Overview

Score | Task | Platform
6 | Static | static
3 | pingplotte...ll.exe | windows7-x64
6 | pingplotte...ll.exe | windows10-2004-x64
6 | $PLUGINSDI...er.dll | windows7-x64
3 | $PLUGINSDI...er.dll | windows10-2004-x64
3 | $PLUGINSDI...ls.dll | windows7-x64
3 | $PLUGINSDI...ls.dll | windows10-2004-x64
3 | $PLUGINSDI...em.dll | windows7-x64
3 | $PLUGINSDI...em.dll | windows10-2004-x64
3 | $PLUGINSDI...dl.dll | windows7-x64
3 | $PLUGINSDI...dl.dll | windows10-2004-x64
3 | $_4_.msi | windows7-x64
6 | $_4_.msi | windows10-2004-x64
Analysis (score 6)

max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 05:07
Static task: static1

Behavioral tasks:

Task | Sample | Resource
behavioral1 | pingplotter_install.exe | win7-20240220-en
behavioral2 | pingplotter_install.exe | win10v2004-20240226-en
behavioral3 | $PLUGINSDIR/DotNetChecker.dll | win7-20240611-en
behavioral4 | $PLUGINSDIR/DotNetChecker.dll | win10v2004-20240508-en
behavioral5 | $PLUGINSDIR/StdUtils.dll | win7-20240611-en
behavioral6 | $PLUGINSDIR/StdUtils.dll | win10v2004-20240611-en
behavioral7 | $PLUGINSDIR/System.dll | win7-20240221-en
behavioral8 | $PLUGINSDIR/System.dll | win10v2004-20240508-en
behavioral9 | $PLUGINSDIR/nsisdl.dll | win7-20240508-en
behavioral10 | $PLUGINSDIR/nsisdl.dll | win10v2004-20240611-en
behavioral11 | $_4_.msi | win7-20231129-en
behavioral12 | $_4_.msi | win10v2004-20240508-en
General

Target: pingplotter_install.exe
Size: 21.4MB
MD5: ae2015bc36bb8a0b872d049430c622c2
SHA1: c11db0f26d3554dea55b601eecdc50f90eae785d
SHA256: 3586e0620442b8dfe2ae80f14dd389c224a7b9db7e6b9b29779a5b3d28e4a47f
SHA512: 85c3b9380c2a803bb2f3f64a667bc062f0ee786f9bc5d50f6ce5157055eae20c76f6c6ae3d0ead0a89f011925dd7bb8097d5c6014c2fb5b077cf5ff734cceaf0
SSDEEP: 393216:SeHSB8FeRF1NDgVEoZM9m5boLMMzgO+8+X7gj/pIBibcqBKOCCtbP:YzXay9UoL5+RgjLRgEP
Malware Config

Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\O: | pingplotter_install.exe
File opened (read-only) | \??\Z: | pingplotter_install.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\K: | pingplotter_install.exe
File opened (read-only) | \??\M: | pingplotter_install.exe
File opened (read-only) | \??\R: | pingplotter_install.exe
File opened (read-only) | \??\T: | pingplotter_install.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | pingplotter_install.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\N: | pingplotter_install.exe
File opened (read-only) | \??\Q: | pingplotter_install.exe
File opened (read-only) | \??\U: | pingplotter_install.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | pingplotter_install.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\X: | pingplotter_install.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | pingplotter_install.exe
File opened (read-only) | \??\H: | pingplotter_install.exe
File opened (read-only) | \??\J: | pingplotter_install.exe
File opened (read-only) | \??\S: | pingplotter_install.exe
File opened (read-only) | \??\W: | pingplotter_install.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | pingplotter_install.exe
File opened (read-only) | \??\V: | pingplotter_install.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | pingplotter_install.exe
File opened (read-only) | \??\L: | pingplotter_install.exe
File opened (read-only) | \??\P: | pingplotter_install.exe
File opened (read-only) | \??\Y: | pingplotter_install.exe
File opened (read-only) | \??\H: | msiexec.exe
Loads dropped DLL (9 IoCs)

pid | Process
3868 | pingplotter_install.exe
3868 | pingplotter_install.exe
2356 | MsiExec.exe
2356 | MsiExec.exe
2356 | MsiExec.exe
2356 | MsiExec.exe
2356 | MsiExec.exe
2356 | MsiExec.exe
2356 | MsiExec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: SeShutdownPrivilege | 3868 | pingplotter_install.exe
Token: SeIncreaseQuotaPrivilege | 3868 | pingplotter_install.exe
Token: SeSecurityPrivilege | 2424 | msiexec.exe
Token: SeCreateTokenPrivilege | 3868 | pingplotter_install.exe
Token: SeAssignPrimaryTokenPrivilege | 3868 | pingplotter_install.exe
Token: SeLockMemoryPrivilege | 3868 | pingplotter_install.exe
Token: SeIncreaseQuotaPrivilege | 3868 | pingplotter_install.exe
Token: SeMachineAccountPrivilege | 3868 | pingplotter_install.exe
Token: SeTcbPrivilege | 3868 | pingplotter_install.exe
Token: SeSecurityPrivilege | 3868 | pingplotter_install.exe
Token: SeTakeOwnershipPrivilege | 3868 | pingplotter_install.exe
Token: SeLoadDriverPrivilege | 3868 | pingplotter_install.exe
Token: SeSystemProfilePrivilege | 3868 | pingplotter_install.exe
Token: SeSystemtimePrivilege | 3868 | pingplotter_install.exe
Token: SeProfSingleProcessPrivilege | 3868 | pingplotter_install.exe
Token: SeIncBasePriorityPrivilege | 3868 | pingplotter_install.exe
Token: SeCreatePagefilePrivilege | 3868 | pingplotter_install.exe
Token: SeCreatePermanentPrivilege | 3868 | pingplotter_install.exe
Token: SeBackupPrivilege | 3868 | pingplotter_install.exe
Token: SeRestorePrivilege | 3868 | pingplotter_install.exe
Token: SeShutdownPrivilege | 3868 | pingplotter_install.exe
Token: SeDebugPrivilege | 3868 | pingplotter_install.exe
Token: SeAuditPrivilege | 3868 | pingplotter_install.exe
Token: SeSystemEnvironmentPrivilege | 3868 | pingplotter_install.exe
Token: SeChangeNotifyPrivilege | 3868 | pingplotter_install.exe
Token: SeRemoteShutdownPrivilege | 3868 | pingplotter_install.exe
Token: SeUndockPrivilege | 3868 | pingplotter_install.exe
Token: SeSyncAgentPrivilege | 3868 | pingplotter_install.exe
Token: SeEnableDelegationPrivilege | 3868 | pingplotter_install.exe
Token: SeManageVolumePrivilege | 3868 | pingplotter_install.exe
Token: SeImpersonatePrivilege | 3868 | pingplotter_install.exe
Token: SeCreateGlobalPrivilege | 3868 | pingplotter_install.exe
Token: SeCreateTokenPrivilege | 3868 | pingplotter_install.exe
Token: SeAssignPrimaryTokenPrivilege | 3868 | pingplotter_install.exe
Token: SeLockMemoryPrivilege | 3868 | pingplotter_install.exe
Token: SeIncreaseQuotaPrivilege | 3868 | pingplotter_install.exe
Token: SeMachineAccountPrivilege | 3868 | pingplotter_install.exe
Token: SeTcbPrivilege | 3868 | pingplotter_install.exe
Token: SeSecurityPrivilege | 3868 | pingplotter_install.exe
Token: SeTakeOwnershipPrivilege | 3868 | pingplotter_install.exe
Token: SeLoadDriverPrivilege | 3868 | pingplotter_install.exe
Token: SeSystemProfilePrivilege | 3868 | pingplotter_install.exe
Token: SeSystemtimePrivilege | 3868 | pingplotter_install.exe
Token: SeProfSingleProcessPrivilege | 3868 | pingplotter_install.exe
Token: SeIncBasePriorityPrivilege | 3868 | pingplotter_install.exe
Token: SeCreatePagefilePrivilege | 3868 | pingplotter_install.exe
Token: SeCreatePermanentPrivilege | 3868 | pingplotter_install.exe
Token: SeBackupPrivilege | 3868 | pingplotter_install.exe
Token: SeRestorePrivilege | 3868 | pingplotter_install.exe
Token: SeShutdownPrivilege | 3868 | pingplotter_install.exe
Token: SeDebugPrivilege | 3868 | pingplotter_install.exe
Token: SeAuditPrivilege | 3868 | pingplotter_install.exe
Token: SeSystemEnvironmentPrivilege | 3868 | pingplotter_install.exe
Token: SeChangeNotifyPrivilege | 3868 | pingplotter_install.exe
Token: SeRemoteShutdownPrivilege | 3868 | pingplotter_install.exe
Token: SeUndockPrivilege | 3868 | pingplotter_install.exe
Token: SeSyncAgentPrivilege | 3868 | pingplotter_install.exe
Token: SeEnableDelegationPrivilege | 3868 | pingplotter_install.exe
Token: SeManageVolumePrivilege | 3868 | pingplotter_install.exe
Token: SeImpersonatePrivilege | 3868 | pingplotter_install.exe
Token: SeCreateGlobalPrivilege | 3868 | pingplotter_install.exe
Token: SeCreateTokenPrivilege | 3868 | pingplotter_install.exe
Token: SeAssignPrimaryTokenPrivilege | 3868 | pingplotter_install.exe
Token: SeLockMemoryPrivilege | 3868 | pingplotter_install.exe
Suspicious use of FindShellTrayWindow (1 IoCs)

pid | Process
3868 | pingplotter_install.exe
Suspicious use of WriteProcessMemory (3 IoCs)

description | pid | Process | procid_target
PID 2424 wrote to memory of 2356 | 2424 | msiexec.exe | 95
PID 2424 wrote to memory of 2356 | 2424 | msiexec.exe | 95
PID 2424 wrote to memory of 2356 | 2424 | msiexec.exe | 95
Processes

C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pingplotter_install.exe"
  - Enumerates connected drives
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3868

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2424

  Child: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5433BB223DBE34F3BCF9867FA22E4F0B C
    - Loads dropped DLL
    PID: 2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4756 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
  PID: 1468
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 364KB
MD5: ca95f207ec70ba34b46c785f7bcb5570
SHA1: 25c0d45cb9f94892e2877033d06fe8909e5b9972
SHA256: 8ac4b42fb36d10194a14c32f6f499a6ac6acb79adbec858647495ba64f6dd2bb
SHA512: c7003a2159f5adab0a3b4a4f3c0dd494d916062a57e84a23ccc18410fa394438d49208769027c641569b3025616e99ca1730a540846aaf1c5d91338b90008831

Filesize: 561KB
MD5: 5576bf4d22dc695564e49a68cbc98bc2
SHA1: 80e0e045162a65d84939e22a821ecbbbde3f31d6
SHA256: 20f76ffd846155a41633d75cb2e784e54f6ec77ca9ca9d52d9510c3e2e918801
SHA512: 4b952ce6ef08c86d8594fadd1069c3af39c3465314716dc7e7d9937befab8f4db5e4920a901920af4f937e5bb80ca02c33406d54cc766920b8ebba3855500972

Filesize: 84KB
MD5: f18364fa5084add86c6e73e457404f18
SHA1: 6d87c4b9dbf78af88fddf0d4d5febe845c8e4e6a
SHA256: 39c43d67f546fc898f7406d213b73dcb1bc30fc811ddfa3a02b6b50c29d11f91
SHA512: 716892492390fe4314f3289286f733d07b8b84de1f5af0676b26e68c0be01808682d35ad2bb9e9491247b7bb5a0ea297a6850e26de9baf88621c789206107db3

Filesize: 11KB
MD5: ca332bb753b0775d5e806e236ddcec55
SHA1: f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256: df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512: 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00