Analysis

  • max time kernel
    96s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-08-2024 03:45

General

  • Target

    0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889.exe

  • Size

    199KB

  • MD5

    1876442db107de88ad1dd01cb6c764a3

  • SHA1

    232163c4c6e6455d22c57453166269dbf3140692

  • SHA256

    0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889

  • SHA512

    d8d7e12ffa90bf7b55250a0548bbc0586b132461b1e4b213e3a44cb8942c8f503c165614fc3c6ad7c1955fd216b3bdeede827ec70a98d589f88b7ded53a45432

  • SSDEEP

    3072:zqODUQEEqx+IlkVz1QOFTas5+U1o3I3WAc51zHT29HTBXNUpY4aqf:z5DUQEEqxnEz1lOA+UrcLHTQFXN

Malware Config

Signatures

  • Ploutus

    Ploutus is an ATM malware written in C#.

  • Grants admin privileges 1 TTPs

    Uses net.exe to add an account to the local Administrators group (here: net localgroup administrators ATMMVUser /add).

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempts to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889.exe
    "C:\Users\Admin\AppData\Local\Temp\0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\CMD.exe
      "CMD.exe" /C net localgroup administrators ATMMVUser /add
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\net.exe
        net localgroup administrators ATMMVUser /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators ATMMVUser /add
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2684
    • C:\Windows\SysWOW64\CMD.exe
      "CMD.exe" /C secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /add
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\SysWOW64\SecEdit.exe
        secedit /configure /cfg C:\Windows\repair\secsetup.inf /db secsetup.sdb /verbose /add
        3⤵
        • System Location Discovery: System Language Discovery
        PID:316
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2984
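The two command lines in the process tree above (net.exe adding ATMMVUser to the local Administrators group, and secedit reapplying the setup-default security template, the command Microsoft documents for resetting local security settings to their defaults) are what a detection engineer would key on. The following is an added example, not part of the sandbox report: a small detector run over constructed process-creation events modelled on this tree. The event schema (pid, ppid, image, cmdline), the sample's parent PID and the benign net.exe event (PID 4000) are assumptions. It matches on the command line rather than the image, because cmd.exe, net.exe and net1.exe all carry the same payload string, and then collapses the resulting hits onto the process that launched the chain so one malware process yields one alert instead of five.

```python
# Added example (not part of the sandbox report): detection logic for the two
# LOLBin command lines in the process tree above, run over constructed events.
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889.exe"

# Constructed process-creation events modelled on the report's process tree.
# The schema (pid, ppid, image, cmdline) is an assumption, not a real log format;
# the sample's parent PID (1000) and the benign event (PID 4000) are made up.
EVENTS = [
    {"pid": 288,  "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2852, "ppid": 288,  "image": r"C:\Windows\SysWOW64\CMD.exe",
     "cmdline": r'"CMD.exe" /C net localgroup administrators ATMMVUser /add'},
    {"pid": 2736, "ppid": 2852, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": r"net localgroup administrators ATMMVUser /add"},
    {"pid": 2684, "ppid": 2736, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 localgroup administrators ATMMVUser /add"},
    {"pid": 2724, "ppid": 288,  "image": r"C:\Windows\SysWOW64\CMD.exe",
     "cmdline": r'"CMD.exe" /C secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /add'},
    {"pid": 316,  "ppid": 2724, "image": r"C:\Windows\SysWOW64\SecEdit.exe",
     "cmdline": r"secedit /configure /cfg C:\Windows\repair\secsetup.inf /db secsetup.sdb /verbose /add"},
    # Benign enumeration of the same group without /add: must not fire.
    {"pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net localgroup administrators"},
    {"pid": 2984, "ppid": 1000, "image": r"C:\Windows\system32\taskmgr.exe",
     "cmdline": r'"C:\Windows\system32\taskmgr.exe" /4'},
]

RULES = {
    # net/net1 adding any account to the local Administrators group.
    "net_localgroup_admin_add": re.compile(
        r"\blocalgroup\s+administrators\s+\S+\s+/add\b", re.I),
    # secedit reapplying the setup-default template resets local security policy;
    # /cfg may carry %windir% unexpanded (as typed to cmd) or expanded (as run).
    "secedit_reset_default_policy": re.compile(
        r"\bsecedit\s+/configure\b.*?/cfg\s+\S*repair\\secsetup\.inf\b", re.I),
}

# Interpreters and LOLBins the malware drives; alerts are attributed to whatever launched them.
LOLBINS = {"cmd.exe", "net.exe", "net1.exe", "secedit.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def root_initiator(pid, by_pid):
    """Walk up the parent chain past LOLBin processes to the process that started the chain."""
    ev, seen = by_pid.get(pid), set()
    while ev and basename(ev["image"]) in LOLBINS and ev["ppid"] in by_pid and ev["pid"] not in seen:
        seen.add(ev["pid"])
        ev = by_pid[ev["ppid"]]
    return ev["pid"] if ev else pid

def detect(events):
    """Return one hit per (event, rule) pair whose command line matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    return [
        {"rule": name, "pid": e["pid"], "image": basename(e["image"]),
         "initiator": root_initiator(e["pid"], by_pid)}
        for e in events for name, rx in RULES.items() if rx.search(e["cmdline"])
    ]

def summarize(hits):
    """Collapse hits by initiating process: one alert per initiator, listing the rules it tripped."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["initiator"]].add(h["rule"])
    return {pid: sorted(rules) for pid, rules in grouped.items()}

if __name__ == "__main__":
    for pid, rules in summarize(detect(EVENTS)).items():
        print(f"PID {pid}: {', '.join(rules)}")
```

On the constructed events this produces a single alert attributed to PID 288 carrying both rules; the benign `net localgroup administrators` enumeration does not match because the rule requires `/add`. Two caveats for production use: the group name is locale-dependent (it is not "administrators" on non-English installs, and an attacker can also use a different spelling that net.exe still accepts), so match on the group SID from the resulting account-management event where your telemetry offers it; and the secedit rule fires on the setup-default template path only, which is what makes it high-signal, since legitimate administrators very rarely reset local security policy to defaults on a production host.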

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Account Manipulation, T1098: 1
  • Discovery
    • Permission Groups Discovery, T1069: 1
      • Local Groups, T1069.001: 1
    • System Location Discovery, T1614: 1
      • System Language Discovery, T1614.001: 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Log.txt
    Filesize

    330B

    MD5

    b6574e9fb6ec5916a4057c33743f1538

    SHA1

    5161267ace7c47decbb2188fe0f61be3267d1d60

    SHA256

    82e656ee267d7eb751c959ccb88420ede6dabad24ccaed16c347266a3e2705b9

    SHA512

    5b0c2850f2d10f05adb6be6fcb1ce522f4f3af3cd312de2910e86969c63db4db14d095f1e61ef2a3e30fdf8a593a51374e2ebc917c5dc57d5b0fab9ec3661eaf

  • memory/288-0-0x0000000074851000-0x0000000074852000-memory.dmp
    Filesize

    4KB

  • memory/288-1-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

  • memory/288-2-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

  • memory/288-12-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

  • memory/288-16-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

  • memory/288-17-0x0000000074850000-0x0000000074DFB000-memory.dmp
    Filesize

    5.7MB

  • memory/2984-18-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2984-19-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2984-20-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2984-21-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

  • memory/2984-22-0x0000000000330000-0x0000000000340000-memory.dmp
    Filesize

    64KB