Analysis
-
max time kernel
159s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 12:01
General
-
Target
update/USOPrivate.exe
-
Size
760KB
-
MD5
10866465a9b0c56af2cd093b80cdbc9f
-
SHA1
fc77be3e68a79b597ffed1b307d1b447787e7995
-
SHA256
9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
-
SHA512
975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091
-
SSDEEP
6144:c3PgKtEhPIPe16jzM66rBghPlNoVh5j9mmNpMHGIygduNrnoh/WOHI0jVjSjztx/:eIA4PIPoQMFgDNg/jMmLohW70Rj+ztp
Malware Config
Signatures
-
Detects PlugX payload 26 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Unexpected DNS network traffic destination 5 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Bitdefender\update\USOPrivate.exe"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 100 48001⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Bitdefender\update\USOPrivate.exe"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe 209 34683⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
154KB
MD51eb44d7ec4d7d2a13a81d7542ef6bc2b
SHA1f35d30962790b99cc29d38ccf6e9e66c82e5aa80
SHA256bdba1d2043bd89693895c079d57d2494a02d435eae2981bc20bd3b92e9c8dece
SHA5129a570ced024157613d01ed30293b21b81155401790a160dd42446ad15119c6b2da4362435f39ffba404b266a7831bfb955edbf42412987769c2405655471e97c
-
Filesize
760KB
MD510866465a9b0c56af2cd093b80cdbc9f
SHA1fc77be3e68a79b597ffed1b307d1b447787e7995
SHA2569831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091
-
Filesize
54KB
MD52a747a6201189e133c18ae24e44476f3
SHA1002be31d69cf30bc8a8e2ed51c038a5bdfd88141
SHA2560cc36dd25e099cc6f1798dabe1d6a3e2d8c3883aa0e0d7296e94d035cdb74f3c
SHA51236080f7595b6a1c05ecce348a75adbac4cdf8ccc441a724e3aa50130c62cd74d3948dabf8343b95cd90043f569b7f301f94102626942e9c0080133c486a830b3
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
1024KB