Malware Analysis Report

2024-07-11 07:32

Sample ID 240410-n61c8seh32
Target 76d008d9955509d3db6e190acfa58fdf12fc64253884ac6981187a3e5ffdeb20
SHA256 76d008d9955509d3db6e190acfa58fdf12fc64253884ac6981187a3e5ffdeb20
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

76d008d9955509d3db6e190acfa58fdf12fc64253884ac6981187a3e5ffdeb20

Threat Level: Known bad

The file 76d008d9955509d3db6e190acfa58fdf12fc64253884ac6981187a3e5ffdeb20 was found to be: Known bad.

What the four detonations below show, taken together: when USOPrivate.exe is the entry point (behavioral1 on Windows 7, behavioral2 on Windows 10) the sample writes USOPrivate.exe, log.dll and USOPrivate.dat to C:\ProgramData\Bitdefender\update\, starts that copy with numeric stage arguments (100 followed by the PID of the process that launched it: 2688 and 4800, the PIDs of the first memory dumps; then 200 0), triggers the "Deletes itself" signature, writes into svchost.exe (started as 201 0) and from there into msiexec.exe (started as 209 followed by the PID of that svchost.exe), creates HKLM\SOFTWARE\Classes\FAST\CLSID with a value that differs between the two VMs, and then resolves localhost.11i.me, sending DNS directly to 103.56.18.101 and 123.111.231.1 rather than only to the sandbox resolvers, and connecting to 103.56.18.101 on TCP/443. Loading log.dll on its own through rundll32 (behavioral3, behavioral4) produced nothing beyond process enumeration: no dropped files, no registry change, no PlugX detection and no C2 traffic. The DLL only does something observable when started through USOPrivate.exe, so indicators should be taken from behavioral1 and behavioral2.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Unexpected DNS network traffic destination

Deletes itself

Executes dropped EXE

Loads dropped DLL

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-10 12:01

Signatures

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-10 12:01

Reported

2024-04-10 12:03

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\update\log.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\update\log.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp

Files

memory/960-0-0x00007FFD0EEE0000-0x00007FFD0EEE1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 12:01

Reported

2024-04-10 12:04

Platform

win7-20240221-en

Max time kernel

168s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A (24 identical rows)

PlugX

trojan plugx

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 103.56.18.101 N/A N/A
Destination IP 103.56.18.101 N/A N/A
Destination IP 103.56.18.101 N/A N/A
Destination IP 103.56.18.101 N/A N/A
Destination IP 123.111.231.1 N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35003100450036004300460031003900430035003000340041004400420046000000 C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2504 wrote to memory of 2444 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2444 wrote to memory of 2828 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe

"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"

C:\ProgramData\Bitdefender\update\USOPrivate.exe

"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 100 2688

C:\ProgramData\Bitdefender\update\USOPrivate.exe

"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2444

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 localhost.11i.me udp
KR 123.111.231.1:53 localhost.11i.me udp
US 8.8.4.4:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp

Files

memory/2688-0-0x0000000001C20000-0x0000000001D20000-memory.dmp

memory/2688-1-0x0000000077090000-0x0000000077091000-memory.dmp

memory/2688-2-0x0000000001DA0000-0x0000000001DDC000-memory.dmp

\ProgramData\Bitdefender\update\USOPrivate.exe

MD5 10866465a9b0c56af2cd093b80cdbc9f
SHA1 fc77be3e68a79b597ffed1b307d1b447787e7995
SHA256 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

C:\ProgramData\Bitdefender\update\log.dll

MD5 2a747a6201189e133c18ae24e44476f3
SHA1 002be31d69cf30bc8a8e2ed51c038a5bdfd88141
SHA256 0cc36dd25e099cc6f1798dabe1d6a3e2d8c3883aa0e0d7296e94d035cdb74f3c
SHA512 36080f7595b6a1c05ecce348a75adbac4cdf8ccc441a724e3aa50130c62cd74d3948dabf8343b95cd90043f569b7f301f94102626942e9c0080133c486a830b3

C:\ProgramData\Bitdefender\update\USOPrivate.dat

MD5 1eb44d7ec4d7d2a13a81d7542ef6bc2b
SHA1 f35d30962790b99cc29d38ccf6e9e66c82e5aa80
SHA256 bdba1d2043bd89693895c079d57d2494a02d435eae2981bc20bd3b92e9c8dece
SHA512 9a570ced024157613d01ed30293b21b81155401790a160dd42446ad15119c6b2da4362435f39ffba404b266a7831bfb955edbf42412987769c2405655471e97c

memory/2560-21-0x0000000077090000-0x0000000077091000-memory.dmp

memory/2560-23-0x0000000001E70000-0x0000000001EAC000-memory.dmp

memory/2560-24-0x0000000001E70000-0x0000000001EAC000-memory.dmp

memory/2504-29-0x0000000001BD0000-0x0000000001C0C000-memory.dmp

memory/2444-30-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2444-32-0x0000000000080000-0x00000000000A5000-memory.dmp

memory/2444-33-0x00000000000B0000-0x00000000000B2000-memory.dmp

memory/2444-34-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2444-35-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-37-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-36-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2504-38-0x0000000001BD0000-0x0000000001C0C000-memory.dmp

memory/2688-44-0x0000000001DA0000-0x0000000001DDC000-memory.dmp

memory/2444-49-0x0000000000060000-0x0000000000061000-memory.dmp

memory/2444-50-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-51-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-52-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-53-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-55-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-54-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-56-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2444-58-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2560-59-0x0000000001E70000-0x0000000001EAC000-memory.dmp

memory/2828-68-0x0000000000070000-0x0000000000071000-memory.dmp

memory/2828-70-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2828-72-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2828-73-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2828-74-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2828-75-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2444-76-0x0000000000480000-0x00000000004BC000-memory.dmp

memory/2828-77-0x0000000000290000-0x00000000002CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 12:01

Reported

2024-04-10 12:04

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A (26 identical rows)

PlugX

trojan plugx

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 103.56.18.101 N/A N/A
Destination IP 103.56.18.101 N/A N/A
Destination IP 103.56.18.101 N/A N/A
Destination IP 103.56.18.101 N/A N/A
Destination IP 123.111.231.1 N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003700440031004600440032004200370037004300320035004400310046000000 C:\Windows\system32\svchost.exe N/A
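The CLSID data in both "Modifies registry class" tables (behavioral1 above and behavioral2 here) is printed as raw hex. The following is an added example, not sandbox output, that decodes both blobs and classifies the result; the two hex strings are copied from the report, and the "host-id" / "real-clsid" labels are this example's own naming.

```python
r"""
Decode the REG_BINARY data the sandbox shows being written to
HKLM\SOFTWARE\Classes\FAST\CLSID by the injected svchost.exe. The two hex
blobs are copied from the 'Modifies registry class' rows of behavioral1
(Windows 7) and behavioral2 (Windows 10); the decoding and the shape check
are an added example, not sandbox output.
"""
import re

FAST_CLSID_RAW = {
    "behavioral1": "35003100450036004300460031003900430035003000340041004400420046000000",
    "behavioral2": "46003700440031004600440032004200370037004300320035004400310046000000",
}

def decode_utf16_hex(hex_blob: str) -> str:
    """Hex -> bytes -> UTF-16LE, dropping the terminating NUL.

    Every second byte is 00, which is how ASCII text looks once Windows has
    stored it as a wide (REG_SZ-style) string."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) % 2:
        raise ValueError("UTF-16LE data must have an even number of bytes")
    return raw.decode("utf-16-le").rstrip("\x00")

_HEX16 = re.compile(r"^[0-9A-F]{16}$")
_GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def value_kind(value: str) -> str:
    """'real-clsid' for a braced GUID, 'host-id' for 16 upper-case hex digits
    (the shape both detonations produced, and different on each VM), else
    'other'. The labels are this example's, not the sandbox's."""
    if _GUID.match(value):
        return "real-clsid"
    if _HEX16.match(value):
        return "host-id"
    return "other"

def decode_all() -> dict:
    """{run: (decoded value, kind)} for every blob in FAST_CLSID_RAW."""
    out = {}
    for run, blob in FAST_CLSID_RAW.items():
        value = decode_utf16_hex(blob)
        out[run] = (value, value_kind(value))
    return out
```

The value is not a COM class identifier at all: it decodes to 51E6CF19C504ADBF on the Windows 7 VM and F7D1FD2B77C25D1F on the Windows 10 VM, sixteen upper-case hex digits that change per machine. The presence of HKLM\SOFTWARE\Classes\FAST\CLSID with a value of that shape, rather than a braced GUID, is a cheap host-level check to pair with the file hashes listed below.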

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
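The WriteProcessMemory tables in behavioral1 and behavioral2 log one row per call, so the injection chain is easy to lose in the repetition. The following is an added example, not sandbox code: it parses the behavioral2 rows (copied from the table above), collapses them into writer-to-target edges with a write count, walks the chain from the dropped binary to the final host process, and flags the edge a detection rule would key on. The "foreign writer" rule is this example's assumption.

```python
r"""
Rebuild the injection chain from the report's 'Suspicious use of
WriteProcessMemory' rows (same layout in behavioral1 and behavioral2).
WPM_ROWS is copied from the behavioral2 table; the parsing, the edge
counting and the origin check are an added example, not sandbox code.
"""
import re

WPM_ROWS = r"""
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4288 wrote to memory of 3468 N/A C:\ProgramData\Bitdefender\update\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 3468 wrote to memory of 1092 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_edges(text: str) -> dict:
    """Map (writer_pid, target_pid) -> {'src', 'dst', 'writes'}.

    The same pair repeats once per WriteProcessMemory call; the count is
    kept because a burst of writes into another process is itself a signal
    (a whole payload being copied in, not a single patched pointer)."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        src_pid, dst_pid, src_img, dst_img = m.groups()
        key = (int(src_pid), int(dst_pid))
        edge = edges.setdefault(key, {"src": src_img, "dst": dst_img, "writes": 0})
        edge["writes"] += 1
    return edges

def injection_chain(edges: dict) -> list:
    """Follow writer -> target links from the root writer down to the leaf.

    Returns [(pid, image), ...]. Assumes one linear chain, which is what
    both detonations show (dropped loader -> svchost.exe -> msiexec.exe)."""
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in targets})
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, got {roots}")
    pid, chain = roots[0], []
    while True:
        children = [(dst, e) for (src, dst), e in edges.items() if src == pid]
        if not children:
            return chain
        (dst, e), = children            # linear chain: exactly one child
        if not chain:
            chain.append((pid, e["src"]))
        chain.append((dst, e["dst"]))
        pid = dst

def foreign_writers(edges: dict) -> list:
    r"""Edges where an image outside C:\Windows writes into a system32
    image: the pattern a rule would key on (here the copy dropped under
    C:\ProgramData\Bitdefender\update\ writing into svchost.exe)."""
    win = "c:\\windows\\"
    return sorted(key for key, e in edges.items()
                  if not e["src"].lower().startswith(win)
                  and e["dst"].lower().startswith(win + "system32\\"))
```

Run over the behavioral2 rows this yields the chain 4288 (USOPrivate.exe in ProgramData) to 3468 (svchost.exe) to 1092 (msiexec.exe), with seven writes on the first hop and six on the second, and the ProgramData-to-svchost edge as the one that would fire a "non-Windows binary writes into a system process" rule. The second hop, svchost.exe into msiexec.exe, would pass such a rule and is only caught by following the chain, which is why the count and the walk are both kept.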

Processes

C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe

"C:\Users\Admin\AppData\Local\Temp\update\USOPrivate.exe"

C:\ProgramData\Bitdefender\update\USOPrivate.exe

"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 100 4800

C:\ProgramData\Bitdefender\update\USOPrivate.exe

"C:\ProgramData\Bitdefender\update\USOPrivate.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 3468

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 202.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
N/A 10.127.255.255:53 udp
KR 123.111.231.1:53 localhost.11i.me udp
US 8.8.4.4:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 1.231.111.123.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 101.18.56.103.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
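The network tables in behavioral1 and behavioral2 mix the sandbox's own reverse lookups against 8.8.8.8 with the rows that actually matter. The following is an added example, not part of the report: it parses the behavioral2 rows (copied from the table above), buckets each flow, and reduces the table to the indicators a blocklist or hunt would use. The resolver list and the bucket rules are this example's assumptions, not the sandbox's signature logic.

```python
"""
Triage a sandbox 'Network' table: separate the resolver noise the sandbox
itself produces (PTR lookups sent to 8.8.8.8) from the rows that are
indicators. NETWORK_ROWS is copied from the behavioral2 table in the
report's own 'Country Destination Domain Proto' layout; the bucket rules
and the resolver list are this example's assumptions, not the sandbox's
signature logic.
"""
from collections import Counter
from ipaddress import ip_address
from typing import NamedTuple

NETWORK_ROWS = """
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 202.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
N/A 10.127.255.255:53 udp
KR 123.111.231.1:53 localhost.11i.me udp
US 8.8.4.4:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 1.231.111.123.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 101.18.56.103.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:443 localhost.11i.me tcp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 localhost.11i.me udp
HK 103.56.18.101:53 localhost.11i.me udp
"""

# Resolvers the sandbox VM is configured with (assumption for this example).
SANDBOX_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str

def parse_rows(text: str) -> list:
    """Parse report rows; the Domain column is absent on the broadcast row."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:                  # Country Destination Proto
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows

def classify(flow: Flow) -> str:
    """Bucket one flow the way an analyst reading the table would."""
    if ip_address(flow.ip).is_private:
        return "local"                       # sandbox LAN / broadcast chatter
    if flow.domain.endswith(".in-addr.arpa"):
        return "reverse-lookup-noise"        # PTR queries, sandbox enrichment
    if flow.port == 53 and flow.ip in SANDBOX_RESOLVERS:
        return "resolver-query"              # ordinary lookup of the C2 name
    if flow.port == 53 and flow.proto == "udp":
        return "unexpected-dns-destination"  # DNS sent straight to a C2 host
    return "c2-candidate"                    # here: TCP/443 to the same host

def extract_iocs(text: str) -> dict:
    """Reduce the table to the fields a blocklist or a hunt would use."""
    labelled = [(classify(f), f) for f in parse_rows(text)]
    return {
        "buckets": dict(Counter(label for label, _ in labelled)),
        "unexpected_dns": dict(Counter(f.ip for label, f in labelled
                                       if label == "unexpected-dns-destination")),
        "c2_endpoints": sorted({(f.ip, f.port, f.proto) for label, f in labelled
                                if label == "c2-candidate"}),
        "domains": sorted({f.domain for _, f in labelled
                           if f.domain and not f.domain.endswith(".in-addr.arpa")}),
    }
```

Over the thirty behavioral2 rows this leaves one domain (localhost.11i.me), one TCP endpoint (103.56.18.101:443) and five DNS packets sent to hosts that are not the configured resolvers, four to 103.56.18.101 and one to 123.111.231.1, which is exactly the set of rows the "Unexpected DNS network traffic destination" signature lists. The fifteen in-addr.arpa rows include PTR lookups for 103.56.18.101 and 123.111.231.1 themselves (101.18.56.103.in-addr.arpa, 1.231.111.123.in-addr.arpa); those are most likely the sandbox enriching the IPs it saw, not sample behaviour, and are dropped rather than listed as indicators.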

Files

memory/4800-0-0x00007FFE047B0000-0x00007FFE047B1000-memory.dmp

memory/4800-1-0x000002835C510000-0x000002835C610000-memory.dmp

memory/4800-2-0x000002835C390000-0x000002835C3CC000-memory.dmp

memory/4800-3-0x000002835C390000-0x000002835C3CC000-memory.dmp

C:\ProgramData\Bitdefender\update\USOPrivate.exe

MD5 10866465a9b0c56af2cd093b80cdbc9f
SHA1 fc77be3e68a79b597ffed1b307d1b447787e7995
SHA256 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

C:\ProgramData\Bitdefender\update\log.dll

MD5 2a747a6201189e133c18ae24e44476f3
SHA1 002be31d69cf30bc8a8e2ed51c038a5bdfd88141
SHA256 0cc36dd25e099cc6f1798dabe1d6a3e2d8c3883aa0e0d7296e94d035cdb74f3c
SHA512 36080f7595b6a1c05ecce348a75adbac4cdf8ccc441a724e3aa50130c62cd74d3948dabf8343b95cd90043f569b7f301f94102626942e9c0080133c486a830b3

C:\ProgramData\Bitdefender\update\USOPrivate.dat

MD5 1eb44d7ec4d7d2a13a81d7542ef6bc2b
SHA1 f35d30962790b99cc29d38ccf6e9e66c82e5aa80
SHA256 bdba1d2043bd89693895c079d57d2494a02d435eae2981bc20bd3b92e9c8dece
SHA512 9a570ced024157613d01ed30293b21b81155401790a160dd42446ad15119c6b2da4362435f39ffba404b266a7831bfb955edbf42412987769c2405655471e97c

memory/3092-20-0x00007FFE047B0000-0x00007FFE047B1000-memory.dmp

memory/3092-22-0x0000024E4F730000-0x0000024E4F76C000-memory.dmp

memory/3092-23-0x0000024E4F730000-0x0000024E4F76C000-memory.dmp

memory/4288-27-0x000002A9E75D0000-0x000002A9E760C000-memory.dmp

memory/4288-28-0x000002A9E75D0000-0x000002A9E760C000-memory.dmp

memory/3468-29-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-30-0x0000015042480000-0x0000015042481000-memory.dmp

memory/3468-31-0x0000015042840000-0x000001504287C000-memory.dmp

memory/4800-33-0x000002835C390000-0x000002835C3CC000-memory.dmp

memory/4288-35-0x000002A9E75D0000-0x000002A9E760C000-memory.dmp

memory/3468-32-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-45-0x0000015042480000-0x0000015042481000-memory.dmp

memory/3468-46-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-47-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-48-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-49-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-50-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-51-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3468-54-0x0000015042840000-0x000001504287C000-memory.dmp

memory/3092-55-0x0000024E4F730000-0x0000024E4F76C000-memory.dmp

memory/1092-56-0x0000020ADA680000-0x0000020ADA681000-memory.dmp

memory/1092-57-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp

memory/1092-61-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp

memory/1092-60-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp

memory/1092-59-0x0000020ADA9A0000-0x0000020ADA9A1000-memory.dmp

memory/1092-62-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp

memory/1092-63-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp

memory/3468-64-0x0000015042840000-0x000001504287C000-memory.dmp

memory/1092-65-0x0000020ADAA10000-0x0000020ADAA4C000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-10 12:01

Reported

2024-04-10 12:04

Platform

win7-20240221-en

Max time kernel

120s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\update\log.dll,#1

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\update\log.dll,#1

Network

N/A

Files

memory/2296-0-0x0000000077320000-0x0000000077321000-memory.dmp