Overview

overview

10

Static

static

3

DeElevator.exe

windows7-x64

10

DeElevator.exe

windows10-1703-x64

10

DeElevator.exe

windows10-2004-x64

10

DeElevator.exe

windows11-21h2-x64

10

DeElevator64.dll

windows7-x64

1

DeElevator64.dll

windows10-1703-x64

1

DeElevator64.dll

windows10-2004-x64

1

DeElevator64.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-02-2024 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DeElevator.exe

  • Size

    10KB

  • MD5

    77f4f5243e1f2eab70e253e138488754

  • SHA1

    6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

  • SHA256

    22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

  • SHA512

    64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

  • SSDEEP

    96:M4/hNM2frP3IhjM7EugiG3/YiPoHQjzQMLy+y54+MIc/g23PQnA7k4WZwT:v/hNMIejMAPYyowJL/yCl/g2YnF2T

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 25 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeElevator.exe
    "C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1924
  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    "C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 1924
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2612
  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    "C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2440
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    Filesize

    10KB

    MD5

    77f4f5243e1f2eab70e253e138488754

    SHA1

    6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

    SHA256

    22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

    SHA512

    64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

    Download Submit

  • C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll
    Filesize

    119KB

    MD5

    d2c7db5f032e0a1577007eeee844e1df

    SHA1

    5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28

    SHA256

    23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b

    SHA512

    97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a

    Download Submit

  • C:\ProgramData\Microsoft\MapACASvc\Private.USO
    Filesize

    380KB

    MD5

    73af29f04bfd945e07de31b490f3aa56

    SHA1

    94e7b1ce58aacfa7afe070693bd497bfea07f568

    SHA256

    4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e

    SHA512

    105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c

    Download Submit

  • memory/1508-81-0x00000000006E0000-0x0000000000729000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1508-79-0x00000000006E0000-0x0000000000729000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1508-78-0x00000000006E0000-0x0000000000729000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1508-77-0x00000000006E0000-0x0000000000729000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1508-76-0x0000000000200000-0x0000000000201000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1508-75-0x00000000006E0000-0x0000000000729000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1508-73-0x00000000006E0000-0x0000000000729000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1924-4-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1924-2-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1924-47-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1924-0-0x000007FFFFEB0000-0x000007FFFFFB0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2440-64-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-39-0x0000000000130000-0x0000000000190000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2440-59-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-58-0x0000000000360000-0x0000000000361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2440-60-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-61-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-62-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-44-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-80-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-48-0x0000000000060000-0x00000000000A9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2440-42-0x0000000000130000-0x0000000000190000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2564-43-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2564-40-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2564-37-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2612-30-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2612-68-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2612-28-0x0000000000030000-0x0000000000079000-memory.dmp

    Filesize

    292KB

    Download