Analysis Overview
SHA256
42bb35a99f00d6ec5a18aced113c138d05a5e9662b61e7130a7383f440c4db27
Threat Level: Known bad
The file MapACASvc.rar was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX payload
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-26 12:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win11-20240221-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43003600380038004500450033004200440034004600390038003000420038000000 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4956 wrote to memory of 3292 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 4956 wrote to memory of 3292 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 4956 wrote to memory of 3292 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 3292 wrote to memory of 1648 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
| PID 3292 wrote to memory of 1648 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
| PID 3292 wrote to memory of 1648 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DeElevator.exe
"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 1848
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe 209 3292
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| N/A | 10.127.255.255:3128 | N/A | udp |
| HK | 8.218.234.216:80 | update.mcrcsoft.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1848-0-0x00007FF4FDDC0000-0x00007FF4FDEC0000-memory.dmp
memory/1848-3-0x0000000000470000-0x00000000004B9000-memory.dmp
C:\ProgramData\Microsoft\MapACASvc\Private.USO
| MD5 | 73af29f04bfd945e07de31b490f3aa56 |
| SHA1 | 94e7b1ce58aacfa7afe070693bd497bfea07f568 |
| SHA256 | 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e |
| SHA512 | 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c |
C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll
| MD5 | d2c7db5f032e0a1577007eeee844e1df |
| SHA1 | 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28 |
| SHA256 | 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b |
| SHA512 | 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a |
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
| MD5 | 77f4f5243e1f2eab70e253e138488754 |
| SHA1 | 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a |
| SHA256 | 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4 |
| SHA512 | 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5 |
memory/3588-27-0x0000000000630000-0x0000000000679000-memory.dmp
memory/3588-29-0x0000000000630000-0x0000000000679000-memory.dmp
memory/4956-35-0x0000000000730000-0x0000000000779000-memory.dmp
memory/3292-37-0x0000023114A20000-0x0000023114A80000-memory.dmp
memory/3292-39-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/4956-38-0x0000000000730000-0x0000000000779000-memory.dmp
memory/3292-41-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/1848-42-0x0000000000470000-0x00000000004B9000-memory.dmp
memory/3292-47-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/3292-52-0x0000023115760000-0x0000023115761000-memory.dmp
memory/3292-53-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/3292-54-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/3292-55-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/3292-56-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/3292-58-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/3292-61-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/3588-62-0x0000000000630000-0x0000000000679000-memory.dmp
memory/1648-64-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp
memory/1648-67-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp
memory/1648-68-0x0000021B2F150000-0x0000021B2F151000-memory.dmp
memory/1648-69-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp
memory/1648-70-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp
memory/1648-71-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp
memory/3292-72-0x0000023114E00000-0x0000023114E49000-memory.dmp
memory/1648-73-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win10v2004-20240221-en
Max time kernel
143s
Max time network
158s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win11-20240221-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win10-20240214-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003700320031003400380031003000380038003900430042003300450035000000 | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2152 wrote to memory of 1132 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 2152 wrote to memory of 1132 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 2152 wrote to memory of 1132 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 1132 wrote to memory of 4348 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
| PID 1132 wrote to memory of 4348 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
| PID 1132 wrote to memory of 4348 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DeElevator.exe
"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 212
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1132
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update.mcrcsoft.com | udp |
| N/A | 10.127.255.255:3128 | N/A | udp |
| HK | 8.218.234.216:80 | update.mcrcsoft.com | tcp |
| US | 8.8.8.8:53 | 216.234.218.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
Files
memory/212-0-0x00007FF5FFDD0000-0x00007FF5FFED0000-memory.dmp
memory/212-3-0x0000000000050000-0x0000000000099000-memory.dmp
C:\ProgramData\Microsoft\MapACASvc\Private.USO
| MD5 | 73af29f04bfd945e07de31b490f3aa56 |
| SHA1 | 94e7b1ce58aacfa7afe070693bd497bfea07f568 |
| SHA256 | 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e |
| SHA512 | 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c |
C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll
| MD5 | d2c7db5f032e0a1577007eeee844e1df |
| SHA1 | 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28 |
| SHA256 | 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b |
| SHA512 | 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a |
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
| MD5 | 77f4f5243e1f2eab70e253e138488754 |
| SHA1 | 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a |
| SHA256 | 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4 |
| SHA512 | 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5 |
memory/2276-29-0x0000000000050000-0x0000000000099000-memory.dmp
memory/2276-27-0x0000000000050000-0x0000000000099000-memory.dmp
memory/2152-34-0x0000000000C80000-0x0000000000CC9000-memory.dmp
memory/2152-37-0x0000000000C80000-0x0000000000CC9000-memory.dmp
memory/1132-36-0x000002505F1E0000-0x000002505F240000-memory.dmp
memory/212-39-0x0000000000050000-0x0000000000099000-memory.dmp
memory/1132-41-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-43-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-47-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-53-0x000002505F3B0000-0x000002505F3B1000-memory.dmp
memory/1132-54-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-55-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-56-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-57-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-59-0x000002505F310000-0x000002505F359000-memory.dmp
memory/1132-62-0x000002505F310000-0x000002505F359000-memory.dmp
memory/2276-63-0x0000000000050000-0x0000000000099000-memory.dmp
memory/4348-67-0x0000019CE7710000-0x0000019CE7759000-memory.dmp
memory/4348-70-0x0000019CE7710000-0x0000019CE7759000-memory.dmp
memory/4348-71-0x0000019CE7AB0000-0x0000019CE7AB1000-memory.dmp
memory/4348-72-0x0000019CE7710000-0x0000019CE7759000-memory.dmp
memory/4348-74-0x0000019CE7710000-0x0000019CE7759000-memory.dmp
memory/4348-73-0x0000019CE7710000-0x0000019CE7759000-memory.dmp
memory/1132-75-0x000002505F310000-0x000002505F359000-memory.dmp
memory/4348-76-0x0000019CE7710000-0x0000019CE7759000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win7-20240221-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39004200440043004300330038004600300041004100460034003600360043000000 | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DeElevator.exe
"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 1924
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2440
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:3128 | N/A | udp |
| US | 8.8.8.8:53 | update.mcrcsoft.com | udp |
| HK | 8.218.234.216:80 | update.mcrcsoft.com | tcp |
Files
memory/1924-0-0x000007FFFFEB0000-0x000007FFFFFB0000-memory.dmp
memory/1924-2-0x0000000000030000-0x0000000000079000-memory.dmp
memory/1924-4-0x0000000000030000-0x0000000000079000-memory.dmp
C:\ProgramData\Microsoft\MapACASvc\Private.USO
| MD5 | 73af29f04bfd945e07de31b490f3aa56 |
| SHA1 | 94e7b1ce58aacfa7afe070693bd497bfea07f568 |
| SHA256 | 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e |
| SHA512 | 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c |
C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll
| MD5 | d2c7db5f032e0a1577007eeee844e1df |
| SHA1 | 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28 |
| SHA256 | 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b |
| SHA512 | 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a |
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
| MD5 | 77f4f5243e1f2eab70e253e138488754 |
| SHA1 | 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a |
| SHA256 | 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4 |
| SHA512 | 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5 |
memory/2612-28-0x0000000000030000-0x0000000000079000-memory.dmp
memory/2612-30-0x0000000000030000-0x0000000000079000-memory.dmp
memory/2564-37-0x0000000000030000-0x0000000000079000-memory.dmp
memory/2564-40-0x0000000000030000-0x0000000000079000-memory.dmp
memory/2440-39-0x0000000000130000-0x0000000000190000-memory.dmp
memory/2440-42-0x0000000000130000-0x0000000000190000-memory.dmp
memory/2564-43-0x0000000000030000-0x0000000000079000-memory.dmp
memory/2440-44-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/2440-48-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/1924-47-0x0000000000030000-0x0000000000079000-memory.dmp
memory/2440-59-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/2440-58-0x0000000000360000-0x0000000000361000-memory.dmp
memory/2440-60-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/2440-61-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/2440-62-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/2440-64-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/2612-68-0x0000000000030000-0x0000000000079000-memory.dmp
memory/1508-73-0x00000000006E0000-0x0000000000729000-memory.dmp
memory/1508-75-0x00000000006E0000-0x0000000000729000-memory.dmp
memory/1508-76-0x0000000000200000-0x0000000000201000-memory.dmp
memory/1508-77-0x00000000006E0000-0x0000000000729000-memory.dmp
memory/1508-78-0x00000000006E0000-0x0000000000729000-memory.dmp
memory/1508-79-0x00000000006E0000-0x0000000000729000-memory.dmp
memory/2440-80-0x0000000000060000-0x00000000000A9000-memory.dmp
memory/1508-81-0x00000000006E0000-0x0000000000729000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win10v2004-20240221-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| N/A | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\system32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31003000320044003200310034003500430035004400460030004200320033000000 | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1456 wrote to memory of 3160 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 1456 wrote to memory of 3160 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 1456 wrote to memory of 3160 | N/A | C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe | C:\Windows\system32\svchost.exe |
| PID 3160 wrote to memory of 4356 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
| PID 3160 wrote to memory of 4356 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
| PID 3160 wrote to memory of 4356 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\system32\msiexec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DeElevator.exe
"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 2756
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe 209 3160
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.mcrcsoft.com | udp |
| N/A | 10.127.255.255:3128 | N/A | udp |
| HK | 8.218.234.216:80 | update.mcrcsoft.com | tcp |
| US | 8.8.8.8:53 | 216.234.218.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/2756-0-0x00007FF4FDD90000-0x00007FF4FDE90000-memory.dmp
memory/2756-2-0x0000000000050000-0x0000000000099000-memory.dmp
C:\ProgramData\Microsoft\MapACASvc\Private.USO
| MD5 | 73af29f04bfd945e07de31b490f3aa56 |
| SHA1 | 94e7b1ce58aacfa7afe070693bd497bfea07f568 |
| SHA256 | 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e |
| SHA512 | 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c |
C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll
| MD5 | d2c7db5f032e0a1577007eeee844e1df |
| SHA1 | 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28 |
| SHA256 | 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b |
| SHA512 | 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a |
C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe
| MD5 | 77f4f5243e1f2eab70e253e138488754 |
| SHA1 | 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a |
| SHA256 | 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4 |
| SHA512 | 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5 |
memory/1664-27-0x00000000004D0000-0x0000000000519000-memory.dmp
memory/1664-30-0x00000000004D0000-0x0000000000519000-memory.dmp
memory/1456-34-0x0000000000400000-0x0000000000449000-memory.dmp
memory/3160-36-0x0000025EB6CB0000-0x0000025EB6D10000-memory.dmp
memory/1456-37-0x0000000000400000-0x0000000000449000-memory.dmp
memory/2756-39-0x0000000000050000-0x0000000000099000-memory.dmp
memory/3160-40-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/3160-42-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/3160-52-0x0000025EB7880000-0x0000025EB7881000-memory.dmp
memory/3160-53-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/3160-54-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/3160-55-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/3160-56-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/3160-58-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/3160-61-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/1664-62-0x00000000004D0000-0x0000000000519000-memory.dmp
memory/4356-64-0x0000023BA5800000-0x0000023BA5849000-memory.dmp
memory/4356-66-0x0000023BA5800000-0x0000023BA5849000-memory.dmp
memory/4356-67-0x0000023BA5880000-0x0000023BA5881000-memory.dmp
memory/4356-68-0x0000023BA5800000-0x0000023BA5849000-memory.dmp
memory/4356-69-0x0000023BA5800000-0x0000023BA5849000-memory.dmp
memory/4356-70-0x0000023BA5800000-0x0000023BA5849000-memory.dmp
memory/3160-71-0x0000025EB7000000-0x0000025EB7049000-memory.dmp
memory/4356-72-0x0000023BA5800000-0x0000023BA5849000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-26 12:29
Reported
2024-02-26 12:32
Platform
win10-20240221-en
Max time kernel
132s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
memory/4888-0-0x00007FF7D7530000-0x00007FF7D7546000-memory.dmp
memory/4888-1-0x00007FF7D7530000-0x00007FF7D7546000-memory.dmp