Malware Analysis Report

2024-07-11 07:34

Sample ID 240410-sgpmnafd5v
Target fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f
SHA256 fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f
Tags: plugx trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f

Threat Level: Known bad

The file fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f was found to be: Known bad.

Malicious Activity Summary

plugx trojan

Detects PlugX payload

PlugX

Loads dropped DLL

Unexpected DNS network traffic destination

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-04-10 15:06

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-10 15:06
Reported: 2024-04-10 15:08
Platform: win7-20231129-en
Max time kernel: 150s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe"

Signatures

Detects PlugX payload


PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 8.217.48.154 N/A N/A
Destination IP 8.217.48.154 N/A N/A
Destination IP 8.217.48.154 N/A N/A
Destination IP 8.217.48.154 N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44004600390034004300390043004200370034004200340042003900380045000000 C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
PID 2180 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
PID 2180 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
PID 2180 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
PID 2788 wrote to memory of 2496 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2496 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2496 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2496 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2496 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2496 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 2496 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 2496 wrote to memory of 816 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe

"C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe"

C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe

"C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe"

C:\ProgramData\Bitdefender\USOPrivate.exe

"C:\ProgramData\Bitdefender\USOPrivate.exe" 100 2868

C:\ProgramData\Bitdefender\USOPrivate.exe

"C:\ProgramData\Bitdefender\USOPrivate.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2496

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:443 fuckeryoumm.nmb.bet tcp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:443 fuckeryoumm.nmb.bet tcp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:443 fuckeryoumm.nmb.bet tcp

Files

\Users\Admin\AppData\Local\Temp\USOPrivate.exe

MD5 10866465a9b0c56af2cd093b80cdbc9f
SHA1 fc77be3e68a79b597ffed1b307d1b447787e7995
SHA256 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

\Users\Admin\AppData\Local\Temp\log.dll

MD5 1cf26c4edf92541cee6dcb327a15ab97
SHA1 1838eb4a59e618e298a188347e37f76845c80cad
SHA256 be213cfb0795e8a645d50eec7e55520e952279963dcef4e11b49c022ec283129
SHA512 3bf8367435d51e0f8986bcfcabaf48780936f2baacaaa269496d77800364304d3bcf0edb9bcdb64ffe0130996f282b5ba40a232a15b799b01dda25f8a9504676

C:\Users\Admin\AppData\Local\Temp\USOPrivate.dat

MD5 1a62834b9f2423effb90e133141b1f05
SHA1 fec09cab25b88e1566f0f766db29c6204acf63fc
SHA256 a897a20a35e9c449a45932a75b626de649605e132ff49c0dbc745930fc0bbb89
SHA512 4f674ae447a9c6dcced488fc3bf408a9173602b75c1bac492a60805ca536351052619393d9a72f7cfd958d9f5b1df8eb4085a0267f9cdd293a7c3b4486d25267


Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-10 15:06
Reported: 2024-04-10 15:08
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe"

Signatures

Detects PlugX payload


PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 8.217.48.154 N/A N/A
Destination IP 8.217.48.154 N/A N/A
Destination IP 8.217.48.154 N/A N/A
Destination IP 8.217.48.154 N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\system32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004400370041003000450035003100340032004500420032003500330032000000 C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Bitdefender\USOPrivate.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
PID 1748 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe
PID 4092 wrote to memory of 4856 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4092 wrote to memory of 4856 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4092 wrote to memory of 4856 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4092 wrote to memory of 4856 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4092 wrote to memory of 4856 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4092 wrote to memory of 4856 N/A C:\ProgramData\Bitdefender\USOPrivate.exe C:\Windows\system32\svchost.exe
PID 4856 wrote to memory of 3868 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 4856 wrote to memory of 3868 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 4856 wrote to memory of 3868 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 4856 wrote to memory of 3868 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 4856 wrote to memory of 3868 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe
PID 4856 wrote to memory of 3868 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe

"C:\Users\Admin\AppData\Local\Temp\fc1e2a0ed20ef3cb8a543b65cc0db5d05f5e107a6c43bf6f1c0b581e6167a59f.exe"

C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe

"C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe"

C:\ProgramData\Bitdefender\USOPrivate.exe

"C:\ProgramData\Bitdefender\USOPrivate.exe" 100 2124

C:\ProgramData\Bitdefender\USOPrivate.exe

"C:\ProgramData\Bitdefender\USOPrivate.exe" 200 0

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe 209 4856

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 202.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
N/A 10.127.255.255:53 udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 154.48.217.8.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:443 fuckeryoumm.nmb.bet tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:443 fuckeryoumm.nmb.bet tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:53 fuckeryoumm.nmb.bet udp
US 8.8.8.8:53 fuckeryoumm.nmb.bet udp
HK 8.217.48.154:443 fuckeryoumm.nmb.bet tcp

Files

C:\Users\Admin\AppData\Local\Temp\USOPrivate.exe

MD5 10866465a9b0c56af2cd093b80cdbc9f
SHA1 fc77be3e68a79b597ffed1b307d1b447787e7995
SHA256 9831526e475a4ed0d149bec15f69193a48249c3cda1ddb2f2140292afd862cfa
SHA512 975c0c3abe71d29a1391bc9a258df9560466f40764ff6dd8b06db5234d45a6c12f27c77bd26409fda051de598cdc0087afd847e46818553c5ed3eff53cfe2091

C:\Users\Admin\AppData\Local\Temp\log.dll

MD5 1cf26c4edf92541cee6dcb327a15ab97
SHA1 1838eb4a59e618e298a188347e37f76845c80cad
SHA256 be213cfb0795e8a645d50eec7e55520e952279963dcef4e11b49c022ec283129
SHA512 3bf8367435d51e0f8986bcfcabaf48780936f2baacaaa269496d77800364304d3bcf0edb9bcdb64ffe0130996f282b5ba40a232a15b799b01dda25f8a9504676

C:\Users\Admin\AppData\Local\Temp\USOPrivate.dat

MD5 1a62834b9f2423effb90e133141b1f05
SHA1 fec09cab25b88e1566f0f766db29c6204acf63fc
SHA256 a897a20a35e9c449a45932a75b626de649605e132ff49c0dbc745930fc0bbb89
SHA512 4f674ae447a9c6dcced488fc3bf408a9173602b75c1bac492a60805ca536351052619393d9a72f7cfd958d9f5b1df8eb4085a0267f9cdd293a7c3b4486d25267
