Analysis
max time kernel: 152s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 07-02-2024 11:32
Static task: static1
Behavioral task: behavioral1
Sample: 7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
Resource: win7-20231215-en
General
Target: 7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
Size: 680KB
MD5: 2f1356cb77747b11a41902001be47d03
SHA1: b580948628efa035b39beb2a132d025ba3306a34
SHA256: 7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8
SHA512: 9cbbdc58fc69c6bdbdf455fd86615a127e694d8571715d4aaad2e8a9cf1dbc1e6d22c29be3ebd8f192d9b2d1a4c094e121ffa554e198b9e6acc9a46c3c497d8c
SSDEEP: 12288:uubsNSOetfARQAPyGU2X+tZ/mH2xd8eEOLBc64cry3rqiWaA3HG:uubsnafAPyjt/hxd8jCBr1ubiakm
Malware Config
Signatures
Detects PlugX payload 21 IoCs
resource yara_rule
behavioral2/memory/4592-24-0x00000000020A0000-0x00000000020DA000-memory.dmp family_plugx
behavioral2/memory/3392-47-0x00000000022D0000-0x000000000230A000-memory.dmp family_plugx
behavioral2/memory/2260-54-0x0000000000D50000-0x0000000000D8A000-memory.dmp family_plugx
behavioral2/memory/4252-57-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/2260-59-0x0000000000D50000-0x0000000000D8A000-memory.dmp family_plugx
behavioral2/memory/4252-61-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/4592-66-0x00000000020A0000-0x00000000020DA000-memory.dmp family_plugx
behavioral2/memory/4252-75-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/4252-76-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/4252-77-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/4252-78-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/4252-79-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/4252-80-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/4252-83-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/2516-87-0x0000024F0C740000-0x0000024F0C77A000-memory.dmp family_plugx
behavioral2/memory/2516-90-0x0000024F0C740000-0x0000024F0C77A000-memory.dmp family_plugx
behavioral2/memory/2516-91-0x0000024F0C740000-0x0000024F0C77A000-memory.dmp family_plugx
behavioral2/memory/2516-92-0x0000024F0C740000-0x0000024F0C77A000-memory.dmp family_plugx
behavioral2/memory/3392-93-0x00000000022D0000-0x000000000230A000-memory.dmp family_plugx
behavioral2/memory/4252-96-0x000002877A070000-0x000002877A0AA000-memory.dmp family_plugx
behavioral2/memory/2516-97-0x0000024F0C740000-0x0000024F0C77A000-memory.dmp family_plugx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation 7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
Executes dropped EXE 3 IoCs
pid Process
4592 wps.exe
3392 wps.exe
2260 wps.exe
Loads dropped DLL 3 IoCs
pid Process
4592 wps.exe
3392 wps.exe
2260 wps.exe
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc
Destination IP 123.111.231.1
Destination IP 110.173.53.162
Destination IP 114.114.114.114
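The signature above fires on port-53 traffic to any host that is not one of the VM's configured resolvers. The check below is an added example (not part of the report or of any sandbox's code) that reproduces that logic over constructed flow records and adds the triage step a practitioner wants: separating hard-coded public resolvers from arbitrary hosts that were spoken to on the DNS port. The configured resolver address, the flow records and the source IP are assumptions; only the three destination IPs come from the report. 114.114.114.114 is the 114DNS public resolver, so that hit is unexpected for the VM but not evidence of C2 by itself; the other two destinations are the ones worth pivoting on.

```python
import ipaddress
from dataclasses import dataclass

# Resolver the sandbox VM is assumed to be configured with. The report does
# not list it, so this address is a placeholder for the example.
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# Well-known public resolvers. Port-53 traffic to these is unexpected for the
# VM but not, by itself, evidence of C2. 114.114.114.114 is the 114DNS
# public resolver widely used in China.
KNOWN_PUBLIC_RESOLVERS = {"114.114.114.114", "8.8.8.8", "1.1.1.1", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed flow records: the three destinations named in the report, one
# normal lookup to the configured resolver, and an unrelated HTTPS flow.
SAMPLE_FLOWS = [
    Flow("udp", "10.127.0.5", "10.127.0.1", 53),
    Flow("udp", "10.127.0.5", "123.111.231.1", 53),
    Flow("udp", "10.127.0.5", "110.173.53.162", 53),
    Flow("udp", "10.127.0.5", "114.114.114.114", 53),
    Flow("tcp", "10.127.0.5", "123.111.231.1", 443),
]


def unexpected_dns_destinations(flows, resolvers=CONFIGURED_RESOLVERS,
                                public=KNOWN_PUBLIC_RESOLVERS, dns_ports=(53,)):
    """Split DNS-port destinations that are not configured resolvers into
    'public_resolver' (hard-coded public DNS, low priority) and 'unknown'
    (arbitrary hosts on port 53: possible hard-coded C2 or DNS tunnelling).
    Both lists are sorted by address and free of duplicates."""
    resolvers = {ipaddress.ip_address(r) for r in resolvers}
    public = {ipaddress.ip_address(p) for p in public}
    unknown, public_hits = set(), set()
    for f in flows:
        if f.dst_port not in dns_ports:
            continue  # not DNS-port traffic, out of scope for this signature
        dst = ipaddress.ip_address(f.dst_ip)
        if dst in resolvers:
            continue  # expected resolver
        (public_hits if dst in public else unknown).add(dst)
    return {
        "unknown": [str(ip) for ip in sorted(unknown)],
        "public_resolver": [str(ip) for ip in sorted(public_hits)],
    }


if __name__ == "__main__":
    print(unexpected_dns_destinations(SAMPLE_FLOWS))
```

The port-only classification is the same one the sandbox uses, so anything the sample tunnels over port 53 that is not DNS at all still lands in the "unknown" bucket; inspect the payloads of those flows rather than assuming they are name lookups.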
VMProtect packed file 9 IoCs
resource yara_rule
behavioral2/files/0x000600000002320d-16.dat vmprotect
behavioral2/memory/4592-19-0x00007FFC947A0000-0x00007FFC947E4000-memory.dmp vmprotect
behavioral2/memory/4592-18-0x00007FFC947A0000-0x00007FFC947E4000-memory.dmp vmprotect
behavioral2/memory/3392-42-0x00007FFC946D0000-0x00007FFC94714000-memory.dmp vmprotect
behavioral2/memory/3392-41-0x00007FFC946D0000-0x00007FFC94714000-memory.dmp vmprotect
behavioral2/memory/2260-51-0x00007FFC946D0000-0x00007FFC94714000-memory.dmp vmprotect
behavioral2/memory/4592-56-0x00007FFC947A0000-0x00007FFC947E4000-memory.dmp vmprotect
behavioral2/memory/2260-62-0x00007FFC946D0000-0x00007FFC94714000-memory.dmp vmprotect
behavioral2/memory/3392-84-0x00007FFC946D0000-0x00007FFC94714000-memory.dmp vmprotect
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ svchost.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 svchost.exe
Modifies registry class 2 IoCs
description ioc Process
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33003700320039003900390046004200300044003700390034003000370030000000 svchost.exe
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe
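The CLSID value written by the injected svchost.exe is shown as raw hex, which is how the sandbox dumps binary registry data. It is a NUL-terminated UTF-16LE string, not a real {GUID}, and decoding it gives a short hex token that can be used as a host-level pivot (PlugX variants have been reported to stash a per-host identifier this way). The decoder below is an added example, not code from the report; the key path and value are the ones quoted above, the GUID heuristic is the author's own.

```python
import re

# Value exactly as the report's "Modifies registry class" signature prints it.
REPORTED_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID"
REPORTED_VALUE = "33003700320039003900390046004200300044003700390034003000370030000000"

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
# Heuristic (an assumption for this example): a bare run of upper-case hex
# digits where a CLSID value should hold a {GUID} is what PlugX leaves behind.
HOST_ID_RE = re.compile(r"[0-9A-F]{8,32}")


def decode_utf16le_hex(hexstr):
    """Turn a hex dump of a UTF-16LE registry value into a Python string,
    dropping the trailing NUL terminator(s)."""
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2:
        raise ValueError("UTF-16LE data must have an even number of bytes")
    return raw.decode("utf-16-le").rstrip("\x00")


def triage_classes_clsid(key_path, hexstr):
    """Decode a Classes\\...\\CLSID value and say whether it is a legitimate
    {GUID} or the kind of opaque token worth hunting for on other hosts."""
    decoded = decode_utf16le_hex(hexstr)
    is_guid = GUID_RE.fullmatch(decoded) is not None
    return {
        "key": key_path,
        "decoded": decoded,
        "is_guid": is_guid,
        "suspicious": (not is_guid) and HOST_ID_RE.fullmatch(decoded) is not None,
    }


if __name__ == "__main__":
    print(triage_classes_clsid(REPORTED_KEY, REPORTED_VALUE))
```

Hunting tip: the key name under SOFTWARE\Classes (here "FAST") is campaign-specific and changes between builds, so a host-wide query for CLSID values that decode to a bare hex token, rather than a search for this one key name, is the more durable check.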
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process count
4592 wps.exe 4
3392 wps.exe 4
2260 wps.exe 4
4252 svchost.exe 12
2516 msiexec.exe 40
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
4252 svchost.exe
2516 msiexec.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process
Token: SeDebugPrivilege 4592 wps.exe
Token: SeTcbPrivilege 4592 wps.exe
Token: SeDebugPrivilege 3392 wps.exe
Token: SeTcbPrivilege 3392 wps.exe
Token: SeDebugPrivilege 2260 wps.exe
Token: SeTcbPrivilege 2260 wps.exe
Token: SeDebugPrivilege 4252 svchost.exe
Token: SeTcbPrivilege 4252 svchost.exe
Token: SeDebugPrivilege 2516 msiexec.exe
Token: SeTcbPrivilege 2516 msiexec.exe
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target count
PID 1292 wrote to memory of 4592 1292 7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe 83 2
PID 2260 wrote to memory of 4252 2260 wps.exe 88 6
PID 4252 wrote to memory of 2516 4252 svchost.exe 89 6
Processes

C:\Users\Admin\AppData\Local\Temp\7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe
"C:\Users\Admin\AppData\Local\Temp\7eae5cef9f7990ee8f749c2ee2d3d93027bcd4c9ad9896e641786e18009e2ad8.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\wps.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wps.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4592

C:\ProgramData\Kingsoft\office6\wps.exe
"C:\ProgramData\Kingsoft\office6\wps.exe" 100 4592
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\ProgramData\Kingsoft\office6\wps.exe
"C:\ProgramData\Kingsoft\office6\wps.exe" 200 0
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

  C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4252

    C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 4252
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 147KB
MD5 ae0178a893006cdc447f54e41d549991
SHA1 e5109d5f1e762ab3c52bfecdca67ccb783248bf4
SHA256 e4ba3a0debbb790a917abe7c5374350de9f7909d5a8b2fafdc1962b968013acd
SHA512 d3782758405423afec5000af001ea990fd26be0e2561cf5ec344db1f45cae072a41c0cdd107745b9bb473e535bf8220acef0a00a9992b997a0bcc7baed4a9ea9

Filesize 152KB
MD5 a1ed676cf36394b6b4fb449309b91b5b
SHA1 4cf7a01b132e4855581e39f5d0da204301fdae98
SHA256 8da2085b60e44aa5fa46c8613757e1582df098e27373b2c8916d2725f28b46de
SHA512 ce224d2376a7d78777691f9eceb8a48755787b390b73e309d48337b8d097a9370e66780237e2884294c76205f93f27e82744804781abe8eaee255c9e2f0f3f11

Filesize 177KB
MD5 f44992d14033a2b5b1064104658a29e1
SHA1 62673aa6e8bde17f218524cbe3bf50cb5b949f3b
SHA256 331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4
SHA512 9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b