Overview

overview

10

Static

static

3

DeElevator.exe

windows7-x64

10

DeElevator.exe

windows10-1703-x64

10

DeElevator.exe

windows10-2004-x64

10

DeElevator.exe

windows11-21h2-x64

10

DeElevator64.dll

windows7-x64

1

DeElevator64.dll

windows10-1703-x64

1

DeElevator64.dll

windows10-2004-x64

1

DeElevator64.dll

windows11-21h2-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26-02-2024 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DeElevator.exe

  • Size

    10KB

  • MD5

    77f4f5243e1f2eab70e253e138488754

  • SHA1

    6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

  • SHA256

    22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

  • SHA512

    64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

  • SSDEEP

    96:M4/hNM2frP3IhjM7EugiG3/YiPoHQjzQMLy+y54+MIc/g23PQnA7k4WZwT:v/hNMIejMAPYyowJL/yCl/g2YnF2T

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 25 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeElevator.exe
    "C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1848
  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    "C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 1848
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3588
  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    "C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3292
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
    Filesize

    10KB

    MD5

    77f4f5243e1f2eab70e253e138488754

    SHA1

    6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a

    SHA256

    22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4

    SHA512

    64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

    Download Submit

  • C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll
    Filesize

    119KB

    MD5

    d2c7db5f032e0a1577007eeee844e1df

    SHA1

    5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28

    SHA256

    23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b

    SHA512

    97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a

    Download Submit

  • C:\ProgramData\Microsoft\MapACASvc\Private.USO
    Filesize

    380KB

    MD5

    73af29f04bfd945e07de31b490f3aa56

    SHA1

    94e7b1ce58aacfa7afe070693bd497bfea07f568

    SHA256

    4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e

    SHA512

    105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c

    Download Submit

  • memory/1648-69-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1648-73-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1648-71-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1648-68-0x0000021B2F150000-0x0000021B2F151000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1648-67-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1648-70-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1648-64-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1848-3-0x0000000000470000-0x00000000004B9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/1848-0-0x00007FF4FDDC0000-0x00007FF4FDEC0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1848-42-0x0000000000470000-0x00000000004B9000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-72-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-52-0x0000023115760000-0x0000023115761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3292-53-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-54-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-55-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-56-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-58-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-61-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-47-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-41-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-39-0x0000023114E00000-0x0000023114E49000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3292-37-0x0000023114A20000-0x0000023114A80000-memory.dmp

    Filesize

    384KB

    Download

  • memory/3588-62-0x0000000000630000-0x0000000000679000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3588-29-0x0000000000630000-0x0000000000679000-memory.dmp

    Filesize

    292KB

    Download

  • memory/3588-27-0x0000000000630000-0x0000000000679000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4956-38-0x0000000000730000-0x0000000000779000-memory.dmp

    Filesize

    292KB

    Download

  • memory/4956-35-0x0000000000730000-0x0000000000779000-memory.dmp

    Filesize

    292KB

    Download