Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-04-2024 12:15
Static task
static1
Behavioral task
behavioral1
Sample
81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
Resource
win7-20240221-en
General
-
Target
81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe
-
Size
430KB
-
MD5
aeb38328ffe5bd3bf5766a8fad075d08
-
SHA1
cf96c505059f6c384833250bf813f23d8fc6458f
-
SHA256
81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9
-
SHA512
87f3b91a974af59179a483eddc519388aa02634ec586028850cdea4dad749b93ba072208cb94fed81ccd704cec55b309725e91ff96302957c939a5571777a582
-
SSDEEP
6144:hsxanyfX5k7JlJDlABKUtfU/WQcb5KRsHWFveHKJaR28qlnGekSFKv5mmW4M3Fn:y0nyfXuIBDtfuM2iSG6KYmkB
Malware Config
Signatures
-
Detects PlugX payload 23 IoCs
resource yara_rule behavioral2/memory/4468-20-0x0000000000FC0000-0x0000000000FF5000-memory.dmp family_plugx behavioral2/memory/4468-21-0x0000000000FC0000-0x0000000000FF5000-memory.dmp family_plugx behavioral2/memory/2960-41-0x0000000000B50000-0x0000000000B85000-memory.dmp family_plugx behavioral2/memory/4472-46-0x0000000000E90000-0x0000000000EC5000-memory.dmp family_plugx behavioral2/memory/4656-48-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4472-49-0x0000000000E90000-0x0000000000EC5000-memory.dmp family_plugx behavioral2/memory/4656-50-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-62-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-63-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-64-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-65-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-66-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-67-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-68-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-69-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/4656-71-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/2960-72-0x0000000000B50000-0x0000000000B85000-memory.dmp family_plugx behavioral2/memory/1436-74-0x00000000013B0000-0x00000000013E5000-memory.dmp family_plugx behavioral2/memory/1436-76-0x00000000013B0000-0x00000000013E5000-memory.dmp family_plugx behavioral2/memory/1436-77-0x00000000013B0000-0x00000000013E5000-memory.dmp family_plugx behavioral2/memory/1436-78-0x00000000013B0000-0x00000000013E5000-memory.dmp family_plugx behavioral2/memory/4656-80-0x0000000000AC0000-0x0000000000AF5000-memory.dmp family_plugx behavioral2/memory/1436-81-0x00000000013B0000-0x00000000013E5000-memory.dmp family_plugx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation 81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe -
Executes dropped EXE 3 IoCs
pid Process 4468 wsc_proxy.exe 2960 wsc_proxy.exe 4472 wsc_proxy.exe -
Loads dropped DLL 3 IoCs
pid Process 4468 wsc_proxy.exe 2960 wsc_proxy.exe 4472 wsc_proxy.exe -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 103.43.18.220 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ svchost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 34003600370037004400310045004300390044003800370041003000460034000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4656 svchost.exe 4656 svchost.exe 4656 svchost.exe 4656 svchost.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 4656 svchost.exe 4656 svchost.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 4656 svchost.exe 4656 svchost.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 4656 svchost.exe 4656 svchost.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 4656 svchost.exe 4656 svchost.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 1436 msiexec.exe 4656 svchost.exe 4656 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4656 svchost.exe 1436 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 4468 wsc_proxy.exe Token: SeTcbPrivilege 4468 wsc_proxy.exe Token: SeDebugPrivilege 2960 wsc_proxy.exe Token: SeTcbPrivilege 2960 wsc_proxy.exe Token: SeDebugPrivilege 4472 wsc_proxy.exe Token: SeTcbPrivilege 4472 wsc_proxy.exe Token: SeDebugPrivilege 4656 svchost.exe Token: SeTcbPrivilege 4656 svchost.exe Token: SeDebugPrivilege 1436 msiexec.exe Token: SeTcbPrivilege 1436 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4808 wrote to memory of 4468 4808 81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe 88 PID 4808 wrote to memory of 4468 4808 81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe 88 PID 4808 wrote to memory of 4468 4808 81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe 88 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4472 wrote to memory of 4656 4472 wsc_proxy.exe 93 PID 4656 wrote to memory of 1436 4656 svchost.exe 97 PID 4656 wrote to memory of 1436 4656 svchost.exe 97 PID 4656 wrote to memory of 1436 4656 svchost.exe 97 PID 4656 wrote to memory of 1436 4656 svchost.exe 97 PID 4656 wrote to memory of 1436 4656 svchost.exe 97 PID 4656 wrote to memory of 1436 4656 svchost.exe 97 PID 4656 wrote to memory of 1436 4656 svchost.exe 97 PID 4656 wrote to memory of 1436 4656 svchost.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe"C:\Users\Admin\AppData\Local\Temp\81d2be1565c05f77e829e1296d17d9456ae672459e4283315cdd0dfae01626a9.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\wsc_proxy.exe"C:\wsc_proxy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4468
-
-
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 100 44681⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
C:\ProgramData\Avast Software\Avast\wsc_proxy.exe"C:\ProgramData\Avast Software\Avast\wsc_proxy.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 46563⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1436
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
33KB
MD5a3be5ee9a505a2fc1260521d150cbb19
SHA1710617c387500735b8aa44ba7ff001fa43a2a16f
SHA256c664a816771b8d058796bdddbc0554510c430cc7fc98bae5153a21b1797bf39c
SHA512ea0cda4e543a4838cd9ac258a91b471c6e5ee266b5ef1cca3bb341ab4a8131dcb632ca570c449e6b0aa5cd7e5d59d229e5078965c5f4f7cee1a79cc003f3da0c
-
Filesize
148KB
MD507a9a4b7068d7a4406a00656a762ca55
SHA1981ef9b7f98b949d16a3b4e6eefe2575dcf784e1
SHA256e48af8d3a597b947d145e8a2e8e94eff003a5eb8544918955f65ac5af37cd331
SHA512ae8c7f5a5c7354a1800c47ca7c124982a354fbe2b2a520f6f8a1968d924ff66dd45e5dbe6f2e4048ee53cc21a25b83ff4639b5d4d35918bd48dd4dc140fd7b4e
-
Filesize
56KB
MD5c2902be3472adb3014c2bd07f4d4d034
SHA1bfc6c0eda00da8537fa94b8dead9fd7b2b2436b7
SHA2561948bb0df11f768d6dd30ae7ecec5550db7c817d09cb31b5e2cee9b86a4047da
SHA5122ac83a1dd89c6028eab125ca98d078c4df18291eec4054211297a6b6968470c5066fca8469e489ac8295f63298cbe40d30f369300b004c69e0c7e62f3b693b54