes on the tree:
- The report shows both instances of the sample at depth 1; it does not record a parent for PID 2660. The chain it does record is 2660 -> 2692 -> 3064, which matches the WriteProcessMemory signature (2660 writes into 2692, 2692 writes into 3064).
- svchost.exe and dllhost.exe are launched with a command line naming C:\Windows\system32 but the image that loads is the C:\Windows\SysWOW64 copy: the processes are 32-bit and WoW64 file system redirection applied, consistent with the arch:x86 resource tag.
- Neither system binary is started the way Windows starts it (svchost.exe by services.exe, dllhost.exe with a /Processid:{GUID} COM surrogate argument). Both receive small numeric arguments instead, and the second argument to dllhost.exe, 2692, is the PID of the svchost.exe that spawned it.
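The launch chain in the Processes section is detectable from process-creation telemetry alone, without the YARA hit. The script below is an added example and is not part of the sandbox report: it runs three checks (svchost.exe not started by services.exe, dllhost.exe without a /Processid: surrogate argument, a system binary given numeric-only arguments that name a running PID) plus an informational WoW64-redirection check over constructed records modelled on the report's tree. The ProcEvent field names are this example's own; map them from your EDR or Sysmon Event ID 1 export. The parent of PID 2660 is not stated in the report, so it is recorded as unknown (0).

```python
import ntpath
from dataclasses import dataclass

SAMPLE = "2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 when no parent is known
    image: str       # path of the executable that was actually loaded
    cmdline: str     # command line as recorded


# Constructed from the report's Processes section (assumed field layout; the
# report shows both sample instances at depth 1, so their parent is unknown).
EVENTS = [
    ProcEvent(2364, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2660, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}" 200 0'),
    ProcEvent(2692, 2660, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\system32\svchost.exe 201 0"),
    ProcEvent(3064, 2692, r"C:\Windows\SysWOW64\dllhost.exe",
              r"C:\Windows\system32\dllhost.exe 209 2692"),
]


def _args(cmdline: str) -> list:
    """Return the arguments after the (possibly quoted) program path."""
    if cmdline.startswith('"'):
        rest = cmdline[1:].split('"', 1)[1]
    else:
        rest = cmdline.split(" ", 1)[1] if " " in cmdline else ""
    return rest.split()


def detect_plugx_chain(events) -> list:
    """Return (pid, rule) findings for the svchost/dllhost launch chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        pname = ntpath.basename(parent.image).lower() if parent else ""
        args = _args(e.cmdline)

        # Windows starts service hosts from services.exe; anything else is a launcher.
        if name == "svchost.exe" and pname != "services.exe":
            findings.append((e.pid, "svchost.exe not started by services.exe"))

        # A legitimate COM surrogate carries /Processid:{GUID}; this one does not.
        if name == "dllhost.exe" and not any(
                a.lower().startswith("/processid:") for a in args):
            findings.append((e.pid, "dllhost.exe without /Processid: COM surrogate argument"))

        # Numeric-only arguments on a system binary are the loader's stage markers;
        # one that equals a live PID (report: dllhost.exe 209 2692) names the parent.
        if name in {"svchost.exe", "dllhost.exe"} and args and all(a.isdigit() for a in args):
            findings.append((e.pid, "system binary with numeric-only arguments"))
            refs = [int(a) for a in args if int(a) in by_pid]
            if refs:
                findings.append((e.pid, f"argument references running PID {refs[0]}"))

        # Informational: command line says system32, loaded image is the SysWOW64
        # copy, so the process is 32-bit and was redirected by WoW64.
        if "\\syswow64\\" in e.image.lower() and "\\system32\\" in e.cmdline.lower():
            findings.append((e.pid, "32-bit copy loaded via WoW64 redirection"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect_plugx_chain(EVENTS):
        print(f"PID {pid}: {rule}")
```

Only the two injected hosts (2692 and 3064) are flagged; the sample's own processes are not, which is the point: the hunt key is the abuse of svchost.exe and dllhost.exe, not the file hash. The WoW64 check on its own is normal for any 32-bit program and should only raise severity when it co-occurs with the other findings.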