Analysis
-
max time kernel
159s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-04-2024 12:08
Static task
static1
Behavioral task
behavioral1
Sample
7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
Resource
win7-20240215-en
General
-
Target
7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe
-
Size
554KB
-
MD5
9310477537d5d7c92bc711547a4c9621
-
SHA1
5b90d064de8955cf26ac9c1e59a60c106871aa79
-
SHA256
7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f
-
SHA512
31b3367c2736e4549bfe7a7511c76ced47f14faf2200439e973f1b7c96dacb90412bad4bf3467e9d8e2b3b38367a674075360940d5749a5e697bb92e4ecd5707
-
SSDEEP
12288:YUomEFRu3xEPE6HuRurMRFs7hm7p0fdINC//TZSIy:YmOMSPE6ORIMPT0fdIkHTZSR
Malware Config
Signatures
-
Detects PlugX payload 27 IoCs
resource yara_rule behavioral2/memory/4488-22-0x0000000002C10000-0x0000000002C45000-memory.dmp family_plugx behavioral2/memory/4488-23-0x0000000002C10000-0x0000000002C45000-memory.dmp family_plugx behavioral2/memory/4512-46-0x00000000010E0000-0x0000000001110000-memory.dmp family_plugx behavioral2/memory/4512-45-0x0000000001110000-0x0000000001145000-memory.dmp family_plugx behavioral2/memory/1044-52-0x0000000000F60000-0x0000000000F95000-memory.dmp family_plugx behavioral2/memory/1044-53-0x0000000000F60000-0x0000000000F95000-memory.dmp family_plugx behavioral2/memory/2312-55-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/1044-56-0x0000000000F60000-0x0000000000F95000-memory.dmp family_plugx behavioral2/memory/2312-57-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/2312-59-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/2312-70-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/2312-71-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/2312-72-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/2312-74-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/4488-75-0x0000000002C10000-0x0000000002C45000-memory.dmp family_plugx behavioral2/memory/2312-76-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/4512-78-0x0000000001110000-0x0000000001145000-memory.dmp family_plugx behavioral2/memory/2312-80-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/2312-81-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/2312-83-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/4572-84-0x0000000002A40000-0x0000000002A75000-memory.dmp family_plugx behavioral2/memory/4572-88-0x0000000002A40000-0x0000000002A75000-memory.dmp family_plugx behavioral2/memory/4572-89-0x0000000002A40000-0x0000000002A75000-memory.dmp family_plugx behavioral2/memory/4572-87-0x0000000002A40000-0x0000000002A75000-memory.dmp family_plugx behavioral2/memory/4572-90-0x0000000002A40000-0x0000000002A75000-memory.dmp family_plugx behavioral2/memory/2312-92-0x00000000018F0000-0x0000000001925000-memory.dmp family_plugx behavioral2/memory/4572-93-0x0000000002A40000-0x0000000002A75000-memory.dmp family_plugx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe -
Executes dropped EXE 3 IoCs
pid Process 4488 SoftManager.exe 4512 SoftManager.exe 1044 SoftManager.exe -
Loads dropped DLL 9 IoCs
pid Process 4488 SoftManager.exe 4488 SoftManager.exe 4488 SoftManager.exe 4512 SoftManager.exe 4512 SoftManager.exe 4512 SoftManager.exe 1044 SoftManager.exe 1044 SoftManager.exe 1044 SoftManager.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42004400460031003200390043003700310034004400300041003000330041000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2312 svchost.exe 2312 svchost.exe 2312 svchost.exe 2312 svchost.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 2312 svchost.exe 2312 svchost.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 2312 svchost.exe 2312 svchost.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 2312 svchost.exe 2312 svchost.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 2312 svchost.exe 2312 svchost.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 4572 msiexec.exe 2312 svchost.exe 2312 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 2312 svchost.exe 4572 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 4488 SoftManager.exe Token: SeTcbPrivilege 4488 SoftManager.exe Token: SeDebugPrivilege 4512 SoftManager.exe Token: SeTcbPrivilege 4512 SoftManager.exe Token: SeDebugPrivilege 1044 SoftManager.exe Token: SeTcbPrivilege 1044 SoftManager.exe Token: SeDebugPrivilege 2312 svchost.exe Token: SeTcbPrivilege 2312 svchost.exe Token: SeDebugPrivilege 4572 msiexec.exe Token: SeTcbPrivilege 4572 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2060 wrote to memory of 4488 2060 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe 95 PID 2060 wrote to memory of 4488 2060 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe 95 PID 2060 wrote to memory of 4488 2060 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe 95 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 1044 wrote to memory of 2312 1044 SoftManager.exe 101 PID 2312 wrote to memory of 4572 2312 svchost.exe 103 PID 2312 wrote to memory of 4572 2312 svchost.exe 103 PID 2312 wrote to memory of 4572 2312 svchost.exe 103 PID 2312 wrote to memory of 4572 2312 svchost.exe 103 PID 2312 wrote to memory of 4572 2312 svchost.exe 103 PID 2312 wrote to memory of 4572 2312 svchost.exe 103 PID 2312 wrote to memory of 4572 2312 svchost.exe 103 PID 2312 wrote to memory of 4572 2312 svchost.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
C:\ProgramData\360SoftManager\softmgr\SoftManager.exe"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 100 44881⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
C:\ProgramData\360SoftManager\softmgr\SoftManager.exe"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 23123⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4572
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵PID:5000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148KB
MD5e46f18ec2a13ef883c1b6a50ec157971
SHA1816e48a51827797bf3ab2204b962ab1edcb018d6
SHA25631ba90be019b15895da9b3a0943e88115fc08769d7857fc2fedc6eb7b13fd9c9
SHA5126c9da9296390c050af8255f1dead0bc18835bc5dbe2fd0e2baa6d00ed5c58b5109f06b4edd76e826b1976ce513cb0c097243ce5812f17b6be518469b10e35b0d
-
Filesize
337KB
MD5cffab901ec1573799473a7b4d110cf08
SHA14dae9fc43de6bb4b3b47fcac5348a104c4792988
SHA2565ea1bb2021e94cd70d21bc51d586a1edc0cc1e584986cfc4460a2a98a828db97
SHA5128ab0334dbad12047e743c51cd44aec3287e4c938b904b01b9586e73c10d3aa1f36347f00045c89a2ca2399d140b804be789c502251b9d5b9dc7610ab9dc9cd60
-
Filesize
33KB
MD5ce07ef4ef68a65715bb2c2beabdd289e
SHA1bc9565fc5b790cb6e6c7097248a3f4063db33ce6
SHA256ddd19d60f37f04e33fb74f6ef2e45f24be1bab8423aba608987804eed9316567
SHA512d24023ac21524e5e9d7d885c65038533ef055a9ada45a0a6f5b8218a88328dec27ea83fbff0423daf331b038da4fae2df3b450e3bfe41882b29e57fbea689227