Analysis

  • max time kernel
    35s
  • max time network
    38s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-es
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-es, locale:es-es, os:windows10-1703-x64, system:windows
  • submitted
    23/02/2024, 12:42

General

  • Target

    plato.exe

  • Size

    20.0MB

  • MD5

    9bcb723afa2dbc41ee53ddf9824e9e1f

  • SHA1

    3a53d54fb1c4f0aa91e28b02489b0bd57c450d9e

  • SHA256

    2127916ed879446537a6c72fcb3a3485a2f9074ea7f89a69cdce645d6a8dec31

  • SHA512

    08260d7c0bc6c8d528d9d68fc6f8363f866ad94b716d36462948a626bc8b1d0176ab626f1d5743a9fab83e7f3c730c37c94bacf875f3223775fad2e04e8e6ae2

  • SSDEEP

    98304:FAPHP5u2k805vCIgG8YmQysgBsmSwEEIGzSUfW9yHafMpq+gFoESjokfAyXIYDIH:yPnk805vCEc5S/zGeKb6fMpqn/+okcr

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
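The signatures above are derived from behaviour events (registry, file, image-load and process events) rather than from static properties of plato.exe. As an added illustration, not code from the sandbox vendor or from the Plato project, the Python below reproduces the logic behind six of the listed signatures over a constructed event stream. The event format (pid, operation, target), the operation names, the placeholder thumbprint and the exact registry paths are assumptions of this example; the stateful rules attribute "Executes dropped EXE" to the process that performed the action, which differs from the report's layout, where it is shown under the spawned child.

```python
import re
from collections import defaultdict

# Constructed sample events (pid, operation, target). These are illustrative,
# not events captured from the report; pids mirror the report's process tree.
SAMPLE_EVENTS = [
    (3444, "FileWrite",    r"C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\client.exe"),
    (3444, "FileWrite",    r"C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\zlib1.dll"),
    (3444, "RegSetValue",  r"HKCU\Software\Classes\plato\shell\open\command\(Default)"),
    (3444, "ProcessCreate", r"C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\client.exe"),
    (1792, "LoadImage",    r"C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\zlib1.dll"),
    (1792, "LoadImage",    r"C:\Windows\System32\kernel32.dll"),
    (1792, "RegEnumKey",   r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    (1792, "RegQueryValue", r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{GUID}\DisplayName"),
    # Placeholder thumbprint (40 hex chars), not a real certificate.
    (1792, "RegSetValue",  r"HKCU\Software\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob"),
    (1792, "CreateFile",   r"\\.\PhysicalDrive0"),
    (1884, "RegQueryValue", r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path"),
]

# Stateless rules: (signature name, operations that count, path pattern).
# Patterns are this example's approximation of what each signature looks for.
RULES = [
    ("Checks installed software on the system",
     {"RegEnumKey", "RegQueryValue", "RegOpenKey"},
     re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)),
    ("Modifies system certificate store",
     {"RegSetValue", "RegCreateKey"},
     re.compile(r"\\SystemCertificates\\(Root|CA|AuthRoot|TrustedPublisher|Disallowed)"
                r"\\Certificates\\[0-9A-F]{40}", re.I)),
    ("Enumerates physical storage devices",
     {"CreateFile"},
     re.compile(r"^\\\\\.\\(PhysicalDrive|CdRom)\d+$", re.I)),
    ("Modifies registry class",
     {"RegSetValue", "RegCreateKey"},
     re.compile(r"\\Software\\Classes\\", re.I)),
]


def classify(events):
    """Return {signature: sorted pids} for the given (pid, op, target) events.

    The two 'dropped' rules are stateful: a file counts as dropped once a
    monitored process has written it, and later execution or image-load of
    that exact path is flagged. Everything else is a stateless path match.
    """
    hits = defaultdict(set)
    dropped = set()  # lower-cased paths written during the run
    for pid, op, target in events:
        key = target.lower()
        if op == "FileWrite":
            dropped.add(key)
            continue
        if op == "ProcessCreate" and key in dropped:
            hits["Executes dropped EXE"].add(pid)
        elif op == "LoadImage" and key in dropped:
            hits["Loads dropped DLL"].add(pid)
        for name, ops, pattern in RULES:
            if op in ops and pattern.search(target):
                hits[name].add(pid)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in sorted(classify(SAMPLE_EVENTS).items()):
        print(f"{name}: pids {pids}")
```

The `(\\|$)` tail on the Uninstall rule is deliberate: it matches both enumeration of the key itself and value reads under individual product subkeys, while not firing on unrelated keys that merely contain the word. Tuning the certificate rule to the Root and AuthRoot stores only is a reasonable first cut if the goal is to catch trust-anchor injection rather than every certificate write.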

Processes

  • C:\Users\Admin\AppData\Local\Temp\plato.exe
    "C:\Users\Admin\AppData\Local\Temp\plato.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\client.exe
      C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\client.exe -db C:\Users\Admin\AppData\Local\Plato\prod\data -supervisor C:\Users\Admin\AppData\Local\Temp\plato.exe -install-dir C:\Users\Admin\AppData\Local\Plato\prod -logs C:\Users\Admin\AppData\Local\Plato\prod\data\logs\prod-0.5.26-51191be1-20240223124305-log.txt
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1792
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3ec
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1884

Network


        Downloads

        • C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\client.exe

          Filesize

          8.0MB

          MD5

          ff87f01954c7e3f8976726af959827a8

          SHA1

          ae4bd3a3430e448fb98f251ee3781359b49d75d2

          SHA256

          16a8788e9df2c6633e4892636e734baed2ea18dda2310f04e0a9cdafcb48d60a

          SHA512

          273734f0636a6c882473f3adcacb6a2827970c641405fe11c845d5ef07af675ea181913090ebfcc90038af051ec6b6a3d757829ee21a2b9c97eb4e18437b10f1

        • C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\client.exe

          Filesize

          12.3MB

          MD5

          81e344af12af595a5ea4ad72ceb03165

          SHA1

          4374f6dec7fbefc85cce361f7b9224c1c94592f5

          SHA256

          ac4ddabb72a541bb69b46f6b863d611fa89b20d6cc0b76bc40c2dfb15d737f0d

          SHA512

          6822227acc2dcb5c89e2671b7b5818a3e1fa1fc51ac6959beea4c418323eea406889fa0660a2a8711e736c08f12886c9e99e7f2a7147271599dcc9f6a497c445

        • C:\Users\Admin\AppData\Local\Plato\prod\0.5.37\d3dcompiler_47.dll

          Filesize

          4.3MB

          MD5

          086cffe6323a116b1885b56448a82e76

          SHA1

          a69ea6fe1ed67a3e6af5a823234983f60fabb8e2

          SHA256

          a0aa1b7e60f7c2a6100980215e51f2f958b50711b4e8455ddeddb5065af306bc

          SHA512

          c066ba6afd1a4f12ddc0b0a2adf632d8edbac5ea986a13ae5250162a6c96b4f78f81d6a4b1593062b7def88c356caa836da9cbbc263ace0033d48b1c93878ad8

        • C:\Users\Admin\AppData\Local\Plato\prod\data\logs\prod-0.5.26-51191be1-20240223124305-log.txt

          Filesize

          581B

          MD5

          34001407175bf1d07ba35a19b317490d

          SHA1

          5e206f560c3ee11f06468d42867ed9bfe5e600c9

          SHA256

          68910291d486d661c1dce8120644e9ad315f027bf41382e0ce66defc00982cdc

          SHA512

          32842e9613cfb7124405c8d39ee3af7a44e1a7b140d8c88e9fbb36c01a48ade915d5e3d2966d0098e0ecd0eda32e1242c877bbf2136716a2f876c73a7e141b9b

        • C:\Users\Admin\AppData\Local\Plato\prod\plato.exe

          Filesize

          13.8MB

          MD5

          2f69077139324e79c98f1e9ddda3bfa2

          SHA1

          4c7eb8d16476c2fa56b8565273ffc02bbf50b355

          SHA256

          702fc0cea0955dc5c286c07deee30863610376cab86f782958b5de50f2b34283

          SHA512

          f3b77bd09c02f6671c48792e8bb8d26766a7cb76c5b229a340cf99b72c7f619a19f54c0c6a49d49205cc73527d39efa8ae7e394032526001dc2f283f5033cccd

        • C:\Users\Admin\AppData\Local\font_index_v2.cache

          Filesize

          31KB

          MD5

          f01c7f1a3294304503d46ba013f2e8f9

          SHA1

          42564c759426ae4a0771548ad1220e00f86418e2

          SHA256

          15e06f9105562a4b0d2e49c53a90869d882d14736c3f971ea955cf3cb667643a

          SHA512

          9026bd02ccca9d82a268313ccaacec5de4f4b54325eff177444155c15500bce01203eb7a3b2fc4a96bcb0d415f4a063958a329b2afaafe7b6ed035d6b74aa0e8

        • \Users\Admin\AppData\Local\Plato\prod\0.5.37\libEGL.dll

          Filesize

          403KB

          MD5

          e9208c49c80f09f8167db476788cedad

          SHA1

          e9f7ec37e0d574a14bf4b55daa2958f4e630689d

          SHA256

          c90b1024204a9db27807488322d063016984470ed22c48f22b2e786c3ba29d24

          SHA512

          d53be53319d3096856b9e3563bed5c04408d66118ff4b3a4663bf91d196f8000216e42df4809625a536c76a66d5f7aa0fabf25dab4965487e23a6f6a4e53d957

        • \Users\Admin\AppData\Local\Plato\prod\0.5.37\libGLESv2.dll

          Filesize

          6.5MB

          MD5

          dfcf238c6e196eee412d875c293a82ee

          SHA1

          ff231d341b3a355c000e2d03d2c7563775f58993

          SHA256

          84c8adca5ac21f0c324ad85bade9caf265de6e61f28b84cac61d893d088dcef2

          SHA512

          79a70570b51eb30784eaba7e08044b404d1914be3d5e98442b9002d9ad85fd6ea5961f7333ad2c3fa8d52f09cd202c54220b243629e0cfd37e6787794123c0d4

        • \Users\Admin\AppData\Local\Plato\prod\0.5.37\libgcc_s_seh-1.dll

          Filesize

          92KB

          MD5

          bd5749c30e8f97227ad3993bcaa312c9

          SHA1

          2c241a2ea6b7132ad37bdac693dbad38cf8a39cc

          SHA256

          0fda0844b07c9976f405b19f2b946770a89a2de63b3260a852daefffdb9d4af8

          SHA512

          d12e98a7f278db76c77c2dce84e62d3ebef04018ff8d5932c6c392a1356f8f43b0a98f3d7eb78118b3b7ab4539027c6ee39222819fc2f502dc64ec9ba9bc8862

        • \Users\Admin\AppData\Local\Plato\prod\0.5.37\libstdc++-6.dll

          Filesize

          1.7MB

          MD5

          b11988763791cb941b3e99b7960e88f1

          SHA1

          84d00bfe5dfe206296c14235b076af9262959abc

          SHA256

          0487227d3821b8222e445b6da6f62d956680c4a4405d6d60f38f147478df7583

          SHA512

          48a36df542f967e78b3efc86ed06c4c6d47caf56dcfa76c29952cd57ffa64aed9e010f2feaac83d9c3130e4497f8e2b5eccc9d5b3dad826719a9bcdf13e34dc0

        • \Users\Admin\AppData\Local\Plato\prod\0.5.37\libwinpthread-1.dll

          Filesize

          69KB

          MD5

          733d05b314199d8c78691f02468a60ea

          SHA1

          15d4e94c5a473d04373f92a17eb1547df26a1441

          SHA256

          dc01d23b272d7cf1f8c698a88141399b9376f563ffb0edff2f3ebcec8bcd26ca

          SHA512

          5ac6d62301727f28aaee3b23f93a65ff026acff9c18845640c9d9a9d094be1eb2f49729ed0955bf1ccfa773965ecd6a4b865997bd77b4485e963402aee6d21a9

        • \Users\Admin\AppData\Local\Plato\prod\0.5.37\zlib1.dll

          Filesize

          126KB

          MD5

          f5ee141fb811e541f684b49d104fab39

          SHA1

          d5572426ac96fb1c9338fc48a6b9c2f54a73931f

          SHA256

          f1026242564b8a7079a463db2594eaf3a94972c1c839781b1ee1c8d131fa729f

          SHA512

          2d224d366d64674ea205bf1f0bc852836fd742f628f842069869a5e32981895b6566791fd4fdb5e8a6b5c7bc77dcacadeb24f783eb610b4c5c036887d2ac3f06

        • memory/1792-73-0x00007FFE76B40000-0x00007FFE76B64000-memory.dmp

          Filesize

          144KB

        • memory/1792-104-0x00007FFE7AB80000-0x00007FFE7AB9C000-memory.dmp

          Filesize

          112KB

        • memory/1792-62-0x00007FF7AFCF0000-0x00007FF7B3D77000-memory.dmp

          Filesize

          64.5MB

        • memory/1792-69-0x00007FFE7AB80000-0x00007FFE7AB9C000-memory.dmp

          Filesize

          112KB

        • memory/1792-74-0x00007FFE76CF0000-0x00007FFE76D06000-memory.dmp

          Filesize

          88KB

        • memory/1792-107-0x00007FFE76CF0000-0x00007FFE76D06000-memory.dmp

          Filesize

          88KB

        • memory/1792-106-0x00007FFE76B40000-0x00007FFE76B64000-memory.dmp

          Filesize

          144KB

        • memory/1792-90-0x00007FF7AFCF0000-0x00007FF7B3D77000-memory.dmp

          Filesize

          64.5MB

        • memory/1792-91-0x00007FFE7AB80000-0x00007FFE7AB9C000-memory.dmp

          Filesize

          112KB

        • memory/1792-94-0x00007FFE763E0000-0x00007FFE76591000-memory.dmp

          Filesize

          1.7MB

        • memory/1792-96-0x00007FFE76CF0000-0x00007FFE76D06000-memory.dmp

          Filesize

          88KB

        • memory/1792-105-0x00007FFE763E0000-0x00007FFE76591000-memory.dmp

          Filesize

          1.7MB

        • memory/1792-103-0x00007FF7AFCF0000-0x00007FF7B3D77000-memory.dmp

          Filesize

          64.5MB

        • memory/1792-72-0x00007FFE763E0000-0x00007FFE76591000-memory.dmp

          Filesize

          1.7MB

        • memory/3444-97-0x00007FF6B4E00000-0x00007FF6B6273000-memory.dmp

          Filesize

          20.4MB

        • memory/3444-54-0x00007FF6B4E00000-0x00007FF6B6273000-memory.dmp

          Filesize

          20.4MB

        • memory/3444-82-0x00007FF6B4E00000-0x00007FF6B6273000-memory.dmp

          Filesize

          20.4MB

        • memory/3444-108-0x00007FF6B4E00000-0x00007FF6B6273000-memory.dmp

          Filesize

          20.4MB
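One practical use of the Downloads list is an endpoint sweep for the dropped files. Note that client.exe appears twice above with different sizes and hashes (8.0MB and 12.3MB), so the file on disk was rewritten during the run and a hash-only match against either value may miss a third version; matching on the drop path as well is the safer hunt. The Python below, added here as an example and not code from the sandbox vendor or from the Plato project, walks a directory tree, flags files whose SHA256 is in the report's list, and separately flags files that land at the report's drop locations regardless of hash. The helper that builds a throwaway directory uses placeholder content (it is not the real client.exe), and the path regex is this example's generalisation of the paths listed above.

```python
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# SHA256 values of the dropped files as listed in the report, keyed to a short
# label. client.exe is listed twice because two on-disk versions were captured.
REPORT_SHA256 = {
    "16a8788e9df2c6633e4892636e734baed2ea18dda2310f04e0a9cdafcb48d60a": r"0.5.37\client.exe (8.0MB)",
    "ac4ddabb72a541bb69b46f6b863d611fa89b20d6cc0b76bc40c2dfb15d737f0d": r"0.5.37\client.exe (12.3MB)",
    "a0aa1b7e60f7c2a6100980215e51f2f958b50711b4e8455ddeddb5065af306bc": r"0.5.37\d3dcompiler_47.dll",
    "702fc0cea0955dc5c286c07deee30863610376cab86f782958b5de50f2b34283": r"prod\plato.exe",
    "c90b1024204a9db27807488322d063016984470ed22c48f22b2e786c3ba29d24": r"0.5.37\libEGL.dll",
    "84c8adca5ac21f0c324ad85bade9caf265de6e61f28b84cac61d893d088dcef2": r"0.5.37\libGLESv2.dll",
    "0fda0844b07c9976f405b19f2b946770a89a2de63b3260a852daefffdb9d4af8": r"0.5.37\libgcc_s_seh-1.dll",
    "0487227d3821b8222e445b6da6f62d956680c4a4405d6d60f38f147478df7583": r"0.5.37\libstdc++-6.dll",
    "dc01d23b272d7cf1f8c698a88141399b9376f563ffb0edff2f3ebcec8bcd26ca": r"0.5.37\libwinpthread-1.dll",
    "f1026242564b8a7079a463db2594eaf3a94972c1c839781b1ee1c8d131fa729f": r"0.5.37\zlib1.dll",
}

# Drop-location pattern generalised from the report's paths (any version
# directory). Matched on the path relative to the sweep root, with forward
# slashes, so it also works on a mounted image or an off-box copy.
DROP_PATH_RE = re.compile(
    r"AppData/Local/Plato/prod/(\d+\.\d+\.\d+/)?(client|plato)\.exe$", re.I)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so multi-MB drops do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=REPORT_SHA256):
    """Walk root; return [(relative_path, sha256, reason)] for every hit.

    reason is 'hash:<label>' for an exact hash match and 'path' for a file at
    one of the report's drop locations whose hash is not in the list.
    """
    root = Path(root)
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            digest = sha256_file(p)
            if digest in known_hashes:
                matches.append((rel, digest, "hash:" + known_hashes[digest]))
            elif DROP_PATH_RE.search(rel):
                matches.append((rel, digest, "path"))
    return matches


def demo():
    """Build a constructed tree, sweep it twice, return (path_hits, hash_hits).

    The first sweep uses only the report hashes, so the placeholder client.exe
    is caught by path alone; the second adds the placeholder's own hash to the
    list, showing the hash route taking precedence over the path route.
    """
    root = Path(tempfile.mkdtemp(prefix="plato-sweep-"))
    try:
        drop = root / "Users/Admin/AppData/Local/Plato/prod/0.5.37/client.exe"
        drop.parent.mkdir(parents=True)
        drop.write_bytes(b"abc")  # placeholder content, not the real binary
        benign = root / "Users/Admin/Documents/notes.txt"
        benign.parent.mkdir(parents=True)
        benign.write_bytes(b"nothing to see here\n")

        path_hits = sweep(root)
        extended = dict(REPORT_SHA256)
        extended[sha256_file(drop)] = "constructed placeholder"
        hash_hits = sweep(root, extended)
        return path_hits, hash_hits
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, hits in zip(("path-only", "hash+path"), demo()):
        print(label, hits)
```

For a live host, point `sweep` at `C:\Users` (or a mounted evidence volume) and treat `path` hits as leads to hash and submit, not as confirmed matches: a legitimately updated copy of the same installer will land at the same location with a new hash.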