Analysis Overview
SHA256
e49e2826c4d9fae960ca6baecd6754400e5da74446c5b511beb15831b42f2b1d
Threat Level: Known bad
The file NvSmartMax.rar was found to be: Known bad.
Malicious Activity Summary
Detects PlugX payload
PlugX
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-07 20:57
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-07 20:57
Reported
2024-02-07 21:02
Platform
win7-20231215-en
Max time kernel
300s
Max time network
301s
Signatures
Detects PlugX payload
25 matches (the indicator, process and target columns were not captured in this extract).
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecisionTime = 50c3f4cc085ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadNetworkName = "Network 3" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\be-23-f0-4f-e6-3d | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecisionTime = 50c3f4cc085ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDetectedUrl | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecisionTime = f0deeb65085ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecisionTime = f0deeb65085ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003700350035003200370035004200340030003300300041003200300031000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege, reported by LUID) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege, reported by LUID) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar"
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19207:100:7zEvent6980
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\Nv.exe
nv
C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 100 300
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 200 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1400
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | exchange.from-sc.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Nv.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
C:\Users\Admin\AppData\Local\Temp\NvSmartMax.dll
| MD5 | 0b21678ed8e2b117344cfceba8f097dd |
| SHA1 | db53bb022cb6de016713f1570f2ae501f20f9c76 |
| SHA256 | eaaa7899b37a3b04dcd02ad6d51e83e035be535f129773621ef0f399a2a98ee3 |
| SHA512 | 182268649b360f44f021570ddc9290f5051a8be556ffd66355bc325027ba48c5fe824e1bea925411bdaef4c17e0f3d81a1d3c710b59c4462540d567da625a41a |
C:\Users\Admin\AppData\Local\Temp\Nv.mp3
| MD5 | 5ef7c3bcbc11cd02c95e509b226eebe9 |
| SHA1 | 794a90212d226628c8ce4441c3418c1ecca0e3b8 |
| SHA256 | 3d64e638f961b922398e2efaf75504da007e41ea979f213f8eb4f83e00efeebb |
| SHA512 | c86f464f736125d8fb499efe2555cae1aea5d67fbf15be816883e058ad9107eb399d3ade6c5afe811a2eb59ebdc1d52c992124359fa26085a650eb940fe2eae4 |
memory/300-35-0x0000000000410000-0x0000000000510000-memory.dmp
memory/300-37-0x0000000000280000-0x00000000002B0000-memory.dmp
memory/300-36-0x0000000000280000-0x00000000002B0000-memory.dmp
C:\ProgramData\SxS\Nv.exe
| MD5 | 567454f23114827bb6394cb2a39b7558 |
| SHA1 | 348df1cf1896359afb60e377844e42e6b6cecbd5 |
| SHA256 | 12cc8beee16c16ab409971054335a73bec15e94210e5d388660ab6b1a69faeb1 |
| SHA512 | 132faf68816aef41c369b1b20de453e7a83522eeab3d03b3608b972ec1393403e67195c72d1a65ac9d8e4037d535cafe75db4bce77ec7b9525eee73101e60b82 |
C:\ProgramData\SxS\NvSmartMax.dll
| MD5 | 364aedd62318de58603f5cbe59be1f2b |
| SHA1 | 929fd4750f7c9bc235477464c164a9034b5b0332 |
| SHA256 | fa9a0fec3ed1c6a008ed862ca53559039183e4288b0e8bd2ceebef430d850d1a |
| SHA512 | 261e85eb361e53d51996dcba71a7e761bc875ddaaf71f31a18d2ddb3d7c07af9f337584b7b7440e8f2368b5aa33ee9035540cae7ea3e52c4ee71bc6e4f854b3c |
C:\ProgramData\SxS\Nv.mp3
| MD5 | 56e2d0804ef02eb06b67198316438ede |
| SHA1 | 44801d650f56beab5eaa1ba5527d8799adb4e727 |
| SHA256 | 8728bd42eed8b4c4b558992531d0c44697d47c7bfcf60c2aa1e54eb1743b535d |
| SHA512 | 32c33413a93d5d0261b50be454fbf2d74f3b4d63b5585b50523fb4826aea454c23659d6d0c109aee5620d59771861b83e8ce910ed07abc3e693779e3db2783b3 |
C:\ProgramData\SxS\Nv.mp3
| MD5 | 8181e25b82b809075936cd5871307499 |
| SHA1 | d442f3e6367593cdb4d1b04857a3e2347860570e |
| SHA256 | aca64c47b8d224d84e1a30ed841fb67540629d6955710d19d466f6f778440101 |
| SHA512 | 70b8575ad3da85c8e180f91a8f62858ed48f8ef2c52e520172e43c43b514a6e73c86c7dcde47a8c09bc33355ea2dd33753bf621ce3f8dc908699d9b6d75eaa2f |
memory/868-57-0x0000000000280000-0x00000000002B0000-memory.dmp
memory/868-56-0x0000000000280000-0x00000000002B0000-memory.dmp
\ProgramData\SxS\NvSmartMax.dll
| MD5 | efbc7e63b808809fb97023ff97d43e93 |
| SHA1 | 121f600b8e378d7c5f4f1b761b81f5b210c97f58 |
| SHA256 | d6c84f55958192cd12715bb52b8ca130c2df4f93ea3c8adfcc929263ce29902e |
| SHA512 | 7a36aa0cbb546e7b3425c109e241b4e8645d51175bb7d3525bd408d967d860455cc376e757c2ef00d4a99a3ba76c73727b6397876b88d267a04d27a82bf7d990 |
memory/1400-66-0x0000000000140000-0x0000000000142000-memory.dmp
memory/1400-71-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-93-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-97-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-96-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-94-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-95-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-92-0x0000000000180000-0x00000000001B0000-memory.dmp
C:\ProgramData\SxS\bug.log
| MD5 | 5a9f634c4d5f649b9b8ab461c26af052 |
| SHA1 | b4a10800ea5198e0d9dd7e3136ab06d96eab43bb |
| SHA256 | 8484070442fbfcac840caeba03b383b4e82fa5bf7aba6e85728ff65043e3e933 |
| SHA512 | 4721f5d1f76d159d3d6537da7e75872ba5665094b14ffa313139c74eb6068b9e0170e0ae531938360be00a26ba0893cacbf285bfc5bff028b4e7ec17521e933c |
memory/1400-88-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-87-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-86-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-85-0x0000000000020000-0x0000000000021000-memory.dmp
memory/300-76-0x0000000000280000-0x00000000002B0000-memory.dmp
C:\ProgramData\SxS\bug.log
| MD5 | 517274021f580090e3b05ffcf8049ffe |
| SHA1 | 013bafab4586b02209594039e633c08139b2c517 |
| SHA256 | 0669976ab7464092d492ec079fb18c2c3c2b390cd1a5cdd581000255287095c5 |
| SHA512 | 8f4b4eaf1c25c0046d249d4009bfd00d752a7673f863f77cbc5030b157da4d3099d9a04474f729aa4542749379c96eab1512a6afa0f90880f180268effca9745 |
memory/1400-69-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/1400-67-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1400-65-0x0000000000120000-0x000000000013D000-memory.dmp
memory/1400-63-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1332-62-0x0000000000410000-0x0000000000440000-memory.dmp
memory/1332-61-0x0000000000410000-0x0000000000440000-memory.dmp
C:\ProgramData\SxS\Nv.exe
| MD5 | 6fb42249972ff72e4394978cada4b151 |
| SHA1 | a1fdd01e6ba9f6a003ff1e9db35e1ab2975a67ec |
| SHA256 | aaf8f9a8be670616731a5f5b41ad3e9d20e601c9dd46d1acb3908483d2cce7c3 |
| SHA512 | ce47cf4b800ab0db9c6785716611c58ded64e421f3290dc44b8a615f2d35738e6a728981c5844eea735a7edf1b6e519a1fd50c44679f8048d6b4384c1af51e41 |
memory/868-98-0x0000000000280000-0x00000000002B0000-memory.dmp
memory/1400-100-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/432-108-0x0000000000260000-0x0000000000290000-memory.dmp
memory/432-113-0x0000000000260000-0x0000000000290000-memory.dmp
memory/432-112-0x0000000000260000-0x0000000000290000-memory.dmp
memory/432-110-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1400-115-0x0000000000180000-0x00000000001B0000-memory.dmp
memory/432-116-0x0000000000260000-0x0000000000290000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-07 20:57
Reported
2024-02-07 21:02
Platform
win10-20231215-en
Max time kernel
300s
Max time network
303s
Signatures
Detects PlugX payload
23 matches (the indicator, process and target columns were not captured in this extract).
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004200330045003200350031003200440037003200410033004300340038000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
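The `FAST\CLSID` values recorded under "Modifies registry class" in both detonations are REG_BINARY blobs that hold a NUL-terminated UTF-16LE string, and the `WpadDecisionTime` values that svchost.exe wrote under HKEY_USERS\.DEFAULT in behavioral1 are 8-byte little-endian FILETIMEs. The decoder below is an added example written for this page, not part of the sandbox report or of any tool it names; it takes the hex exactly as the tables print it and returns the string or an aware UTC datetime. The two detonations yielded different 16-hex-digit CLSID strings, which is what a per-infection identifier looks like rather than a real class ID (an inference from the two values, not something the report states). The WPAD, ZoneMap and INetCache entries written by svchost.exe are WinINet's own bookkeeping for a SYSTEM-context process, i.e. the injected code used WinINet, which fits the DNS lookups for exchange.from-sc.com in the Network tables.

```python
from datetime import datetime, timedelta, timezone

# Values copied verbatim from this report's registry tables.
FAST_CLSID_HEX = {
    "behavioral1": "44003700350035003200370035004200340030003300300041003200300031000000",
    "behavioral2": "38004200330045003200350031003200440037003200410033004300340038000000",
}
WPAD_DECISION_TIME_HEX = ["f0deeb65085ada01", "50c3f4cc085ada01"]

# FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_reg_utf16(hex_data: str) -> str:
    """Hex dump of a NUL-terminated UTF-16LE registry value -> Python str."""
    raw = bytes.fromhex(hex_data)
    if len(raw) % 2:
        raise ValueError("UTF-16 data must have an even byte length")
    text = raw.decode("utf-16-le")
    return text.split("\x00", 1)[0]  # drop the terminator and anything after it


def filetime_from_hex(hex_data: str) -> datetime:
    """Hex dump of an 8-byte little-endian FILETIME -> aware UTC datetime."""
    raw = bytes.fromhex(hex_data)
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    # timedelta works in microseconds, so divide the 100-ns tick count by 10.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_report_values() -> dict:
    """Decode every value above; returns {"clsid": {...}, "wpad_times": [...]}."""
    return {
        "clsid": {k: decode_reg_utf16(v) for k, v in FAST_CLSID_HEX.items()},
        "wpad_times": [filetime_from_hex(h).isoformat() for h in WPAD_DECISION_TIME_HEX],
    }


if __name__ == "__main__":
    for name, value in decode_report_values()["clsid"].items():
        print(f"FAST\\CLSID ({name}): {value}")
    for stamp in decode_report_values()["wpad_times"]:
        print(f"WpadDecisionTime: {stamp}")
```

The two decoded WPAD timestamps (20:58:27 and 21:01:20 on 2024-02-07) fall inside the 20:57 to 21:02 detonation window, assuming the report's times are UTC; that is a cheap consistency check between sandbox clock and report metadata before any of the timestamps are used in a timeline.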
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege, reported by LUID) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 (SeCreateSymbolicLinkPrivilege, reported by LUID) | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\Nv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap22787:100:7zEvent812
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\AppData\Local\Temp\Nv.exe
nv
C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 100 4516
C:\ProgramData\SxS\Nv.exe
"C:\ProgramData\SxS\Nv.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 4960
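The process lists of both detonations show the same chain: the extracted Nv.exe runs from Temp, a second copy runs from C:\ProgramData\SxS\ with purely numeric arguments ("100 300" / "100 4516", then "200 0"), and svchost.exe and msiexec.exe are started with numeric arguments as well. Two details are worth a rule. First, the second number handed to "100" and "209" (300 and 1400 here, 4516 and 4960 in behavioral2) reappears as the PID in the memory-dump names under Files, so those arguments look like PIDs passed between stages (an observation from the numbers on this page, not a documented flag meaning). Second, the command lines name C:\Windows\system32\svchost.exe and msiexec.exe but the images that actually ran are under SysWOW64: WOW64 file-system redirection rewrote the path, which only happens when the creating process is 32-bit, and a genuine svchost is created by the 64-bit service control manager with "-k <group>" arguments. The scanner below is an added example, not a rule from the sandbox vendor; it runs three such checks over events constructed from this report's behavioral1 process list (parent PIDs are not in the extract, so the rules use only image path and command line).

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str    # on-disk image path as the sandbox reported it
    cmdline: str  # command line as the sandbox reported it


# Sample events constructed from the "Processes" list in this report
# (behavioral1), with the benign cmd.exe and 7-Zip launches as negative cases.
EVENTS = [
    ProcEvent(r"C:\Windows\system32\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar"),
    ProcEvent(r"C:\Program Files\7-Zip\7zG.exe",
              r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19207:100:7zEvent6980'),
    ProcEvent(r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\Nv.exe", "nv"),
    ProcEvent(r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 100 300'),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0"),
    ProcEvent(r"C:\ProgramData\SxS\Nv.exe", r'"C:\ProgramData\SxS\Nv.exe" 200 0'),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 1400"),
]

# Windows binaries that malware commonly starts suspended and injects into.
HOST_PROCESSES = {"svchost.exe", "msiexec.exe", "rundll32.exe", "dllhost.exe"}
# Directory fragments (lower-case) that any user can write to.
WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev: ProcEvent) -> list[str]:
    """Return the names of the rules this event trips (empty list if none)."""
    hits: list[str] = []
    image = ev.image.lower()
    argv = split_args(ev.cmdline)
    args = argv[1:]
    numeric_args = bool(args) and all(a.isdigit() for a in args)

    # 1. A host process whose only arguments are integers. Real svchost
    #    instances carry "-k <group>", real msiexec instances carry /i, /x, /V.
    if _basename(image) in HOST_PROCESSES and numeric_args:
        hits.append("host_process_numeric_args")

    # 2. The command line says ...\Windows\system32\... but the image that ran
    #    is under SysWOW64: redirection fired, so the creator was 32-bit.
    if argv and "\\windows\\system32\\" in argv[0].lower() and "\\windows\\syswow64\\" in image:
        hits.append("wow64_redirected_image")

    # 3. Execution from a user-writable data directory, worse with numeric args.
    if any(d in image for d in WRITABLE_DIRS):
        hits.append("exec_from_writable_dir")
        if numeric_args:
            hits.append("dropped_exe_numeric_args")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """(command line, rule name) for every rule hit across all events."""
    return [(ev.cmdline, hit) for ev in events for hit in rules_for(ev)]


if __name__ == "__main__":
    for cmdline, hit in scan(EVENTS):
        print(f"{hit:28s} {cmdline}")
```

Rule 2 is the one that survives renaming: whatever the dropped files are called, a SysWOW64 svchost.exe whose command line still reads system32 was not started by services.exe. On a real EDR feed you would add the parent image to the event and require it to be services.exe for svchost.exe, which removes the remaining ambiguity.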
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | exchange.from-sc.com | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exchange.from-sc.com | udp |
| US | 8.8.8.8:53 | exchange.from-sc.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Nv.exe
| MD5 | 09b8b54f78a10c435cd319070aa13c28 |
| SHA1 | 6474d0369f97e72e01e4971128d1062f5c2b3656 |
| SHA256 | 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256 |
| SHA512 | c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7 |
\Users\Admin\AppData\Local\Temp\NvSmartMax.dll
| MD5 | 0b21678ed8e2b117344cfceba8f097dd |
| SHA1 | db53bb022cb6de016713f1570f2ae501f20f9c76 |
| SHA256 | eaaa7899b37a3b04dcd02ad6d51e83e035be535f129773621ef0f399a2a98ee3 |
| SHA512 | 182268649b360f44f021570ddc9290f5051a8be556ffd66355bc325027ba48c5fe824e1bea925411bdaef4c17e0f3d81a1d3c710b59c4462540d567da625a41a |
C:\Users\Admin\AppData\Local\Temp\Nv.mp3
| MD5 | 5ef7c3bcbc11cd02c95e509b226eebe9 |
| SHA1 | 794a90212d226628c8ce4441c3418c1ecca0e3b8 |
| SHA256 | 3d64e638f961b922398e2efaf75504da007e41ea979f213f8eb4f83e00efeebb |
| SHA512 | c86f464f736125d8fb499efe2555cae1aea5d67fbf15be816883e058ad9107eb399d3ade6c5afe811a2eb59ebdc1d52c992124359fa26085a650eb940fe2eae4 |
memory/4516-12-0x0000000002000000-0x0000000002100000-memory.dmp
memory/4516-13-0x0000000002150000-0x0000000002180000-memory.dmp
memory/4516-28-0x0000000002150000-0x0000000002180000-memory.dmp
memory/5084-36-0x00000000005B0000-0x00000000005E0000-memory.dmp
memory/3564-41-0x0000000000E40000-0x0000000000E70000-memory.dmp
memory/3564-46-0x0000000000E40000-0x0000000000E70000-memory.dmp
memory/4960-61-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-67-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-68-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-72-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-70-0x0000000000850000-0x0000000000880000-memory.dmp
C:\ProgramData\SxS\bug.log
| MD5 | 4cf794ec5abcb3e69e4a338a0d3d1ebb |
| SHA1 | 6f52c69df3405b6c9e9e8fe9e4efa5b194880a64 |
| SHA256 | 249f9f61f14f594a2dac007e190d61906fa1c7b397819e368729aae53a6aaa3e |
| SHA512 | 3b0ff750819e33509687f9eec3f1693f8c2fd9473bb8396181e74c45aa79656371b2dc828cedb2ff2b1c8b8bc5d00d0610fe9969f35060f88d27ebb443cd9f4c |
memory/4960-74-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-63-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-62-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-60-0x00000000000B0000-0x00000000000B1000-memory.dmp
C:\ProgramData\SxS\bug.log
| MD5 | 1b0a71ad841631d5ee160f1d786c03a8 |
| SHA1 | 94a8c754f5fc57c5ecdd7c1213dbcccb8d00bc84 |
| SHA256 | 14983e7d3bb47bc69525630eb9b88a05de1566a5088d8f901427394eac64579c |
| SHA512 | 41c02f2d60536f5145fded609ea977925f9cea1a55d6469e3d22c31a5ef93fcd4dc18a8edd1a3dccb84f02f23a868038058e8462fc49b353f2ea96a1d9ed9278 |
memory/4960-45-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-44-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-43-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4960-42-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/5084-35-0x00000000005B0000-0x00000000005E0000-memory.dmp
memory/5084-75-0x00000000005B0000-0x00000000005E0000-memory.dmp
memory/4976-79-0x0000000002C60000-0x0000000002C61000-memory.dmp
memory/4976-78-0x00000000032A0000-0x00000000032D0000-memory.dmp
memory/4976-82-0x00000000032A0000-0x00000000032D0000-memory.dmp
memory/4976-80-0x00000000032A0000-0x00000000032D0000-memory.dmp
memory/4960-83-0x0000000000850000-0x0000000000880000-memory.dmp
memory/4976-84-0x00000000032A0000-0x00000000032D0000-memory.dmp