Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
27-07-2024 04:43
Static task
static1
Behavioral task
behavioral1
Sample
PLogger+V5.0/PLogger P8 gold Edi.6.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
PLogger+V5.0/PLogger P8 gold Edi.6.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
PLogger+V5.0/patch.exe
Resource
win7-20240704-en
General
-
Target
PLogger+V5.0/patch.exe
-
Size
212KB
-
MD5
6c4e602268e4b8bd575b7db917e48831
-
SHA1
870ff297863a9248b5a12339a38328eed6390d13
-
SHA256
26dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740
-
SHA512
b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e
-
SSDEEP
3072:0X3djKBqb240NW1qzmgqojoJlS5OzNSLBS9sqLFm+kVXslJMsgE:0X3IWTqzmgoJlS5Oz4BS9sqLFuV8j
Malware Config
Extracted
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
parsa123456nnn
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops file in Drivers directory 1 IoCs
Processes:
Windows Update.exedescription ioc process File opened for modification C:\Windows\system32\Drivers\etc\hosts Windows Update.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
patch.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation patch.exe -
Deletes itself 1 IoCs
Processes:
Windows Update.exepid process 1052 Windows Update.exe -
Executes dropped EXE 1 IoCs
Processes:
Windows Update.exepid process 1052 Windows Update.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Windows Update.exepid process 1052 Windows Update.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Windows Update.exedescription pid process Token: SeDebugPrivilege 1052 Windows Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Windows Update.exepid process 1052 Windows Update.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
patch.exedescription pid process target process PID 2620 wrote to memory of 1052 2620 patch.exe Windows Update.exe PID 2620 wrote to memory of 1052 2620 patch.exe Windows Update.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"C:\Users\Admin\AppData\Local\Temp\PLogger+V5.0\patch.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Drops file in Drivers directory
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SysInfo.txtFilesize
56B
MD5c356a02c7f1a1918794aef71af9b4b2c
SHA16de454586b976a4adafb43de81fe706b0b93a949
SHA256fae91d54033d51368550f98b10bf7ffc6c54db3a7c2a09c735a3b41f017fd2e7
SHA512a1c388cc46b6a656f8e116d99568c117279dfb96c322ddaafb4a0a4bb5b9dd208e7fb8a9815c85d1aa988702ccfba419fd5d566f1aa500a486a2fe6e25fc1d5f
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
212KB
MD56c4e602268e4b8bd575b7db917e48831
SHA1870ff297863a9248b5a12339a38328eed6390d13
SHA25626dbe46819c4271f45c830b3d214e513f9b27722c337ffd76cb2c3a719794740
SHA512b9a6a9b626b27d5002496fa5ca15307e021e339d18b89dbf2bdf03915a6693feb28100fc7ae8eb946caa7d00057d7a1160a35d26f1ef32515c8b4e0ae12ea71e
-
memory/1052-29-0x000000001FD00000-0x000000002000E000-memory.dmpFilesize
3.1MB
-
memory/1052-34-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-25-0x000000001C710000-0x000000001C738000-memory.dmpFilesize
160KB
-
memory/1052-24-0x000000001CF60000-0x000000001CFFC000-memory.dmpFilesize
624KB
-
memory/1052-35-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-19-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-20-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-30-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-36-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-23-0x000000001C7B0000-0x000000001C812000-memory.dmpFilesize
392KB
-
memory/1052-21-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-28-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/1052-27-0x000000001D4C0000-0x000000001D50C000-memory.dmpFilesize
304KB
-
memory/1052-26-0x000000001C6D0000-0x000000001C6D8000-memory.dmpFilesize
32KB
-
memory/2620-4-0x000000001C7D0000-0x000000001C876000-memory.dmpFilesize
664KB
-
memory/2620-2-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/2620-0-0x00007FFB90155000-0x00007FFB90156000-memory.dmpFilesize
4KB
-
memory/2620-3-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/2620-18-0x00007FFB8FEA0000-0x00007FFB90841000-memory.dmpFilesize
9.6MB
-
memory/2620-1-0x000000001C210000-0x000000001C6DE000-memory.dmpFilesize
4.8MB