Analysis Overview
SHA256
28dc274e4f75b88e22a58a0672e4abaf15f9660f939dbd49a8db443a7e8891a6
Threat Level: Known bad
The file AsComDtSvc.rar was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX payload
Unexpected DNS network traffic destination
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Analysis: static1
Detonation Overview
Reported
2024-02-18 16:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| 1 match (the report records no further details) | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win11-20240214-en
Max time kernel
82s
Max time network
90s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 4900 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Note: the writer is the 64-bit rundll32.exe and the target is the 32-bit rundll32.exe it started to host ATKEX.dll, the normal hand-off when a 64-bit rundll32 is given a 32-bit DLL, so this signature alone does not show injection by the sample. Nothing else fired in this run or in the other three rundll32 detonations (behavioral1, behavioral2, behavioral3): no PlugX detection, no dropped files, no traffic beyond the guest's own reverse lookups. The payload only appears in the runs where TraceIndexer.exe loads ATKEX.dll from its own directory (behavioral5 to behavioral8).
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win10v2004-20231215-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| 17 matches (the report records no per-match details) | N/A | N/A | N/A |
PlugX
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 35.77.99.82 | N/A | N/A |
Note: the guest's configured resolver is 8.8.8.8, so port-53 traffic to any other host trips this signature. In the network table below the sample resolves update.chatgpt-server.com through 8.8.8.8 and then sends UDP/53 traffic straight to 35.77.99.82, the address the table pairs with that name; a reverse lookup for 82.99.77.35.in-addr.arpa follows. Treat both the domain and the IP as indicators of the sample's own traffic, and the many other in-addr.arpa lookups to 8.8.8.8 (Microsoft address ranges) as background reverse lookups by the Windows guest, not indicators.
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35004400340043003400360031004600320045003800300042003600340044000000 (NUL-terminated UTF-16LE string "5D4C461F2E80B64D"; the data differs in every detonation, so hunt on the key path rather than the value) | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe
"C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe"
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 100 4492
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\system32\WerFault.exe 209 3880
Note: every stage after the first is started with two numeric arguments, and the second one, when non-zero, is the PID of an earlier process in the chain: 4492 is the Temp copy (its dumps appear as memory/4492-* below), and by dump order (4492, 1712, 4948, 3880, 4996) 3880 is the svchost.exe instance that carries the registry, clipboard-listener and foreground-window signatures. svchost.exe and WerFault.exe are therefore started by the sample's own chain with this argument scheme, not by the Service Control Manager (which passes -k <group>) or Windows Error Reporting; their command lines name system32 while the 32-bit images in SysWOW64 run, which is WOW64 file-system redirection from a 32-bit parent.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.chatgpt-server.com | udp |
| N/A | 10.127.255.255:3128 | N/A | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 82.99.77.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.246.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
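The network table above mixes three kinds of rows: forward lookups the sample makes through the sandbox resolver, background reverse lookups by the guest, and the sample's own port-53 traffic to a non-resolver. The Python below is an added example, not part of the sandbox report, that parses rows in the table's layout (including the row where the sandbox prints the protocol in the domain column) and splits them into those sets. The rows are copied from this run; the assumption that 8.8.8.8 is the guest's only resolver and the ".255 means broadcast" heuristic are the example's own.

```python
"""Triage a sandbox network table: keep the sample's own indicators, drop resolver noise."""
import ipaddress
import re

# Rows copied from the behavioral7 network table. The third row is the one the
# sandbox prints with the protocol in the domain column when it has no domain
# for the destination; parse_rows() handles that layout.
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.chatgpt-server.com | udp |
| N/A | 10.127.255.255:3128 | udp | |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 82.99.77.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
"""

# Assumption for this example: 8.8.8.8 is the only resolver the guest is given,
# which is what the table and the "Unexpected DNS" signature imply.
SANDBOX_RESOLVERS = {"8.8.8.8"}
PROTOS = {"udp", "tcp"}


def parse_rows(text):
    """Yield (country, ip, port, domain_or_None, proto) for each data row."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[1] in ("Destination", "N/A"):
            continue  # header or empty row
        country, dest = cells[0], cells[1]
        if cells[2].lower() in PROTOS:          # misaligned row, no domain known
            domain, proto = None, cells[2].lower()
        else:
            domain = cells[2]
            proto = cells[3].lower() if len(cells) > 3 else ""
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def ptr_to_ip(name):
    """'82.99.77.35.in-addr.arpa' -> '35.77.99.82'; None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


def triage(text):
    """Split the rows into the indicator sets a responder actually needs."""
    domains, unexpected_dns, ptr_ips, broadcasts = set(), set(), set(), set()
    for _country, ip, port, domain, _proto in parse_rows(text):
        if port == 53 and ip in SANDBOX_RESOLVERS and domain:
            rev = ptr_to_ip(domain)
            if rev:
                ptr_ips.add(rev)        # reverse lookup: record the IP, not the name
            else:
                domains.add(domain)     # forward lookup: a domain indicator
        elif port == 53:
            unexpected_dns.add(ip)      # port 53 to a non-resolver: the sample's own traffic
        elif ipaddress.ip_address(ip).is_private and ip.endswith(".255"):
            broadcasts.add(f"{ip}:{port}")  # heuristic: local broadcast probe, not an external IOC
    # An unexpected destination that also appears as a reverse lookup is tied
    # together by two independent rows of the same capture.
    return {
        "domains": domains,
        "unexpected_dns": unexpected_dns,
        "corroborated": unexpected_dns & ptr_ips,
        "broadcasts": broadcasts,
    }


if __name__ == "__main__":
    for key, values in triage(NETWORK_ROWS).items():
        print(f"{key}: {sorted(values)}")
```

Run on this table it keeps one domain and one unexpected port-53 destination, and the reverse lookup for that same address lands in the corroborated set; the remaining in-addr.arpa rows and the 10.127.255.255:3128 broadcast are set aside.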
Files
memory/4492-0-0x0000000002860000-0x0000000002960000-memory.dmp
memory/4492-2-0x0000000000F90000-0x0000000000FC5000-memory.dmp
memory/4492-4-0x0000000000F90000-0x0000000000FC5000-memory.dmp
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dat
| MD5 | e83af8dd173892918a785d27e1aef2a5 |
| SHA1 | d0ce65a13d43205b7a9c253b010fb2cea977a4b3 |
| SHA256 | 31a63f7813c3436fec5c5493e30356da12ea4729fb1757bff877fc1a63825361 |
| SHA512 | 884cb0ddf17ce35e6f191ddd97905781da67b8c8b4d27a87f872564e7d419df8966eadf93df5928fdc87e09aaf1eea187b621858c5bd2f6d41fb99872762acd5 |
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dll
| MD5 | ed5b3b3a04e3ccc8ddc41e0691c6af38 |
| SHA1 | 7ab5dc0750fa4d5953bf45b9de4b5261458b69fa |
| SHA256 | 9b0f2a4833461caabd4d44c53c31b719c80b7f44a92cff5c0fb01d83f7fa43cb |
| SHA512 | ae89fa6db3ba270e0ba1cae0d0457441500dfc78a50a40b7d3a2e3fae99529690e3aaa05c8821115a0a4e41197a4a650a2a8b25f92fbcb50eed7a639119cd8ad |
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
| MD5 | 07321f91bad9653b4fa737e5c993de90 |
| SHA1 | 9b0e7f445739825816e970205fe92adf7d3e1fc8 |
| SHA256 | c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3 |
| SHA512 | c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6 |
memory/1712-27-0x0000000000670000-0x00000000006A5000-memory.dmp
memory/1712-30-0x0000000000670000-0x00000000006A5000-memory.dmp
memory/4948-34-0x0000000000B90000-0x0000000000BC5000-memory.dmp
memory/4948-36-0x0000000000B90000-0x0000000000BC5000-memory.dmp
memory/3880-37-0x0000000001070000-0x0000000001071000-memory.dmp
memory/3880-39-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/3880-40-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/4492-45-0x0000000000F90000-0x0000000000FC5000-memory.dmp
memory/3880-52-0x0000000001070000-0x0000000001071000-memory.dmp
memory/3880-53-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/3880-54-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/3880-55-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/3880-56-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/3880-58-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/3880-61-0x0000000001690000-0x00000000016C5000-memory.dmp
memory/1712-62-0x0000000000670000-0x00000000006A5000-memory.dmp
memory/4996-63-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
memory/3880-64-0x0000000001690000-0x00000000016C5000-memory.dmp
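The process list and Files section of this run describe a chain that can be hunted from process and file events alone: a copy of TraceIndexer.exe in ProgramData started with "<stage> <pid>" arguments, svchost.exe and WerFault.exe started the same way, and an EXE dropped next to a DLL and a .dat that share a basename. The Python below is an added example, not code from the report or the sandbox. The events are constructed from this run's process list and memory-dump PIDs; the parent/child links, the final benign svchost.exe row, and the regular expressions for what services.exe and the WER service normally pass are the example's own assumptions.

```python
"""Hunt for the launch chain in the process list above, using only process and file events."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the behavioral7 process list and the PIDs of its memory dumps
# (4492, 1712, 4948, 3880, 4996, in process order). The parent/child links and
# the last, benign svchost.exe row are assumptions made for this example; the
# report does not print parent PIDs.
EVENTS = [
    ProcEvent(4492, 1000, r"C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe"'),
    ProcEvent(1712, 4492, r"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe",
              r'"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 100 4492'),
    ProcEvent(4948, 1712, r"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe",
              r'"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 200 0'),
    ProcEvent(3880, 4948, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\system32\svchost.exe 201 0"),
    ProcEvent(4996, 3880, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe 209 3880"),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
]

# The three files this run drops (from its Files section).
DROPPED = [
    r"C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dat",
    r"C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dll",
    r"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe",
]

# "<image> NNN <pid>": the three-digit stage codes seen in this report.
STAGE_ARGS = re.compile(r'^(?:"[^"]+"|\S+)\s+(\d{3})\s+(\d+)\s*$')

# Assumed shape of legitimate launches: services.exe gives svchost.exe a
# -k <group>; the WER service starts WerFault.exe with -u/-p/-pss switches.
EXPECTED_ARGS = {
    "svchost.exe": re.compile(r"\s-k\s+\S+"),
    "werfault.exe": re.compile(r"\s-(?:u|p|pss)\b"),
}


def stage_args(cmdline):
    """Return (stage, pid) for a command line using the stage convention, else None."""
    m = STAGE_ARGS.match(cmdline)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_stage_chain(events):
    """Every process started with stage arguments; the PID argument is checked against seen PIDs."""
    pids = {e.pid for e in events}
    hits = []
    for e in events:
        parsed = stage_args(e.cmdline)
        if parsed:
            stage, ref = parsed
            hits.append((e.pid, PureWindowsPath(e.image).name, stage, ref, ref in pids))
    return hits


def suspicious_system_hosts(events):
    """svchost.exe / WerFault.exe started with the wrong arguments or by a non-Windows parent."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        name = PureWindowsPath(e.image).name.lower()
        if name not in EXPECTED_ARGS:
            continue
        reasons = []
        if not EXPECTED_ARGS[name].search(e.cmdline):
            reasons.append("unexpected command line")
        parent = by_pid.get(e.ppid)
        if parent and not parent.image.lower().startswith("c:\\windows\\"):
            reasons.append(f"parent {PureWindowsPath(parent.image).name}")
        if reasons:
            out.append((e.pid, name, reasons))
    return out


def find_sideload_triads(paths):
    """An EXE next to a DLL and a .dat sharing a basename: the three-file layout dropped here."""
    by_dir = {}
    for p in map(PureWindowsPath, paths):
        by_dir.setdefault(str(p.parent).lower(), []).append(p)
    triads = []
    for files in by_dir.values():
        dlls = {f.stem.lower() for f in files if f.suffix.lower() == ".dll"}
        dats = {f.stem.lower() for f in files if f.suffix.lower() == ".dat"}
        for exe in (f for f in files if f.suffix.lower() == ".exe"):
            for stem in sorted(dlls & dats):
                triads.append((str(exe), f"{stem}.dll", f"{stem}.dat"))
    return triads


if __name__ == "__main__":
    print("stage chain:", find_stage_chain(EVENTS))
    print("hosts:", suspicious_system_hosts(EVENTS))
    print("triads:", find_sideload_triads(DROPPED))
```

The stage check is the most portable of the three because it keys on the argument convention rather than on file names, which the operators can change between builds; the triad check catches the drop before anything runs; the host check fires on the svchost.exe instance (wrong arguments and a parent outside C:\Windows) and on WerFault.exe (wrong arguments) while leaving the benign -k launch alone.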
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win11-20240214-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| 17 matches (the report records no per-match details) | N/A | N/A | N/A |
PlugX
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 35.77.99.82 | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003500310046004300390037004100370035003600350031004400300045000000 (NUL-terminated UTF-16LE string "451FC97A75651D0E") | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe
"C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe"
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 100 1508
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\system32\WerFault.exe 209 2404
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:3128 | N/A | udp |
| US | 8.8.8.8:53 | update.chatgpt-server.com | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 82.99.77.35.in-addr.arpa | udp |
Files
memory/1508-0-0x0000000000E40000-0x0000000000F40000-memory.dmp
memory/1508-2-0x0000000000650000-0x0000000000685000-memory.dmp
memory/1508-4-0x0000000000650000-0x0000000000685000-memory.dmp
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dat
| MD5 | e83af8dd173892918a785d27e1aef2a5 |
| SHA1 | d0ce65a13d43205b7a9c253b010fb2cea977a4b3 |
| SHA256 | 31a63f7813c3436fec5c5493e30356da12ea4729fb1757bff877fc1a63825361 |
| SHA512 | 884cb0ddf17ce35e6f191ddd97905781da67b8c8b4d27a87f872564e7d419df8966eadf93df5928fdc87e09aaf1eea187b621858c5bd2f6d41fb99872762acd5 |
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dll
| MD5 | ed5b3b3a04e3ccc8ddc41e0691c6af38 |
| SHA1 | 7ab5dc0750fa4d5953bf45b9de4b5261458b69fa |
| SHA256 | 9b0f2a4833461caabd4d44c53c31b719c80b7f44a92cff5c0fb01d83f7fa43cb |
| SHA512 | ae89fa6db3ba270e0ba1cae0d0457441500dfc78a50a40b7d3a2e3fae99529690e3aaa05c8821115a0a4e41197a4a650a2a8b25f92fbcb50eed7a639119cd8ad |
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
| MD5 | 07321f91bad9653b4fa737e5c993de90 |
| SHA1 | 9b0e7f445739825816e970205fe92adf7d3e1fc8 |
| SHA256 | c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3 |
| SHA512 | c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6 |
memory/4840-27-0x0000000000820000-0x0000000000855000-memory.dmp
memory/4840-30-0x0000000000820000-0x0000000000855000-memory.dmp
memory/5008-34-0x0000000001230000-0x0000000001265000-memory.dmp
memory/5008-36-0x0000000001230000-0x0000000001265000-memory.dmp
memory/2404-37-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2404-39-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2404-38-0x0000000000890000-0x0000000000891000-memory.dmp
memory/1508-44-0x0000000000650000-0x0000000000685000-memory.dmp
memory/2404-51-0x0000000000890000-0x0000000000891000-memory.dmp
memory/2404-52-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2404-54-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2404-53-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2404-55-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2404-57-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2404-60-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/4840-61-0x0000000000820000-0x0000000000855000-memory.dmp
memory/2804-62-0x0000000000A60000-0x0000000000A61000-memory.dmp
memory/2404-63-0x0000000000BA0000-0x0000000000BD5000-memory.dmp
memory/2804-64-0x0000000000A60000-0x0000000000A61000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win7-20231215-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2020 wrote to memory of 1716 (7 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1244 wrote to memory of 4760 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win10-20240214-en
Max time kernel
123s
Max time network
136s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1572 wrote to memory of 4668 (3 identical events) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ATKEX.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win7-20231215-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| 11 matches (the report records no per-match details) | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe
"C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe"
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 100 2088
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
Network
Files
memory/2088-0-0x0000000000890000-0x0000000000990000-memory.dmp
memory/2088-2-0x00000000000E0000-0x0000000000115000-memory.dmp
memory/2088-4-0x00000000000E0000-0x0000000000115000-memory.dmp
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dat
| MD5 | e83af8dd173892918a785d27e1aef2a5 |
| SHA1 | d0ce65a13d43205b7a9c253b010fb2cea977a4b3 |
| SHA256 | 31a63f7813c3436fec5c5493e30356da12ea4729fb1757bff877fc1a63825361 |
| SHA512 | 884cb0ddf17ce35e6f191ddd97905781da67b8c8b4d27a87f872564e7d419df8966eadf93df5928fdc87e09aaf1eea187b621858c5bd2f6d41fb99872762acd5 |
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dll
| MD5 | ed5b3b3a04e3ccc8ddc41e0691c6af38 |
| SHA1 | 7ab5dc0750fa4d5953bf45b9de4b5261458b69fa |
| SHA256 | 9b0f2a4833461caabd4d44c53c31b719c80b7f44a92cff5c0fb01d83f7fa43cb |
| SHA512 | ae89fa6db3ba270e0ba1cae0d0457441500dfc78a50a40b7d3a2e3fae99529690e3aaa05c8821115a0a4e41197a4a650a2a8b25f92fbcb50eed7a639119cd8ad |
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
| MD5 | 07321f91bad9653b4fa737e5c993de90 |
| SHA1 | 9b0e7f445739825816e970205fe92adf7d3e1fc8 |
| SHA256 | c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3 |
| SHA512 | c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6 |
memory/2712-26-0x0000000000200000-0x0000000000235000-memory.dmp
memory/2712-28-0x0000000000200000-0x0000000000235000-memory.dmp
memory/2672-34-0x0000000000150000-0x0000000000185000-memory.dmp
memory/1328-36-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1328-40-0x00000000000A0000-0x00000000000C0000-memory.dmp
memory/1328-42-0x00000000000C0000-0x00000000000C2000-memory.dmp
memory/1328-45-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1328-44-0x0000000000170000-0x00000000001A5000-memory.dmp
memory/2672-48-0x0000000000150000-0x0000000000185000-memory.dmp
memory/1328-46-0x0000000000170000-0x00000000001A5000-memory.dmp
memory/1328-47-0x0000000000170000-0x00000000001A5000-memory.dmp
memory/2088-54-0x00000000000E0000-0x0000000000115000-memory.dmp
memory/2712-57-0x0000000000200000-0x0000000000235000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-18 16:11
Reported
2024-02-18 16:15
Platform
win10-20240214-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| 17 matches (the report records no per-match details) | N/A | N/A | N/A |
PlugX
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 35.77.99.82 | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42004600440039003600340034003000360034003500430038003900430033000000 (NUL-terminated UTF-16LE string "BFD96440645C89C3") | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
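The "Modifies registry class" tables of behavioral7, behavioral8 and this run each record the data written to HKLM\SOFTWARE\Classes\FAST\CLSID as a raw hex dump. The Python below is an added example, not part of the sandbox report, that decodes those dumps as the NUL-terminated UTF-16LE strings they are, checks their shape, and confirms that the data is different in every run, which is the reason to hunt on the key path and the writing process rather than on the value. The three hex strings are copied from the tables above; the 16-hex-digit shape check is the example's own heuristic.

```python
"""Decode the hex-dumped data the run writes under HKLM\\SOFTWARE\\Classes\\FAST\\CLSID."""
import binascii
import re

# Values copied from the "Modifies registry class" tables of behavioral7,
# behavioral8 and behavioral6.
FAST_CLSID_VALUES = {
    "behavioral7": "35004400340043003400360031004600320045003800300042003600340044000000",
    "behavioral8": "34003500310046004300390037004100370035003600350031004400300045000000",
    "behavioral6": "42004600440039003600340034003000360034003500430038003900430033000000",
}

# Hunting target: the key path is constant across runs, the data is not.
REG_KEY = r"HKLM\SOFTWARE\Classes\FAST"
REG_VALUE = "CLSID"


def decode_reg_sz_hex(hexstr):
    """Hex dump of registry data -> text.

    The bytes are a NUL-terminated UTF-16LE string (the layout of a REG_SZ
    value), so decode as UTF-16LE and cut at the first NUL code unit.
    """
    raw = binascii.unhexlify(hexstr)
    if len(raw) % 2:
        raise ValueError("odd length: not UTF-16LE data")
    text = raw.decode("utf-16-le")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


# Heuristic from the three observed values: 16 upper-case hex digits.
HEX16 = re.compile(r"[0-9A-F]{16}")


def looks_like_fast_id(value):
    """Shape check against the pattern seen in all three runs."""
    return HEX16.fullmatch(value) is not None


def summarize(values):
    """Decode each run's data: {run: decoded_string}."""
    return {run: decode_reg_sz_hex(h) for run, h in values.items()}


def is_per_run_unique(values):
    """True when no two runs wrote the same data, i.e. the value is host-specific."""
    decoded = list(summarize(values).values())
    return len(set(decoded)) == len(decoded)


if __name__ == "__main__":
    for run, ident in summarize(FAST_CLSID_VALUES).items():
        print(f"{run}: {REG_KEY}\\{REG_VALUE} = {ident!r} (plausible={looks_like_fast_id(ident)})")
    print("unique per run:", is_per_run_unique(FAST_CLSID_VALUES))
```

Because the decoded strings differ on every host, a detection keyed on the data would miss the next infection; a rule that fires on svchost.exe creating HKLM\SOFTWARE\Classes\FAST and writing its CLSID value carries over, and the decoder is still useful for pulling the per-host identifier out of a registry hive during response.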
Processes
C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe
"C:\Users\Admin\AppData\Local\Temp\TraceIndexer.exe"
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 100 200
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
"C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\system32\WerFault.exe 209 4564
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.chatgpt-server.com | udp |
| N/A | 10.127.255.255:3128 | N/A | udp |
| JP | 35.77.99.82:53 | update.chatgpt-server.com | udp |
| US | 8.8.8.8:53 | 82.99.77.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
Files
memory/200-0-0x00000000018E0000-0x00000000019E0000-memory.dmp
memory/200-3-0x0000000000F70000-0x0000000000FA5000-memory.dmp
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dat
| MD5 | e83af8dd173892918a785d27e1aef2a5 |
| SHA1 | d0ce65a13d43205b7a9c253b010fb2cea977a4b3 |
| SHA256 | 31a63f7813c3436fec5c5493e30356da12ea4729fb1757bff877fc1a63825361 |
| SHA512 | 884cb0ddf17ce35e6f191ddd97905781da67b8c8b4d27a87f872564e7d419df8966eadf93df5928fdc87e09aaf1eea187b621858c5bd2f6d41fb99872762acd5 |
C:\ProgramData\Microsoft\AsComDtSvc\TraceIndexer.exe
| MD5 | 07321f91bad9653b4fa737e5c993de90 |
| SHA1 | 9b0e7f445739825816e970205fe92adf7d3e1fc8 |
| SHA256 | c81b31f8986cc40ff2d31c3bafd7abdf275826ccb5859eba8d927144e38bc7f3 |
| SHA512 | c065581716ac8158f657c231a48a8eff2eb215a008ca1d76215a17313b99888d9d14ccb73782d810cedaf5e8acc671deca28a9e2875a5668a03ece0e2cd8f5b6 |
C:\ProgramData\Microsoft\AsComDtSvc\ATKEX.dll
| MD5 | ed5b3b3a04e3ccc8ddc41e0691c6af38 |
| SHA1 | 7ab5dc0750fa4d5953bf45b9de4b5261458b69fa |
| SHA256 | 9b0f2a4833461caabd4d44c53c31b719c80b7f44a92cff5c0fb01d83f7fa43cb |
| SHA512 | ae89fa6db3ba270e0ba1cae0d0457441500dfc78a50a40b7d3a2e3fae99529690e3aaa05c8821115a0a4e41197a4a650a2a8b25f92fbcb50eed7a639119cd8ad |
memory/2796-27-0x0000000000E00000-0x0000000000E35000-memory.dmp
memory/2796-30-0x0000000000E00000-0x0000000000E35000-memory.dmp
memory/4612-36-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4612-34-0x0000000000400000-0x0000000000435000-memory.dmp
memory/4564-38-0x0000000003250000-0x0000000003285000-memory.dmp
memory/4564-37-0x0000000000E90000-0x0000000000E91000-memory.dmp
memory/4564-40-0x0000000003250000-0x0000000003285000-memory.dmp
memory/4612-39-0x0000000000400000-0x0000000000435000-memory.dmp
memory/200-43-0x0000000000F70000-0x0000000000FA5000-memory.dmp
memory/4564-52-0x0000000003250000-0x0000000003285000-memory.dmp
memory/4564-53-0x0000000003250000-0x0000000003285000-memory.dmp
memory/4564-51-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
memory/4564-54-0x0000000003250000-0x0000000003285000-memory.dmp
memory/4564-55-0x0000000003250000-0x0000000003285000-memory.dmp
memory/4564-57-0x0000000003250000-0x0000000003285000-memory.dmp
memory/4564-60-0x0000000003250000-0x0000000003285000-memory.dmp
memory/2796-61-0x0000000000E00000-0x0000000000E35000-memory.dmp
memory/1636-62-0x0000000000730000-0x0000000000731000-memory.dmp
memory/4564-63-0x0000000003250000-0x0000000003285000-memory.dmp