Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 14-01-2024 14:30

Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Resource: win7-20231129-en (windows7-x64)
9 signatures, 150 seconds
General
Target: 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Size: 212KB
MD5: 31a46a27aa677a184b1010ddc68c2ada
SHA1: 73818a6b0035e812b8cfe3fe771cd403693709b5
SHA256: 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c
SHA512: c8106ad1107bb2320c8bd52fdcb88d6d380e804a94602273f8327c0a7b2eee5a650fbf057067a4d33ba35515d8a2997e41d4eafc22ac56ec857830ef81918e54
SSDEEP: 3072:Jn7jBZSl+I7ZaKZAbTXAjS6jXEGnNxzjXlvl22KDInmXH5O0z9:Jn7j/CU2/jSCEGNdjXlvlxKDI6Dz
Malware Config
Signatures

- Detects PlugX payload (21 IoCs)
resource  yara_rule
behavioral2/memory/3244-1-0x00000000028E0000-0x0000000002915000-memory.dmp  family_plugx
behavioral2/memory/3244-2-0x00000000028E0000-0x0000000002915000-memory.dmp  family_plugx
behavioral2/memory/8-18-0x0000000000F40000-0x0000000000F75000-memory.dmp  family_plugx
behavioral2/memory/8-19-0x0000000000F40000-0x0000000000F75000-memory.dmp  family_plugx
behavioral2/memory/772-20-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/772-23-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/3244-26-0x00000000028E0000-0x0000000002915000-memory.dmp  family_plugx
behavioral2/memory/8-22-0x0000000000F40000-0x0000000000F75000-memory.dmp  family_plugx
behavioral2/memory/772-35-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/772-36-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/772-37-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/772-38-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/772-40-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/2660-45-0x0000000001340000-0x0000000001375000-memory.dmp  family_plugx
behavioral2/memory/2660-46-0x0000000001340000-0x0000000001375000-memory.dmp  family_plugx
behavioral2/memory/2660-47-0x0000000001340000-0x0000000001375000-memory.dmp  family_plugx
behavioral2/memory/2660-49-0x0000000001340000-0x0000000001375000-memory.dmp  family_plugx
behavioral2/memory/2660-50-0x0000000001340000-0x0000000001375000-memory.dmp  family_plugx
behavioral2/memory/2660-51-0x0000000001340000-0x0000000001375000-memory.dmp  family_plugx
behavioral2/memory/772-52-0x0000000000F80000-0x0000000000FB5000-memory.dmp  family_plugx
behavioral2/memory/2660-53-0x0000000001340000-0x0000000001375000-memory.dmp  family_plugx

- Unexpected DNS network traffic destination (4 IoCs)
Network traffic to a server other than the configured DNS servers was detected on the DNS port.
description  ioc
Destination IP  35.77.99.82
Destination IP  35.77.99.82
Destination IP  35.77.99.82
Destination IP  35.77.99.82

- Modifies registry class (2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\CLASSES\FAST  svchost.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003300460033003000330036003200420041004100370033004300440035000000  svchost.exe

- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid  Process
772  svchost.exe
2660  dllhost.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process  (entries in report order)
3244  2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe  x4
772  svchost.exe  x2
2660  dllhost.exe  x10
(the "772 x2, 2660 x10" pair repeats five times; 64 entries in total)

- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid  Process
772  svchost.exe
2660  dllhost.exe

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
description  pid  Process
Token: SeDebugPrivilege  3244  2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Token: SeTcbPrivilege  3244  2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Token: SeDebugPrivilege  8  2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Token: SeTcbPrivilege  8  2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
Token: SeDebugPrivilege  772  svchost.exe
Token: SeTcbPrivilege  772  svchost.exe
Token: SeDebugPrivilege  2660  dllhost.exe
Token: SeTcbPrivilege  2660  dllhost.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
description  pid  Process  procid_target
PID 8 wrote to memory of 772  8  2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe  98  (x8, identical entries)
PID 772 wrote to memory of 2660  772  svchost.exe  99  (x8, identical entries)
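The rows above carry three things worth extracting by hand rather than eyeballing: the flagged memory regions (every one of the four distinct ranges is 0x35000 bytes long), the FAST\CLSID registry data (the hex is UTF-16LE text, which decodes to the 16-character ASCII string B3F30362BAA73CD5 followed by a NUL), and the WriteProcessMemory edges, which form a single chain 8 -> 772 -> 2660. The Python below is an added example for this page, not sandbox output or any project's code; the inputs are copied verbatim from the signature rows above, and the parsing helpers and their names are this example's own.

```python
"""Parse PlugX IoC rows from the sandbox report (added example, not sandbox code)."""
import re
from collections import defaultdict

# One memory-dump IoC per distinct region, copied from the "Detects PlugX payload" rows.
MEMORY_IOCS = [
    "behavioral2/memory/3244-1-0x00000000028E0000-0x0000000002915000-memory.dmp",
    "behavioral2/memory/8-18-0x0000000000F40000-0x0000000000F75000-memory.dmp",
    "behavioral2/memory/772-20-0x0000000000F80000-0x0000000000FB5000-memory.dmp",
    "behavioral2/memory/2660-45-0x0000000001340000-0x0000000001375000-memory.dmp",
]

# Value data from the "Modifies registry class" row, exactly as the report prints it.
FAST_CLSID_HEX = "42003300460033003000330036003200420041004100370033004300440035000000"

# "wrote to memory of" rows reduced to (writer pid, target pid, writer image).
WPM_ROWS = [
    (8, 772, "2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"),
    (772, 2660, "svchost.exe"),
]

# Naming scheme observed in the report: <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a memory-dump IoC name into pid and address range (end is exclusive)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump IoC: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Map pid -> set of (start, end) regions the YARA rule fired on."""
    out = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        out[r["pid"]].add((r["start"], r["end"]))
    return dict(out)


def decode_reg_utf16(hex_data):
    """Registry string data shown as hex is UTF-16LE; drop the trailing NUL terminator."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")


def injection_chain(rows):
    """Follow writer -> target edges from the process nobody wrote into, to the last target."""
    writers = {src for src, _, _ in rows}
    targets = {dst for _, dst, _ in rows}
    roots = writers - targets
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, got {sorted(roots)}")
    children = {src: dst for src, dst, _ in rows}
    chain = [roots.pop()]
    while chain[-1] in children:
        chain.append(children[chain[-1]])
    return chain


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(MEMORY_IOCS).items()):
        for s, e in sorted(regs):
            print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({e - s:#x} bytes)")
    print("FAST\\CLSID =", decode_reg_utf16(FAST_CLSID_HEX))
    print("injection chain:", " -> ".join(str(p) for p in injection_chain(WPM_ROWS)))
```

The same region size in all four processes is consistent with one payload image being mapped into each process in turn; the script only measures the ranges the report lists and does not confirm their contents. The decoded CLSID string is reported as-is; this page gives no basis for interpreting what the value means to the malware, so treat it as a host artefact to look for, not as a decoded configuration.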
Processes

- C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"
  PID: 3244
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

- C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe" 200 0
  PID: 8
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe 201 0
    PID: 772
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\dllhost.exe (depth 3)
      Command line: C:\Windows\system32\dllhost.exe 209 772
      PID: 2660
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken