Analysis
- max time kernel: 159s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-04-2024 12:01
Static task: static1
Behavioral task: behavioral1 (Sample: update/USOPrivate.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: update/USOPrivate.exe, Resource: win10v2004-20240226-en)
Behavioral task: behavioral3 (Sample: update/log.dll, Resource: win7-20240221-en)
Behavioral task: behavioral4 (Sample: update/log.dll, Resource: win10v2004-20240226-en)
General
- Target: update/USOPrivate.exe
- Size: 760KB
- MD5: 10866465a9b0c56af2cd093b80cdbc9f
- SHA1: fc77be3e68a79b597ffed1b307d1b447787e7995
- SHA256: 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
- SHA512: 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091
- SSDEEP: 6144:c3PgKtEhPIPe16jzM66rBghPlNoVh5j9mmNpMHGIygduNrnoh/WOHI0jVjSjztx/:eIA4PIPoQMFgDNg/jMmLohW70Rj+ztp
Malware Config
Signatures
- Detects PlugX payload (26 IoCs)
- Unexpected DNS network traffic destination (5 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  103.56.18.101
  Destination IP  103.56.18.101
  Destination IP  103.56.18.101
  Destination IP  103.56.18.101
  Destination IP  123.111.231.1
- Deletes itself (1 IoC)
  pid   Process
  3092  USOPrivate.exe
- Executes dropped EXE (2 IoCs)
  pid   Process
  3092  USOPrivate.exe
  4288  USOPrivate.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  3092  USOPrivate.exe
  4288  USOPrivate.exe
- Modifies registry class (2 IoCs)
  description       ioc                                                                                              Process
  Key created       \REGISTRY\MACHINE\Software\CLASSES\FAST                                                          svchost.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003700440031004600440032004200370037004300320035004400310046000000  svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, count in the entries column)
  pid   Process         entries
  4800  USOPrivate.exe  4
  3092  USOPrivate.exe  4
  4288  USOPrivate.exe  4
  3468  svchost.exe     12
  1092  msiexec.exe     40
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  3468  svchost.exe
  1092  msiexec.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4800  USOPrivate.exe
  Token: SeTcbPrivilege    4800  USOPrivate.exe
  Token: SeDebugPrivilege  3092  USOPrivate.exe
  Token: SeTcbPrivilege    3092  USOPrivate.exe
  Token: SeDebugPrivilege  4288  USOPrivate.exe
  Token: SeTcbPrivilege    4288  USOPrivate.exe
  Token: SeDebugPrivilege  3468  svchost.exe
  Token: SeTcbPrivilege    3468  svchost.exe
  Token: SeDebugPrivilege  1092  msiexec.exe
  Token: SeTcbPrivilege    1092  msiexec.exe
- Suspicious use of WriteProcessMemory (13 IoCs; identical rows collapsed, count in the entries column)
  description                       pid   Process         procid_target  entries
  PID 4288 wrote to memory of 3468  4288  USOPrivate.exe  91             7
  PID 3468 wrote to memory of 1092  3468  svchost.exe     92             6
Processes
- "C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"  PID:4800
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- "C:\ProgramData\Bitdefender\update\USOPrivate.exe" 100 4800  PID:3092
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- "C:\ProgramData\Bitdefender\update\USOPrivate.exe" 200 0  PID:4288
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\system32\svchost.exe 201 0  PID:3468
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\system32\msiexec.exe 209 3468  PID:1092
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 154KB
  MD5: 1eb44d7ec4d7d2a13a81d7542ef6bc2b
  SHA1: f35d30962790b99cc29d38ccf6e9e66c82e5aa80
  SHA256: bdba1d2043bd89693895c079d57d2494a02d435eae2981bc20bd3b92e9c8dece
  SHA512: 9a570ced024157613d01ed30293b21b81155401790a160dd42446ad15119c6b2da4362435f39ffba404b266a7831bfb955edbf42412987769c2405655471e97c
- Filesize: 760KB
  MD5: 10866465a9b0c56af2cd093b80cdbc9f
  SHA1: fc77be3e68a79b597ffed1b307d1b447787e7995
  SHA256: 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
  SHA512: 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091
- Filesize: 54KB
  MD5: 2a747a6201189e133c18ae24e44476f3
  SHA1: 002be31d69cf30bc8a8e2ed51c038a5bdfd88141
  SHA256: 0cc36dd25e099cc6f1798dabe1d6a3e2d8c3883aa0e0d7296e94d035cdb74f3c
  SHA512: 36080f7595b6a1c05ecce348a75adbac4cdf8ccc441a724e3aa50130c62cd74d3948dabf8343b95cd90043f569b7f301f94102626942e9c0080133c486a830b3