Malware Analysis Report

2024-07-11 07:34

Sample ID 240410-l6331sbh58
Target 2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e
SHA256 2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e
Tags
plugx trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e

Threat Level: Known bad

The file 2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Loads dropped DLL

Unexpected DNS network traffic destination

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-10 10:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 10:09

Reported

2024-04-10 10:12

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Display3D.exe N/A
N/A N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
N/A N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 182.16.70.42 N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003600320032003300440042003800360036004300440035003400410033000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Display3D.exe N/A
N/A N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Display3D.exe N/A
Token: SeTcbPrivilege N/A \??\c:\Display3D.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 2608 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\Display3D.exe
PID 560 wrote to memory of 1040 N/A C:\ProgramData\CryptSvcs\Display3D.exe C:\Windows\SysWOW64\svchost.exe
PID 1040 wrote to memory of 2244 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe

"C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\run.bat" "

\??\c:\Display3D.exe

Display3D.exe

C:\ProgramData\CryptSvcs\Display3D.exe

"C:\ProgramData\CryptSvcs\Display3D.exe" 100 2608

C:\ProgramData\CryptSvcs\Display3D.exe

"C:\ProgramData\CryptSvcs\Display3D.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 209 1040

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whoamis.info udp
US 8.8.8.8:53 www.whoamis.info udp
N/A 10.127.255.255:53 udp
HK 182.16.70.42:81 www.whoamis.info tcp
HK 182.16.70.42:81 www.whoamis.info tcp
US 8.8.8.8:53 list.whoamis.info udp
US 8.8.8.8:53 mail.whoamis.info udp
HK 182.16.70.42:443 mail.whoamis.info tcp
HK 182.16.70.42:53 mail.whoamis.info udp
US 8.8.8.8:53 poer.whoamis.info udp
HK 182.16.70.42:1900 poer.whoamis.info udp
US 8.8.8.8:53 www.whoamis.info udp
HK 182.16.70.42:81 www.whoamis.info tcp
US 8.8.8.8:53 list.whoamis.info udp
HK 182.16.70.42:443 list.whoamis.info tcp

Files

C:\run.bat

MD5 da1c5ecc36b8b96cf9bfeed44581ca69
SHA1 3de0e37509fb5211971cbbfcabf76f6afddd17fd
SHA256 ca22a76ef4cc3b48793b0cf6bd68d000d74711079596989a2a209f1ecb012a04
SHA512 4b49ce6fdbcd036d680c8646f78573e088704a9fa8c8e109cd7ae0a1fbddf8e9fa719779454495004c28dccfd0b3133005b45ce70903eef95b639f0ea2b84217

C:\Display3D.exe

MD5 04d96003c2fc885a648028b50c4b0ed0
SHA1 6dbcc75a74ef43a275ba90246279ece264dc7a4f
SHA256 ab6f2d57c89435f667a4edc72635188aee2c559c6c0b6c6272cdf18ac44c1fe1
SHA512 d99a8b7f97a0cdafeef07e6bc6469275f762331f4a5ecf701114ff30d2c3571befa29e47376197d164be3b2e63628bbb6e6e659c54e4e34b98a19a51900c8dbf

\??\c:\D3DX81ab.dll

MD5 4d27c761c43f1f4094005889efd968eb
SHA1 3900a153f894dda7a8b23984b20d87b3ae6b01ab
SHA256 7afd418750824969fd6d0c6db949456998f792c97d6a69669051e1c90a458a5b
SHA512 5a173e16fec3555da024555c3b8ca3c95667b6f6e2286c8ab83a63a70b614effe01c7332a9f518ceb9cc6754295bbfc3fffb93e7e6ca36050a4e3a38ac48dc2e

\??\c:\libcro.dll

MD5 eb21f4f06f900c89519ccf17a0ead35b
SHA1 ad30037f31f910ece2ba79fa30e55128d63059e6
SHA256 618e38e0e5ccdefbd4bc4987f60c40f1c2f733c2441ed2026d1530910d7196bd
SHA512 dd58edad7fdd0e8f352805f75bff7bfda1b016f0815b8df68b9947e456b47f140fc470dbf9ec37adc724601c27ca7276ba88bdc62573b44167bcd12c19cc482a

\??\c:\update.log

MD5 7bdb5c71559aa4eac77ec64b5ac87f3f
SHA1 0a2c272f8e20025da6aad163fa8a21ff5e5405c3
SHA256 817b7a5aebfd53e2792d1d2a5b3ae7948b6557473064f04639479449cbb9157a
SHA512 e27069b7491c618e70215dc02bae766e6c761cd2a924cd49538e3b8156acaa53c434e9c36989ef5361cd404f9550fc3761fc0238bd616d71fcb5e5d5e533ecf7

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 10:09

Reported

2024-04-10 10:12

Platform

win10v2004-20240226-en

Max time kernel

161s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Display3D.exe N/A
N/A N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
N/A N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 182.16.70.42 N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003800340032004300450033003100390033004300340035004400300031000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\Display3D.exe N/A
N/A N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\Display3D.exe N/A
Token: SeTcbPrivilege N/A \??\c:\Display3D.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CryptSvcs\Display3D.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3664 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe C:\Windows\SysWOW64\cmd.exe
PID 3068 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\Display3D.exe
PID 3452 wrote to memory of 2828 N/A C:\ProgramData\CryptSvcs\Display3D.exe C:\Windows\SysWOW64\svchost.exe
PID 2828 wrote to memory of 4420 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe

"C:\Users\Admin\AppData\Local\Temp\2ecb9e6f123aef47a0650fbd76da8d57408bc43413959750f46b47645e58f88e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\run.bat" "

\??\c:\Display3D.exe

Display3D.exe

C:\ProgramData\CryptSvcs\Display3D.exe

"C:\ProgramData\CryptSvcs\Display3D.exe" 100 2020

C:\ProgramData\CryptSvcs\Display3D.exe

"C:\ProgramData\CryptSvcs\Display3D.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 209 2828

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.whoamis.info udp
US 8.8.8.8:53 www.whoamis.info udp
N/A 10.127.255.255:53 udp
HK 182.16.70.42:81 www.whoamis.info tcp
HK 182.16.70.42:81 www.whoamis.info tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 mail.whoamis.info udp
US 8.8.8.8:53 list.whoamis.info udp
HK 182.16.70.42:443 list.whoamis.info tcp
HK 182.16.70.42:53 list.whoamis.info udp
US 8.8.8.8:53 42.70.16.182.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 poer.whoamis.info udp
HK 182.16.70.42:1900 poer.whoamis.info udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.whoamis.info udp
HK 182.16.70.42:81 www.whoamis.info tcp
US 8.8.8.8:53 list.whoamis.info udp
HK 182.16.70.42:443 list.whoamis.info tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

C:\run.bat

MD5 da1c5ecc36b8b96cf9bfeed44581ca69
SHA1 3de0e37509fb5211971cbbfcabf76f6afddd17fd
SHA256 ca22a76ef4cc3b48793b0cf6bd68d000d74711079596989a2a209f1ecb012a04
SHA512 4b49ce6fdbcd036d680c8646f78573e088704a9fa8c8e109cd7ae0a1fbddf8e9fa719779454495004c28dccfd0b3133005b45ce70903eef95b639f0ea2b84217

C:\Display3D.exe

MD5 04d96003c2fc885a648028b50c4b0ed0
SHA1 6dbcc75a74ef43a275ba90246279ece264dc7a4f
SHA256 ab6f2d57c89435f667a4edc72635188aee2c559c6c0b6c6272cdf18ac44c1fe1
SHA512 d99a8b7f97a0cdafeef07e6bc6469275f762331f4a5ecf701114ff30d2c3571befa29e47376197d164be3b2e63628bbb6e6e659c54e4e34b98a19a51900c8dbf

\??\c:\D3DX81ab.dll

MD5 4d27c761c43f1f4094005889efd968eb
SHA1 3900a153f894dda7a8b23984b20d87b3ae6b01ab
SHA256 7afd418750824969fd6d0c6db949456998f792c97d6a69669051e1c90a458a5b
SHA512 5a173e16fec3555da024555c3b8ca3c95667b6f6e2286c8ab83a63a70b614effe01c7332a9f518ceb9cc6754295bbfc3fffb93e7e6ca36050a4e3a38ac48dc2e

\??\c:\libcro.dll

MD5 eb21f4f06f900c89519ccf17a0ead35b
SHA1 ad30037f31f910ece2ba79fa30e55128d63059e6
SHA256 618e38e0e5ccdefbd4bc4987f60c40f1c2f733c2441ed2026d1530910d7196bd
SHA512 dd58edad7fdd0e8f352805f75bff7bfda1b016f0815b8df68b9947e456b47f140fc470dbf9ec37adc724601c27ca7276ba88bdc62573b44167bcd12c19cc482a

\??\c:\update.log

MD5 7bdb5c71559aa4eac77ec64b5ac87f3f
SHA1 0a2c272f8e20025da6aad163fa8a21ff5e5405c3
SHA256 817b7a5aebfd53e2792d1d2a5b3ae7948b6557473064f04639479449cbb9157a
SHA512 e27069b7491c618e70215dc02bae766e6c761cd2a924cd49538e3b8156acaa53c434e9c36989ef5361cd404f9550fc3761fc0238bd616d71fcb5e5d5e533ecf7
