Analysis Overview
SHA256
2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c
Threat Level: Known bad
The file 2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX payload
Unexpected DNS network traffic destination
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-01-14 14:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-14 14:30
Reported
2024-01-14 14:33
Platform
win7-20231129-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 35.77.99.82 | N/A | N/A |
| Destination IP | 35.77.99.82 | N/A | N/A |
| Destination IP | 35.77.99.82 | N/A | N/A |
| Destination IP | 35.77.99.82 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004400440043003800340033003200310041003800300037003900420042000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"
C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\system32\dllhost.exe 209 2692
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | update.chatgpt-server.com | udp |
| N/A | 10.127.255.255:3128 | N/A | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:80 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:443 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:8080 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:80 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:443 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:8080 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:80 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:443 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:8080 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
Files
memory/2364-2-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/2364-1-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/2364-0-0x0000000000360000-0x0000000000460000-memory.dmp
memory/2660-19-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/2692-28-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/2692-40-0x0000000000020000-0x0000000000021000-memory.dmp
memory/2692-46-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/2692-44-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/2692-43-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/2692-42-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/2692-41-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/2364-31-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/2692-29-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/2660-27-0x00000000001B0000-0x00000000001E5000-memory.dmp
memory/2692-26-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/2692-25-0x00000000000C0000-0x00000000000C2000-memory.dmp
memory/2692-23-0x00000000000A0000-0x00000000000C0000-memory.dmp
memory/2692-20-0x0000000000080000-0x0000000000081000-memory.dmp
memory/3064-56-0x0000000000200000-0x0000000000235000-memory.dmp
memory/3064-62-0x0000000000200000-0x0000000000235000-memory.dmp
memory/3064-61-0x0000000000200000-0x0000000000235000-memory.dmp
memory/3064-60-0x0000000000200000-0x0000000000235000-memory.dmp
memory/3064-59-0x0000000000200000-0x0000000000235000-memory.dmp
memory/3064-58-0x0000000000070000-0x0000000000071000-memory.dmp
memory/3064-57-0x0000000000200000-0x0000000000235000-memory.dmp
memory/2692-63-0x00000000001F0000-0x0000000000225000-memory.dmp
memory/3064-64-0x0000000000200000-0x0000000000235000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-14 14:30
Reported
2024-01-14 14:33
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
|---|---|---|---|
| Destination IP | 35.77.99.82 | N/A | N/A |
| Destination IP | 35.77.99.82 | N/A | N/A |
| Destination IP | 35.77.99.82 | N/A | N/A |
| Destination IP | 35.77.99.82 | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42003300460033003000330036003200420041004100370033004300440035000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe"
C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe
"C:\Users\Admin\AppData\Local\Temp\2a5f8da837a8cb94a556b090b05b06d2805e20cdf78d01cfb5f65d06b0268e3c.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\system32\dllhost.exe 209 772
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| N/A | 10.127.255.255:3128 | N/A | udp |
| US | 8.8.8.8:53 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 82.99.77.35.in-addr.arpa | udp |
| JP | 35.77.99.82:80 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| JP | 35.77.99.82:443 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| JP | 35.77.99.82:8080 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| JP | 35.77.99.82:80 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:443 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:8080 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:80 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:443 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:8080 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
Files
memory/3244-0-0x0000000002940000-0x0000000002A40000-memory.dmp
memory/3244-1-0x00000000028E0000-0x0000000002915000-memory.dmp
memory/3244-2-0x00000000028E0000-0x0000000002915000-memory.dmp
memory/8-18-0x0000000000F40000-0x0000000000F75000-memory.dmp
memory/8-19-0x0000000000F40000-0x0000000000F75000-memory.dmp
memory/772-21-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/772-20-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/772-23-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/3244-26-0x00000000028E0000-0x0000000002915000-memory.dmp
memory/8-22-0x0000000000F40000-0x0000000000F75000-memory.dmp
memory/772-34-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/772-35-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/772-36-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/772-37-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/772-38-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/772-40-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/2660-45-0x0000000001340000-0x0000000001375000-memory.dmp
memory/2660-44-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/2660-46-0x0000000001340000-0x0000000001375000-memory.dmp
memory/2660-47-0x0000000001340000-0x0000000001375000-memory.dmp
memory/2660-48-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/2660-49-0x0000000001340000-0x0000000001375000-memory.dmp
memory/2660-50-0x0000000001340000-0x0000000001375000-memory.dmp
memory/2660-51-0x0000000001340000-0x0000000001375000-memory.dmp
memory/772-52-0x0000000000F80000-0x0000000000FB5000-memory.dmp
memory/2660-53-0x0000000001340000-0x0000000001375000-memory.dmp