Overview

overview

10

Static

static

10

0e37b8a671...89.exe

windows7-x64

10

0e37b8a671...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-08-2024 03:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889.exe

  • Size

    199KB

  • MD5

    1876442db107de88ad1dd01cb6c764a3

  • SHA1

    232163c4c6e6455d22c57453166269dbf3140692

  • SHA256

    0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889

  • SHA512

    d8d7e12ffa90bf7b55250a0548bbc0586b132461b1e4b213e3a44cb8942c8f503c165614fc3c6ad7c1955fd216b3bdeede827ec70a98d589f88b7ded53a45432

  • SSDEEP

    3072:zqODUQEEqx+IlkVz1QOFTas5+U1o3I3WAc51zHT29HTBXNUpY4aqf:z5DUQEEqxnEz1lOA+UrcLHTQFXN

Score
10/10
ploutusatmbackdoordiscovery

Malware Config

Signatures

  • Ploutus

    Ploutus is an ATM malware written in C#.

    backdooratmploutus
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889.exe
    "C:\Users\Admin\AppData\Local\Temp\0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3492
    • C:\Windows\SysWOW64\CMD.exe
      "CMD.exe" /C net localgroup administrators ATMMVUser /add
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\net.exe
        net localgroup administrators ATMMVUser /add
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4124
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 localgroup administrators ATMMVUser /add
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1592
    • C:\Windows\SysWOW64\CMD.exe
      "CMD.exe" /C secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose /add
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\SysWOW64\SecEdit.exe
        secedit /configure /cfg C:\Windows\repair\secsetup.inf /db secsetup.sdb /verbose /add
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

1
T1098

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Log.txt
    Filesize

    298B

    MD5

    5875b0473446166c63454dead1f7fc7a

    SHA1

    64b8911daafd4faa3247f73684c2a94ea721c334

    SHA256

    ede144880346bcdc8e852652114bc46323d9e6318505466c2e79ead6b091ba97

    SHA512

    722eef817e840b31b8dd91be8f27ece80d809098ccc83296d04f2bc15e98a0a4213a3331150a356445636c5db7afcda38d0a5b4c250363e4d78c9d7c714e3fe2

    Download Submit
  • memory/3492-0-0x00000000745C2000-0x00000000745C3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3492-1-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3492-2-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3492-11-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3492-14-0x00000000745C2000-0x00000000745C3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3492-15-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3492-16-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3492-18-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3492-19-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3492-21-0x00000000745C0000-0x0000000074B71000-memory.dmp
    Filesize

    5.7MB

    Download