Analysis
max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
submitted: 10-04-2024 12:08
Static task: static1
Behavioral task: behavioral1
Sample: 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
Resource: win7-20240215-en
General
Target: 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
Size: 554KB
MD5: 9310477537d5d7c92bc711547a4c9621
SHA1: 5b90d064de8955cf26ac9c1e59a60c106871aa79
SHA256: 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f
SHA512: 31b3367c2736e4549bfe7a7511c76ced47f14faf2200439e973f1b7c96dacb90412bad4bf3467e9d8e2b3b38367a674075360940d5749a5e697bb92e4ecd5707
SSDEEP: 12288:YUomEFRu3xEPE6HuRurMRFs7hm7p0fdINC//TZSIy:YmOMSPE6ORIMPT0fdIkHTZSR
Malware Config
Signatures
Detects PlugX payload 22 IoCs
Executes dropped EXE 3 IoCs
pid   Process
2976  SoftManager.exe
2648  SoftManager.exe
2372  SoftManager.exe
Loads dropped DLL 13 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 2 IoCs
description       ioc                                                                                                        Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003700310033003200330030003300330039003000440046003000310033000000  svchost.exe
Key created       \REGISTRY\MACHINE\Software\CLASSES\FAST                                                                    svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid   Process
2848  svchost.exe
1616  msiexec.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
Token             pid   Process
SeDebugPrivilege  2976  SoftManager.exe
SeTcbPrivilege    2976  SoftManager.exe
SeDebugPrivilege  2648  SoftManager.exe
SeTcbPrivilege    2648  SoftManager.exe
SeDebugPrivilege  2372  SoftManager.exe
SeTcbPrivilege    2372  SoftManager.exe
SeDebugPrivilege  2848  svchost.exe
SeTcbPrivilege    2848  svchost.exe
SeDebugPrivilege  1616  msiexec.exe
SeTcbPrivilege    1616  msiexec.exe
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2016

    C:\Users\Admin\AppData\Local\Temp\SoftManager.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      PID: 2976

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe (level 1)
  Command line: "C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 100 2976
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2648

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe (level 1)
  Command line: "C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 200 0
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2372

    C:\Windows\SysWOW64\svchost.exe (level 2)
      Command line: C:\Windows\system32\svchost.exe 201 0
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2848

        C:\Windows\SysWOW64\msiexec.exe (level 3)
          Command line: C:\Windows\system32\msiexec.exe 209 2848
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          PID: 1616
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 148KB
MD5: e46f18ec2a13ef883c1b6a50ec157971
SHA1: 816e48a51827797bf3ab2204b962ab1edcb018d6
SHA256: 31ba90be019b15895da9b3a0943e88115fc08769d7857fc2fedc6eb7b13fd9c9
SHA512: 6c9da9296390c050af8255f1dead0bc18835bc5dbe2fd0e2baa6d00ed5c58b5109f06b4edd76e826b1976ce513cb0c097243ce5812f17b6be518469b10e35b0d

Filesize: 33KB
MD5: ce07ef4ef68a65715bb2c2beabdd289e
SHA1: bc9565fc5b790cb6e6c7097248a3f4063db33ce6
SHA256: ddd19d60f37f04e33fb74f6ef2e45f24be1bab8423aba608987804eed9316567
SHA512: d24023ac21524e5e9d7d885c65038533ef055a9ada45a0a6f5b8218a88328dec27ea83fbff0423daf331b038da4fae2df3b450e3bfe41882b29e57fbea689227

Filesize: 337KB
MD5: cffab901ec1573799473a7b4d110cf08
SHA1: 4dae9fc43de6bb4b3b47fcac5348a104c4792988
SHA256: 5ea1bb2021e94cd70d21bc51d586a1edc0cc1e584986cfc4460a2a98a828db97
SHA512: 8ab0334dbad12047e743c51cd44aec3287e4c938b904b01b9586e73c10d3aa1f36347f00045c89a2ca2399d140b804be789c502251b9d5b9dc7610ab9dc9cd60