Analysis
max time kernel: 153s
max time network: 159s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-03-2024 15:15
Static task: static1
Behavioral task: behavioral1 (Sample: Injected_LoadExe_Malware.exe, Resource: win10-20240221-en)
Behavioral task: behavioral2 (Sample: Injected_LoadExe_Malware.exe, Resource: win7-20240221-en)
Behavioral task: behavioral3 (Sample: Injected_LoadExe_Malware.exe, Resource: win10-20240221-en)
Behavioral task: behavioral4 (Sample: Injected_LoadExe_Malware.exe, Resource: win10v2004-20240226-en)
General
Target: Injected_LoadExe_Malware.exe
Size: 428KB
MD5: 7f7f7f4694f450ed2a0c4ada853a37ca
SHA1: 3ed531540d781153b51afd253c8eb4c2d1f62deb
SHA256: ed7a16bc643d74cd6a15ec9dcc8872e6a30b28b2ce012bd6f6ed6bfa75a61881
SHA512: 988da1646e17d33e270e5e898e09504aa770d00fb2164e0d49ee6bc7ba3d7fbb915616ea7b0ed5dc9ba4089fe91fc667da37636d1e02c9a0199a20e54885df6c
SSDEEP: 12288:+K2mhAMJ/cPlFBUVbCwc7FFaQyG4NvIX/gsXyssKR:v2O/GlFBsCwwFwb+Fs0
Malware Config
Signatures
Detects PlugX payload (20 IoCs)
resource | yara_rule
behavioral2/memory/2500-24-0x0000000000460000-0x00000000004B8000-memory.dmp | family_plugx
behavioral2/memory/2500-29-0x0000000000460000-0x00000000004B8000-memory.dmp | family_plugx
behavioral2/memory/2452-59-0x0000000000870000-0x00000000008C8000-memory.dmp | family_plugx
behavioral2/memory/2868-80-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2452-86-0x0000000000870000-0x00000000008C8000-memory.dmp | family_plugx
behavioral2/memory/2500-96-0x0000000000460000-0x00000000004B8000-memory.dmp | family_plugx
behavioral2/memory/2868-99-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-110-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-111-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-114-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-121-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-123-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-127-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-132-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2868-166-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2768-181-0x0000000000300000-0x0000000000358000-memory.dmp | family_plugx
behavioral2/memory/2768-189-0x0000000000300000-0x0000000000358000-memory.dmp | family_plugx
behavioral2/memory/2768-188-0x0000000000300000-0x0000000000358000-memory.dmp | family_plugx
behavioral2/memory/2868-197-0x0000000000410000-0x0000000000468000-memory.dmp | family_plugx
behavioral2/memory/2768-352-0x0000000000300000-0x0000000000358000-memory.dmp | family_plugx

Deletes itself (1 IoCs)
pid | Process
2868 | svchost.exe

Executes dropped EXE (2 IoCs)
pid | Process
2500 | iusb3mon.exe
2452 | iusb3mon.exe

Loads dropped DLL (6 IoCs)
pid | Process
2904 | Injected_LoadExe_Malware.exe
2904 | Injected_LoadExe_Malware.exe
2904 | Injected_LoadExe_Malware.exe
2904 | Injected_LoadExe_Malware.exe
2500 | iusb3mon.exe
2452 | iusb3mon.exe

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 907f4499d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 709b85a7d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000015000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecision = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadNetworkName = "Network 2" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecision = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 30487acdd97ada01 | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 90b2398fd97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 907f4499d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 304df9d0d97ada01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 104c4ab0d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 70d30fc7d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000012000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = f0781c95d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d07f62c2d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f0795ddad97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d0e1f8c9d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 30487acdd97ada01 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f03141b7d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 5098c2bad97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 5098c2bad97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d0cab2bdd97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 70d30fc7d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 304df9d0d97ada01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\76-74-29-a7-90-73 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 709b85a7d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 104c4ab0d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d0cab2bdd97ada01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813} | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d0599fabd97ada01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d09f70a3d97ada01 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000013000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 90bb43d6d97ada01 | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f0781c95d97ada01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionReason = "1" | svchost.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44004600350035003100300043004500350038004400440044003700440045000000 | svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2868 | svchost.exe (14 entries, interleaved with the msiexec.exe entries in the original order)
2768 | msiexec.exe (50 entries)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2868 | svchost.exe
2768 | msiexec.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2500 | iusb3mon.exe
Token: SeTcbPrivilege | 2500 | iusb3mon.exe
Token: SeDebugPrivilege | 2452 | iusb3mon.exe
Token: SeTcbPrivilege | 2452 | iusb3mon.exe
Token: SeDebugPrivilege | 2868 | svchost.exe
Token: SeTcbPrivilege | 2868 | svchost.exe
Token: SeDebugPrivilege | 2768 | msiexec.exe
Token: SeTcbPrivilege | 2768 | msiexec.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2904 wrote to memory of 2500 | 2904 | Injected_LoadExe_Malware.exe | 28 (7 entries)
PID 2452 wrote to memory of 2868 | 2452 | iusb3mon.exe | 30 (9 entries)
PID 2868 wrote to memory of 2768 | 2868 | svchost.exe | 31 (12 entries)
Processes (child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
    PID: 2904
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
        PID: 2500
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
    Command line: "C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
    PID: 2452
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\system32\svchost.exe 201 0
        PID: 2868
        - Deletes itself
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\msiexec.exe
            Command line: C:\Windows\system32\msiexec.exe 209 2868
            PID: 2768
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 4KB
MD5: 53c8cecfec9def827dd79eba8894c073
SHA1: 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a
SHA256: 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388
SHA512: 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

Filesize: 225KB
MD5: 9b697afa24fa4e8e32c97bfe3f791344
SHA1: 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa
SHA256: 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e
SHA512: d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

Filesize: 4KB
MD5: e9a5d0321439cb69ad4a3805042128a1
SHA1: f80004d9380e0e94edbed91f1b0c4ecdc393473d
SHA256: 477df02ec43ddb2287c7ccde765f114d5391f91ef6452603c9b991f757a31447
SHA512: e435ae289aa7e5f61297229398eb5686aa5dacbca96728274625ed8f7e8bbdff5a8d70a4bf606a1bf142ad8c7fc022eadfb2563484307f0b6e28f2bfc1539136

Filesize: 23KB
MD5: 71be2e1148489794f02f049eec1e64fa
SHA1: ae6281b653f8ac5f5d12f55e3a16973e738f46bf
SHA256: 955b4dbda39904d535dc013ebb08722c259506106ef824a43fcefbff4bf34627
SHA512: d0d1a0826eae0693181e3ff74faba76e227d5a19d0d3333b040e2884a3cc0aad60ec45d15191d63a6cd89813efbdb57de03bd09bad789436f3e4856e1f9ebe0a

Filesize: 25KB
MD5: 77bd5c48ed49f08ca7c5c950c6cd6f4d
SHA1: 9165e2c7fbd15906eaac8d1186727528741e2e6b
SHA256: 0fd10bd7ea44348fc96de391a48632f328dc8303c4eac46a81ab45b805cea817
SHA512: 1901afbad383da275dc821f8048b5afa7963e5b6db8a56928b6ff0d225ddca1dff7492368acaec6ee29a777ce43c581e2e2bc9bc4ef19456799dfeaea8f53109

Filesize: 4KB
MD5: d56867a49c9eaf834dc416bfde9034a6
SHA1: 36433329d6971acedd0f88c4601d736537b53d50
SHA256: fc26fa6e029934274d8a07325abf7034b9708b0a54bdb8c48568b25864391453
SHA512: d9bf63e24c171400c989b117191d54f20e344e9c62e689ba3da176c6aa752b4bb969e7c3cac78efcae26d7c003d81181679dede68d464808422e621ba13e8a5e

Filesize: 6KB
MD5: 136fe31318b808f8b6421d152e3e3b7a
SHA1: c0679372c0badeb73e71641fdb38fb09e52afa86
SHA256: 4aecaf094ff8eacf42f1dcef4b145cd8a79722046621739fed20cc517fab480f
SHA512: c95a8704c30e495831323cfb13fc26e8935aa87c6c000223914f489596beaefd6aa2023874728eda1d4f3bca1f07c22823d8125183cb82727e3fc09e3c1df0a3

Filesize: 7KB
MD5: 990dd9e4255660503ce6efdfbbf40774
SHA1: 7f0974a0c6f517f5f596256963e4ecf636b3fa7f
SHA256: 195dab4e2c9a2d9307eb0e4190fb261b4c705e4ca83555f43df36d5ec47178c9
SHA512: 4b9fcc86b97cdaee9a398d7e30f43e4fbd5c6c0431b6c1816cfab16e0402db9b5c3eae306142e56501422fa463a74408e19cf0ab768cdc31cfa72588dfcb405c

Filesize: 9KB
MD5: 39f4c9e71513fa2e7e09defc1a8c6d9e
SHA1: c4244d3b9197a11a8bf30e850196373937a45f8a
SHA256: 24cf0ff50eb18eb3a74749814e3afe6613750ac9619b6b41427e354b1cc4e8f7
SHA512: 51ca54b025fbe9b04caf3c26efca93f6de2c56bc573b3ed7c350188208c50c9822fbcb8b7d8007deefb18cd3899cb21fa49ae01a623277f54319526a37dafb24

Filesize: 9KB
MD5: 0abecb5b6951a43445a6d2ca9daeeb7d
SHA1: b89aeb913cec4bd6d787cbcd9202213be4fc442c
SHA256: f71e383959c368664c1670baf62db39932f1cc8c7b2bf46533c9151fcadd4b6c
SHA512: 2ba083d11f09821c4d45e731fc804ab3dfeea6eac7a90ab7e2d1bee64803ab71bda368bcb02334d05870dac99a63635d1694434e347b4494fed848689276cf92

Filesize: 9KB
MD5: c050898ccc96e1fd1b1240690e1df6b9
SHA1: 3655fc41138983eb224de6e9a7bac5b2ec56abc4
SHA256: ff2d9ceabf53c3f180a45b85a65b168ab0b10701aeebb43f812dace1d25d68fa
SHA512: c60aec9983ade23c9086a2edd6b277f4b453a1941ccc79d6855d2015c6ab3ab6a93ea141f6f950c1dfa1eac87c3ea616e1c57f313b0885a0be356c487efe1e05

Filesize: 285KB
MD5: 9166c1276b296bc78fa816cd8448cd32
SHA1: b5e48ccae94269ca95904fc58440113e9a4cae00
SHA256: 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395
SHA512: 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26