Overview

overview

10

Static

static

3

DeElevator.exe

windows7-x64

10

DeElevator.exe

windows10-1703-x64

10

DeElevator.exe

windows10-2004-x64

10

DeElevator.exe

windows11-21h2-x64

10

DeElevator64.dll

windows7-x64

1

DeElevator64.dll

windows10-1703-x64

1

DeElevator64.dll

windows10-2004-x64

1

DeElevator64.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-02-2024 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DeElevator.exe

  • Size

    10KB

  • MD5

    77f4f5243e1f2eab70e253e138488754

  • SHA1

    6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

  • SHA256

    22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

  • SHA512

    64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

  • SSDEEP

    96:M4/hNM2frP3IhjM7EugiG3/YiPoHQjzQMLy+y54+MIc/g23PQnA7k4WZwT:v/hNMIejMAPYyowJL/yCl/g2YnF2T

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 24 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeElevator.exe
    "C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2756
  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    "C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 2756
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1664
  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    "C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3160
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    Filesize

    10KB

    MD5

    77f4f5243e1f2eab70e253e138488754

    SHA1

    6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

    SHA256

    22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

    SHA512

    64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

    Download Submit

  • C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll
    Filesize

    119KB

    MD5

    d2c7db5f032e0a1577007eeee844e1df

    SHA1

    5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28

    SHA256

    23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b

    SHA512

    97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a

    Download Submit

  • C:\ProgramData\Microsoft\MapACASvc\Private.USO
    Filesize

    380KB

    MD5

    73af29f04bfd945e07de31b490f3aa56

    SHA1

    94e7b1ce58aacfa7afe070693bd497bfea07f568

    SHA256

    4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e

    SHA512

    105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c

    Download Submit

  • memory/1456-34-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1456-37-0x0000000000400000-0x0000000000449000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1664-27-0x00000000004D0000-0x0000000000519000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1664-30-0x00000000004D0000-0x0000000000519000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1664-62-0x00000000004D0000-0x0000000000519000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2756-0-0x00007FF4FDD90000-0x00007FF4FDE90000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2756-2-0x0000000000050000-0x0000000000099000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2756-39-0x0000000000050000-0x0000000000099000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-53-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-36-0x0000025EB6CB0000-0x0000025EB6D10000-memory.dmp

    Filesize

    384KB

    Download

  • memory/3160-52-0x0000025EB7880000-0x0000025EB7881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3160-40-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-54-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-55-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-56-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-58-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-61-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-42-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3160-71-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4356-66-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4356-67-0x0000023BA5880000-0x0000023BA5881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4356-68-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4356-69-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4356-70-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4356-64-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4356-72-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

    Filesize

    292KB

    Download