Malware Analysis Report

2024-07-11 07:38

Sample ID 240226-ppdnksde62
Target MapACASvc.rar
SHA256 42bb35a99f00d6ec5a18aced113c138d05a5e9662b61e7130a7383f440c4db27
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

42bb35a99f00d6ec5a18aced113c138d05a5e9662b61e7130a7383f440c4db27

Threat Level: Known bad

The file MapACASvc.rar was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-26 12:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win11-20240221-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
(25 hits; Description, Indicator, Process and Target were not captured for any of them: N/A)

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43003600380038004500450033004200440034004600390038003000420038000000 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A

Note: the CLSID data is hex-encoded UTF-16LE text with a terminating NUL; decoded it reads C688EE3BD4F980B8. Every DeElevator.exe detonation in this report wrote a different 16-character value under the same key (compare behavioral2, behavioral1 and behavioral3), which is consistent with a per-host identifier rather than a fixed marker. Hunt on the key path HKLM\SOFTWARE\Classes\FAST being created or written by svchost.exe, not on the value.
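
The hex string in the table is how the sandbox prints REG_SZ data. The following Python, added here as an editorial example and not part of the sandbox report, decodes the four CLSID values this report recorded (behavioral4, behavioral2, behavioral1, behavioral3) and checks that they differ from one detonation to the next; the dictionary keys and function names are the example's own.

```python
"""Decode the REG_SZ data logged for HKLM\\SOFTWARE\\Classes\\FAST\\CLSID and compare it across detonations."""
from __future__ import annotations

# Hex strings copied from the "Modifies registry class" tables of this report,
# keyed by the detonation they came from.
OBSERVED_CLSID_HEX = {
    "behavioral4": "43003600380038004500450033004200440034004600390038003000420038000000",
    "behavioral2": "30003700320031003400380031003000380038003900430042003300450035000000",
    "behavioral1": "39004200440043004300330038004600300041004100460034003600360043000000",
    "behavioral3": "31003000320044003200310034003500430035004400460030004200320033000000",
}

HEX_DIGITS = set("0123456789ABCDEF")


def decode_reg_sz_hex(hexdata: str) -> str:
    """REG_SZ data is UTF-16LE text followed by a NUL terminator; the sandbox prints the raw bytes as hex."""
    raw = bytes.fromhex(hexdata)
    text = raw.decode("utf-16-le")
    return text.split("\x00", 1)[0]  # drop the terminator and anything after it


def decoded_ids(observed: dict[str, str] = OBSERVED_CLSID_HEX) -> dict[str, str]:
    """Decode every observed value, keyed by detonation name."""
    return {run: decode_reg_sz_hex(h) for run, h in observed.items()}


def looks_like_per_host_id(values) -> bool:
    """A fixed marker would repeat across detonations; a per-host identifier would not.

    Returns True when every value is a distinct 16-character upper-case hex string,
    which is the pattern this report shows.
    """
    vals = list(values)
    distinct = len(set(vals)) == len(vals)
    well_formed = all(len(v) == 16 and set(v) <= HEX_DIGITS for v in vals)
    return bool(vals) and distinct and well_formed


if __name__ == "__main__":
    ids = decoded_ids()
    for run, value in ids.items():
        print(f"{run:12s} CLSID = {value}")
    print("per-host identifier pattern:", looks_like_per_host_id(ids.values()))
```

Because the value changes per machine, a detection keyed on the decoded string would only ever match the sandbox host; the stable observable is the key path and the fact that it is written by a process named svchost.exe.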

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A (4 hits)
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A (2 hits)
N/A N/A C:\Windows\system32\svchost.exe N/A (10 hits)
N/A N/A C:\Windows\system32\msiexec.exe N/A (48 hits)
(64 hits in total, grouped here by process; the original table listed each hit on its own row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DeElevator.exe

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 1848

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 3292

Note: the chain is the submitted executable, a copy of itself under C:\ProgramData\Microsoft\MapACASvc\, a second copy, then svchost.exe and msiexec.exe. The first copy is started with 100 1848, and 1848 is the PID of the initial process (see the memory/1848-* dumps under Files); msiexec.exe is started with 209 3292, and 3292 is likewise the PID of one of the processes dumped below. The numeric argument pairs (100 <pid>, 200 0, 201 0, 209 <pid>) are stage markers for this chain and the most specific command-line indicator on this page: svchost.exe and msiexec.exe are not normally started with purely numeric arguments. The "Deletes itself" hit is attributed to the first copy, which is the one handed the original's PID.
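
The command lines above are enough to write a process-creation detection for this chain. The Python below is an added example, not code from the sandbox or from the malware author: it runs four rules over constructed process events whose command lines are the ones listed above. The PIDs, the parent PIDs and the benign services.exe, svchost.exe and msiexec.exe entries are the example's own assumptions, chosen so that the chain and a normal system coexist in one sample.

```python
"""Flag the PlugX-style launch chain listed above from process-creation telemetry."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


HOST_BINARIES = {"svchost.exe", "msiexec.exe"}


def args_of(cmdline: str) -> list[str]:
    """Drop the image token (quoted or bare) and split the remaining arguments on whitespace."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) == 2 else ""
    return rest.split()


def rules_for(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    """Names of the rules this single event trips, sorted for stable output."""
    hits = []
    name = ntpath.basename(ev.image).lower()
    args = args_of(ev.cmdline)
    parent = by_pid.get(ev.ppid)
    # svchost.exe and msiexec.exe are not normally launched with nothing but integers
    # ("201 0", "209 3292" in the report): svchost carries -k <group>, msiexec /i, /V and so on.
    if name in HOST_BINARIES and args and all(a.isdigit() for a in args):
        hits.append("NumericArgsSystemBinary")
    # The dropped copy is handed its parent's PID ("100 1848"); so is msiexec.exe ("209 3292").
    if ev.ppid and str(ev.ppid) in args:
        hits.append("ParentPidInArgs")
    # A genuine svchost.exe is started by services.exe; here it is started by the dropped EXE.
    if name == "svchost.exe" and parent is not None and ntpath.basename(parent.image).lower() != "services.exe":
        hits.append("SvchostNotFromServices")
    # Executables under C:\ProgramData\Microsoft\<name>\ mimic Microsoft components. On its own this
    # is noisy (Defender platform updates live there too), so treat it as corroboration, not a verdict.
    if ev.image.lower().startswith("c:\\programdata\\microsoft\\") and name.endswith(".exe"):
        hits.append("ProgramDataMicrosoftExe")
    return sorted(hits)


def analyze(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> rule names for every event that tripped at least one rule."""
    by_pid = {e.pid: e for e in events}
    result = {}
    for e in events:
        hits = rules_for(e, by_pid)
        if hits:
            result[e.pid] = hits
    return result


# Constructed sample (not sandbox output): command lines as listed in the report; PIDs, parent
# links and the three benign system processes are assumptions made for the example.
SAMPLE_EVENTS = [
    ProcEvent(700, 600, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    ProcEvent(950, 700, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1848, 1000, r"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"'),
    ProcEvent(3588, 1848, r"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe",
              r'"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 1848'),
    ProcEvent(4956, 3588, r"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe",
              r'"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0'),
    ProcEvent(3292, 4956, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0"),
    ProcEvent(1648, 3292, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 3292"),
]

if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The numeric-argument and parent-PID rules carry the weight; the ProgramData rule exists to tie the two system binaries back to the dropped executable and should not page on its own.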

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
N/A 10.127.255.255:3128 N/A udp
HK 8.218.234.216:80 update.mcrcsoft.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Note: the only external peer that is neither the Google resolver nor a Microsoft address is update.mcrcsoft.com, resolving to 8.218.234.216 and contacted on TCP/80; the same domain and address recur in the behavioral2 and behavioral1 detonations, so those two are the network indicators to block and hunt on. 10.127.255.255 is a broadcast address and 3128 is the conventional proxy (Squid) port, so that UDP datagram is local-network activity, not the command-and-control session.

Files

memory/1848-0-0x00007FF4FDDC0000-0x00007FF4FDEC0000-memory.dmp

memory/1848-3-0x0000000000470000-0x00000000004B9000-memory.dmp

C:\ProgramData\Microsoft\MapACASvc\Private.USO

MD5 73af29f04bfd945e07de31b490f3aa56
SHA1 94e7b1ce58aacfa7afe070693bd497bfea07f568
SHA256 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e
SHA512 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c

C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll

MD5 d2c7db5f032e0a1577007eeee844e1df
SHA1 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28
SHA256 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b
SHA512 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

MD5 77f4f5243e1f2eab70e253e138488754
SHA1 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a
SHA256 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4
SHA512 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

memory/3588-27-0x0000000000630000-0x0000000000679000-memory.dmp

memory/3588-29-0x0000000000630000-0x0000000000679000-memory.dmp

memory/4956-35-0x0000000000730000-0x0000000000779000-memory.dmp

memory/3292-37-0x0000023114A20000-0x0000023114A80000-memory.dmp

memory/3292-39-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/4956-38-0x0000000000730000-0x0000000000779000-memory.dmp

memory/3292-41-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/1848-42-0x0000000000470000-0x00000000004B9000-memory.dmp

memory/3292-47-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/3292-52-0x0000023115760000-0x0000023115761000-memory.dmp

memory/3292-53-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/3292-54-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/3292-55-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/3292-56-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/3292-58-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/3292-61-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/3588-62-0x0000000000630000-0x0000000000679000-memory.dmp

memory/1648-64-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

memory/1648-67-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

memory/1648-68-0x0000021B2F150000-0x0000021B2F151000-memory.dmp

memory/1648-69-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

memory/1648-70-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

memory/1648-71-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp

memory/3292-72-0x0000023114E00000-0x0000023114E49000-memory.dmp

memory/1648-73-0x0000021B2F0F0000-0x0000021B2F139000-memory.dmp
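
The hashes, drop directory, domain, address and registry key on this page are the indicators a responder would push into host and network telemetry. The following Python is an added example, not part of the sandbox report: it normalises the indicator set and matches constructed file, DNS, connection and registry events against it. The event field names (type, path, sha256, query, dst_ip, dst_port, key) and the sample events are the example's own assumptions.

```python
"""Match file, DNS, network and registry telemetry against the indicators in this report."""
from __future__ import annotations

# Indicators copied from this report (Files and Network tables, registry signatures).
KNOWN_SHA256 = {
    "42bb35a99f00d6ec5a18aced113c138d05a5e9662b61e7130a7383f440c4db27": "MapACASvc.rar",
    "22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4": "DeElevator.exe",
    "23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b": "DeElevator64.dll",
    "4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e": "Private.USO",
}
DROP_DIR = "c:\\programdata\\microsoft\\mapacasvc\\"
C2_DOMAINS = {"update.mcrcsoft.com"}
C2_ENDPOINTS = {("8.218.234.216", 80)}
REG_KEY = "hklm\\software\\classes\\fast"


def norm_path(path: str) -> str:
    """Lower-case and use backslashes so prefix matching is case- and separator-insensitive."""
    return path.replace("/", "\\").lower()


def norm_reg_key(key: str) -> str:
    """Accept both the kernel form (\\REGISTRY\\MACHINE\\...) used in the report and the HKLM form."""
    k = key.lower()
    for prefix in ("\\registry\\machine\\", "hkey_local_machine\\"):
        if k.startswith(prefix):
            k = "hklm\\" + k[len(prefix):]
    return k


def match_event(ev: dict) -> list[str]:
    """Return the names of every indicator the event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "file":
        name = KNOWN_SHA256.get(ev.get("sha256", "").lower())
        if name:
            hits.append(f"sha256:{name}")
        if norm_path(ev.get("path", "")).startswith(DROP_DIR):
            hits.append("path:MapACASvc drop directory")
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")  # tolerate a trailing dot from the resolver log
        if q in C2_DOMAINS:
            hits.append(f"dns:{q}")
    elif kind == "net":
        if (ev.get("dst_ip"), ev.get("dst_port")) in C2_ENDPOINTS:
            hits.append(f"net:{ev['dst_ip']}:{ev['dst_port']}")
    elif kind == "registry":
        k = norm_reg_key(ev.get("key", ""))
        if k == REG_KEY or k.startswith(REG_KEY + "\\"):
            hits.append("registry:HKLM\\SOFTWARE\\Classes\\FAST")
    return hits


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and indicator names of every event that matched at least one indicator."""
    out = []
    for i, ev in enumerate(events):
        m = match_event(ev)
        if m:
            out.append((i, m))
    return out


# Constructed sample telemetry (not from the report), shaped after what the report observed.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll",
     "sha256": "23269729C2C0B943EDBDF469FE456E7583AC95423C9279D1DDC4D4C122444D7B"},
    {"type": "dns", "query": "update.mcrcsoft.com."},
    {"type": "net", "dst_ip": "8.218.234.216", "dst_port": 80},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\FAST\CLSID"},
    {"type": "file", "path": r"C:\Windows\System32\notepad.exe",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000"},
    {"type": "dns", "query": "tse1.mm.bing.net"},  # present in the report, but a Microsoft CDN name, not an indicator
]

if __name__ == "__main__":
    for i, m in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["type"], ", ".join(m))
```

The registry match is deliberately on the key path rather than the CLSID data, because the data differs in every detonation on this page; the path match is what survives on a real victim.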

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win10v2004-20240221-en

Max time kernel

143s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Signatures

N/A. Loading DeElevator64.dll on its own through rundll32 triggered no behavioural signatures, dropped no files and produced no forward DNS query or TCP connection; the only network entries below are reverse (PTR) lookups sent to 8.8.8.8. The full PlugX chain appears only in the detonations that start from DeElevator.exe, which drops a DLL of the same name beside itself, which is consistent with the DLL being a side-loaded component that expects its host executable. Do not read a clean rundll32 run as a benign verdict for the DLL.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win11-20240221-en

Max time kernel

149s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Signatures

N/A. Same rundll32 command as behavioral7, run on Windows 11: no signatures, no dropped files and nothing recorded under Network.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win10-20240214-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
(25 hits; Description, Indicator, Process and Target were not captured for any of them: N/A)

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003700320031003400380031003000380038003900430042003300450035000000 C:\Windows\system32\svchost.exe N/A

Decoded (UTF-16LE, NUL-terminated): 07214810889CB3E5, a different value from the one written in behavioral4.

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A (4 hits)
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A (2 hits)
N/A N/A C:\Windows\system32\svchost.exe N/A (10 hits)
N/A N/A C:\Windows\system32\msiexec.exe N/A (48 hits)
(64 hits in total, grouped here by process; the original table listed each hit on its own row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DeElevator.exe

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 212

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 1132

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.mcrcsoft.com udp
N/A 10.127.255.255:3128 N/A udp
HK 8.218.234.216:80 update.mcrcsoft.com tcp
US 8.8.8.8:53 216.234.218.8.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

memory/212-0-0x00007FF5FFDD0000-0x00007FF5FFED0000-memory.dmp

memory/212-3-0x0000000000050000-0x0000000000099000-memory.dmp

C:\ProgramData\Microsoft\MapACASvc\Private.USO

MD5 73af29f04bfd945e07de31b490f3aa56
SHA1 94e7b1ce58aacfa7afe070693bd497bfea07f568
SHA256 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e
SHA512 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c

C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll

MD5 d2c7db5f032e0a1577007eeee844e1df
SHA1 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28
SHA256 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b
SHA512 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

MD5 77f4f5243e1f2eab70e253e138488754
SHA1 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a
SHA256 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4
SHA512 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

memory/2276-29-0x0000000000050000-0x0000000000099000-memory.dmp

memory/2276-27-0x0000000000050000-0x0000000000099000-memory.dmp

memory/2152-34-0x0000000000C80000-0x0000000000CC9000-memory.dmp

memory/2152-37-0x0000000000C80000-0x0000000000CC9000-memory.dmp

memory/1132-36-0x000002505F1E0000-0x000002505F240000-memory.dmp

memory/212-39-0x0000000000050000-0x0000000000099000-memory.dmp

memory/1132-41-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-43-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-47-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-53-0x000002505F3B0000-0x000002505F3B1000-memory.dmp

memory/1132-54-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-55-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-56-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-57-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-59-0x000002505F310000-0x000002505F359000-memory.dmp

memory/1132-62-0x000002505F310000-0x000002505F359000-memory.dmp

memory/2276-63-0x0000000000050000-0x0000000000099000-memory.dmp

memory/4348-67-0x0000019CE7710000-0x0000019CE7759000-memory.dmp

memory/4348-70-0x0000019CE7710000-0x0000019CE7759000-memory.dmp

memory/4348-71-0x0000019CE7AB0000-0x0000019CE7AB1000-memory.dmp

memory/4348-72-0x0000019CE7710000-0x0000019CE7759000-memory.dmp

memory/4348-74-0x0000019CE7710000-0x0000019CE7759000-memory.dmp

memory/4348-73-0x0000019CE7710000-0x0000019CE7759000-memory.dmp

memory/1132-75-0x000002505F310000-0x000002505F359000-memory.dmp

memory/4348-76-0x0000019CE7710000-0x0000019CE7759000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win7-20240221-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
(25 hits; Description, Indicator, Process and Target were not captured for any of them: N/A)

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\~MHZ C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39004200440043004300330038004600300041004100460034003600360043000000 C:\Windows\system32\svchost.exe N/A

Decoded (UTF-16LE, NUL-terminated): 9BDCC38F0AAF466C, again distinct from the values written in the other detonations.

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A (2 hits)
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A (1 hit)
N/A N/A C:\Windows\system32\svchost.exe N/A (11 hits)
N/A N/A C:\Windows\system32\msiexec.exe N/A (50 hits)
(64 hits in total, grouped here by process; the original table listed each hit on its own row)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DeElevator.exe

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 1924

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2440

Network

Country Destination Domain Proto
N/A 10.127.255.255:3128 N/A udp
US 8.8.8.8:53 update.mcrcsoft.com udp
HK 8.218.234.216:80 update.mcrcsoft.com tcp

Files

memory/1924-0-0x000007FFFFEB0000-0x000007FFFFFB0000-memory.dmp

memory/1924-2-0x0000000000030000-0x0000000000079000-memory.dmp

memory/1924-4-0x0000000000030000-0x0000000000079000-memory.dmp

C:\ProgramData\Microsoft\MapACASvc\Private.USO

MD5 73af29f04bfd945e07de31b490f3aa56
SHA1 94e7b1ce58aacfa7afe070693bd497bfea07f568
SHA256 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e
SHA512 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c

C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll

MD5 d2c7db5f032e0a1577007eeee844e1df
SHA1 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28
SHA256 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b
SHA512 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

MD5 77f4f5243e1f2eab70e253e138488754
SHA1 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a
SHA256 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4
SHA512 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

memory/2612-28-0x0000000000030000-0x0000000000079000-memory.dmp

memory/2612-30-0x0000000000030000-0x0000000000079000-memory.dmp

memory/2564-37-0x0000000000030000-0x0000000000079000-memory.dmp

memory/2564-40-0x0000000000030000-0x0000000000079000-memory.dmp

memory/2440-39-0x0000000000130000-0x0000000000190000-memory.dmp

memory/2440-42-0x0000000000130000-0x0000000000190000-memory.dmp

memory/2564-43-0x0000000000030000-0x0000000000079000-memory.dmp

memory/2440-44-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/2440-48-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/1924-47-0x0000000000030000-0x0000000000079000-memory.dmp

memory/2440-59-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/2440-58-0x0000000000360000-0x0000000000361000-memory.dmp

memory/2440-60-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/2440-61-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/2440-62-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/2440-64-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/2612-68-0x0000000000030000-0x0000000000079000-memory.dmp

memory/1508-73-0x00000000006E0000-0x0000000000729000-memory.dmp

memory/1508-75-0x00000000006E0000-0x0000000000729000-memory.dmp

memory/1508-76-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1508-77-0x00000000006E0000-0x0000000000729000-memory.dmp

memory/1508-78-0x00000000006E0000-0x0000000000729000-memory.dmp

memory/1508-79-0x00000000006E0000-0x0000000000729000-memory.dmp

memory/2440-80-0x0000000000060000-0x00000000000A9000-memory.dmp

memory/1508-81-0x00000000006E0000-0x0000000000729000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\system32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31003000320044003200310034003500430035004400460030004200320033000000 C:\Windows\system32\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DeElevator.exe

"C:\Users\Admin\AppData\Local\Temp\DeElevator.exe"

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 100 2756

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

"C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 3160

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 update.mcrcsoft.com udp
N/A 10.127.255.255:3128 udp
HK 8.218.234.216:80 update.mcrcsoft.com tcp
US 8.8.8.8:53 216.234.218.8.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2756-0-0x00007FF4FDD90000-0x00007FF4FDE90000-memory.dmp

memory/2756-2-0x0000000000050000-0x0000000000099000-memory.dmp

C:\ProgramData\Microsoft\MapACASvc\Private.USO

MD5 73af29f04bfd945e07de31b490f3aa56
SHA1 94e7b1ce58aacfa7afe070693bd497bfea07f568
SHA256 4b7bbb949e0dca762687f113a5a2be5bda2b8a2c9654612a4907eeaf23b3976e
SHA512 105cadea52a8f01bedaf3bddb336a694ffa52430093fe6224984a0f28b9ef9063b2e4f4ff7e0ce1d09720b4eee59af57a346018e287f031892daae2ce12ce88c

C:\ProgramData\Microsoft\MapACASvc\DeElevator64.dll

MD5 d2c7db5f032e0a1577007eeee844e1df
SHA1 5e92a9fe4e2098816cdc50d6d41ed71a74fd4f28
SHA256 23269729c2c0b943edbdf469fe456e7583ac95423c9279d1ddc4d4c122444d7b
SHA512 97d48ca5d613e27004aa3aaf98547a69129961bc73e51ae7bbc34dc2838bd9e2da94a58e909a73eee742ddc965af86b3c6236b20408fd4f1e9f684a914be4d1a

C:\ProgramData\Microsoft\MapACASvc\DeElevator.exe

MD5 77f4f5243e1f2eab70e253e138488754
SHA1 6f91e14d7c5a7d2bc865cf0928dc9be9a2cef55a
SHA256 22869e3326fe1de011cd500e666769027126c5c440b76837baf55139f30094e4
SHA512 64a2be3bbc720f66264238aca89daa1214d96e5566838ba49c4b5ec32f3ab1bdd83a9bcc59d965c6fbbc7c171ac20f07e9118908064b5006503f343074b28bf5

memory/1664-27-0x00000000004D0000-0x0000000000519000-memory.dmp

memory/1664-30-0x00000000004D0000-0x0000000000519000-memory.dmp

memory/1456-34-0x0000000000400000-0x0000000000449000-memory.dmp

memory/3160-36-0x0000025EB6CB0000-0x0000025EB6D10000-memory.dmp

memory/1456-37-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2756-39-0x0000000000050000-0x0000000000099000-memory.dmp

memory/3160-40-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/3160-42-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/3160-52-0x0000025EB7880000-0x0000025EB7881000-memory.dmp

memory/3160-53-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/3160-54-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/3160-55-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/3160-56-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/3160-58-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/3160-61-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/1664-62-0x00000000004D0000-0x0000000000519000-memory.dmp

memory/4356-64-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

memory/4356-66-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

memory/4356-67-0x0000023BA5880000-0x0000023BA5881000-memory.dmp

memory/4356-68-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

memory/4356-69-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

memory/4356-70-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

memory/3160-71-0x0000025EB7000000-0x0000025EB7049000-memory.dmp

memory/4356-72-0x0000023BA5800000-0x0000023BA5849000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win7-20240221-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-26 12:29

Reported

2024-02-26 12:32

Platform

win10-20240221-en

Max time kernel

132s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DeElevator64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

memory/4888-0-0x00007FF7D7530000-0x00007FF7D7546000-memory.dmp

memory/4888-1-0x00007FF7D7530000-0x00007FF7D7546000-memory.dmp