Analysis
max time kernel: 300s
max time network: 303s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07-02-2024 20:57
Static task: static1
Behavioral task: behavioral1
Sample: NvSmartMax.rar
Resource: win7-20231215-en
General
Target: NvSmartMax.rar
Size: 146KB
MD5: c56cac95726fd10b5a85be1c87336354
SHA1: b29b5a35c3ecd559047e8477e949ac72e9bdc52d
SHA256: e49e2826c4d9fae960ca6baecd6754400e5da74446c5b511beb15831b42f2b1d
SHA512: d6dd8283320330199e9235e4e8bb2ed7995f5c6cb51a08e2118502660bc8ce29d7490198e1dcba9641b199b8d7f80c1708948230b69392cfd8391c5a7d505ab5
SSDEEP: 3072:MljIdulYQyNl7bAT+JbjClf00YM8SzR1hv0iuzFWC9FnbfztQf:Mj+uqXAT6jClkao5WCrbCf
Malware Config
Signatures
Detects PlugX payload (23 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/4516-13-0x0000000002150000-0x0000000002180000-memory.dmp family_plugx
- behavioral2/memory/4516-28-0x0000000002150000-0x0000000002180000-memory.dmp family_plugx
- behavioral2/memory/5084-36-0x00000000005B0000-0x00000000005E0000-memory.dmp family_plugx
- behavioral2/memory/3564-41-0x0000000000E40000-0x0000000000E70000-memory.dmp family_plugx
- behavioral2/memory/3564-46-0x0000000000E40000-0x0000000000E70000-memory.dmp family_plugx
- behavioral2/memory/4960-61-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-67-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-68-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-72-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-70-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-74-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-63-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-62-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-45-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-44-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4960-43-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/5084-35-0x00000000005B0000-0x00000000005E0000-memory.dmp family_plugx
- behavioral2/memory/5084-75-0x00000000005B0000-0x00000000005E0000-memory.dmp family_plugx
- behavioral2/memory/4976-78-0x00000000032A0000-0x00000000032D0000-memory.dmp family_plugx
- behavioral2/memory/4976-82-0x00000000032A0000-0x00000000032D0000-memory.dmp family_plugx
- behavioral2/memory/4976-80-0x00000000032A0000-0x00000000032D0000-memory.dmp family_plugx
- behavioral2/memory/4960-83-0x0000000000850000-0x0000000000880000-memory.dmp family_plugx
- behavioral2/memory/4976-84-0x00000000032A0000-0x00000000032D0000-memory.dmp family_plugx
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 4516 Nv.exe
- 5084 Nv.exe
- 3564 Nv.exe
Loads dropped DLL (3 IoCs)
Processes (pid, process):
- 4516 Nv.exe
- 5084 Nv.exe
- 3564 Nv.exe
Drops file in System32 directory (5 IoCs)
Processes (description, ioc, process):
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 svchost.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE svchost.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies svchost.exe
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 svchost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (20 IoCs)
Processes (description, ioc, process):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform svchost.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" svchost.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform svchost.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent svchost.exe
Modifies registry class (3 IoCs)
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings cmd.exe
- Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004200330045003200350031003200440037003200410033004300340038000000 svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Nv.exe, svchost.exe, msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid, process):
- 4960 svchost.exe
- 4976 msiexec.exe
Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes (description, pid, process):
- Token: SeRestorePrivilege 3824 7zFM.exe
- Token: 35 3824 7zFM.exe
- Token: SeRestorePrivilege 3812 7zG.exe
- Token: 35 3812 7zG.exe
- Token: SeSecurityPrivilege 3812 7zG.exe
- Token: SeSecurityPrivilege 3812 7zG.exe
- Token: SeDebugPrivilege 4516 Nv.exe
- Token: SeTcbPrivilege 4516 Nv.exe
- Token: SeDebugPrivilege 5084 Nv.exe
- Token: SeTcbPrivilege 5084 Nv.exe
- Token: SeDebugPrivilege 3564 Nv.exe
- Token: SeTcbPrivilege 3564 Nv.exe
- Token: SeDebugPrivilege 4960 svchost.exe
- Token: SeTcbPrivilege 4960 svchost.exe
- Token: SeDebugPrivilege 4976 msiexec.exe
- Token: SeTcbPrivilege 4976 msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid, process):
- 3824 7zFM.exe
- 3812 7zG.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description, pid, process, target process):
- PID 5092 wrote to memory of 3824 5092 cmd.exe 7zFM.exe
- PID 5092 wrote to memory of 3824 5092 cmd.exe 7zFM.exe
- PID 4928 wrote to memory of 4516 4928 cmd.exe Nv.exe
- PID 4928 wrote to memory of 4516 4928 cmd.exe Nv.exe
- PID 4928 wrote to memory of 4516 4928 cmd.exe Nv.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 3564 wrote to memory of 4960 3564 Nv.exe svchost.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
- PID 4960 wrote to memory of 4976 4960 svchost.exe msiexec.exe
Processes (process tree; children are indented under their parent)
C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Program Files\7-Zip\7zFM.exe
    command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap22787:100:7zEvent812
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Nv.exe
    command line: nv
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
C:\ProgramData\SxS\Nv.exe
  command line: "C:\ProgramData\SxS\Nv.exe" 100 4516
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
C:\ProgramData\SxS\Nv.exe
  command line: "C:\ProgramData\SxS\Nv.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\system32\svchost.exe 201 0
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe
      command line: C:\Windows\system32\msiexec.exe 209 4960
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\ProgramData\SxS\bug.log
  Filesize: 656B
  MD5: 1b0a71ad841631d5ee160f1d786c03a8
  SHA1: 94a8c754f5fc57c5ecdd7c1213dbcccb8d00bc84
  SHA256: 14983e7d3bb47bc69525630eb9b88a05de1566a5088d8f901427394eac64579c
  SHA512: 41c02f2d60536f5145fded609ea977925f9cea1a55d6469e3d22c31a5ef93fcd4dc18a8edd1a3dccb84f02f23a868038058e8462fc49b353f2ea96a1d9ed9278
C:\ProgramData\SxS\bug.log
  Filesize: 818B
  MD5: 4cf794ec5abcb3e69e4a338a0d3d1ebb
  SHA1: 6f52c69df3405b6c9e9e8fe9e4efa5b194880a64
  SHA256: 249f9f61f14f594a2dac007e190d61906fa1c7b397819e368729aae53a6aaa3e
  SHA512: 3b0ff750819e33509687f9eec3f1693f8c2fd9473bb8396181e74c45aa79656371b2dc828cedb2ff2b1c8b8bc5d00d0610fe9969f35060f88d27ebb443cd9f4c
C:\Users\Admin\AppData\Local\Temp\Nv.exe
  Filesize: 46KB
  MD5: 09b8b54f78a10c435cd319070aa13c28
  SHA1: 6474d0369f97e72e01e4971128d1062f5c2b3656
  SHA256: 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
  SHA512: c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7
C:\Users\Admin\AppData\Local\Temp\Nv.mp3
  Filesize: 120KB
  MD5: 5ef7c3bcbc11cd02c95e509b226eebe9
  SHA1: 794a90212d226628c8ce4441c3418c1ecca0e3b8
  SHA256: 3d64e638f961b922398e2efaf75504da007e41ea979f213f8eb4f83e00efeebb
  SHA512: c86f464f736125d8fb499efe2555cae1aea5d67fbf15be816883e058ad9107eb399d3ade6c5afe811a2eb59ebdc1d52c992124359fa26085a650eb940fe2eae4
\Users\Admin\AppData\Local\Temp\NvSmartMax.dll
  Filesize: 20KB
  MD5: 0b21678ed8e2b117344cfceba8f097dd
  SHA1: db53bb022cb6de016713f1570f2ae501f20f9c76
  SHA256: eaaa7899b37a3b04dcd02ad6d51e83e035be535f129773621ef0f399a2a98ee3
  SHA512: 182268649b360f44f021570ddc9290f5051a8be556ffd66355bc325027ba48c5fe824e1bea925411bdaef4c17e0f3d81a1d3c710b59c4462540d567da625a41a
memory/3564-41-0x0000000000E40000-0x0000000000E70000-memory.dmp Filesize: 192KB
memory/3564-46-0x0000000000E40000-0x0000000000E70000-memory.dmp Filesize: 192KB
memory/4516-12-0x0000000002000000-0x0000000002100000-memory.dmp Filesize: 1024KB
memory/4516-13-0x0000000002150000-0x0000000002180000-memory.dmp Filesize: 192KB
memory/4516-28-0x0000000002150000-0x0000000002180000-memory.dmp Filesize: 192KB
memory/4960-63-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-44-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-72-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-70-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-67-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-74-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-61-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-62-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-60-0x00000000000B0000-0x00000000000B1000-memory.dmp Filesize: 4KB
memory/4960-83-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-45-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-68-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-43-0x0000000000850000-0x0000000000880000-memory.dmp Filesize: 192KB
memory/4960-42-0x00000000001A0000-0x00000000001A1000-memory.dmp Filesize: 4KB
memory/4976-79-0x0000000002C60000-0x0000000002C61000-memory.dmp Filesize: 4KB
memory/4976-78-0x00000000032A0000-0x00000000032D0000-memory.dmp Filesize: 192KB
memory/4976-82-0x00000000032A0000-0x00000000032D0000-memory.dmp Filesize: 192KB
memory/4976-80-0x00000000032A0000-0x00000000032D0000-memory.dmp Filesize: 192KB
memory/4976-84-0x00000000032A0000-0x00000000032D0000-memory.dmp Filesize: 192KB
memory/5084-35-0x00000000005B0000-0x00000000005E0000-memory.dmp Filesize: 192KB
memory/5084-75-0x00000000005B0000-0x00000000005E0000-memory.dmp Filesize: 192KB
memory/5084-36-0x00000000005B0000-0x00000000005E0000-memory.dmp Filesize: 192KB