Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ToDeSK_X64....7.exe

windows7-x64

10

ToDeSK_X64....7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15/09/2024, 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ToDeSK_X64_4.7.4.7.exe

  • Size

    56.3MB

  • MD5

    9909bb084a348057725ad3e8ddb0a0e5

  • SHA1

    ccb9413442b58b3d34ac9299a82cd721c1acea29

  • SHA256

    0e494e451e402ab67b754b81a933600fe49c71a780c9aebb85153708938ba3b2

  • SHA512

    a7fc3a92a65f3b4f2d86138960ccaef2b9d1d44a02e0bf18a1d07f9687e15bcf390e3eb966fcfcbe7b940d60e455488f3e01d344fd7f3672d258e45db12ec404

  • SSDEEP

    786432:MF0RxYqkGWDfPUzHixmoxlKG/zUmKGCM5jz44CrM9qAG9uE0wj0YM2xmoxsfrXC2:A6kGMsH8m+ZKHMdC4989OwjEznjXDn

Score
10/10
plugxdiscoverytrojan

Malware Config

Signatures

  • Detects PlugX payload 16 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 21 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ToDeSK_X64_4.7.4.7.exe
    "C:\Users\Admin\AppData\Local\Temp\ToDeSK_X64_4.7.4.7.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ToDeSK_X64_4.7.4.7.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:2560
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 96A7B6BA5CFC12DB3CC1494BD4273803 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1236
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 99B60EDDDFD0425752CF81B2295EAD89 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2248
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8CAB7605297DD0C154B2A31752B28B4C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2016
    • C:\Program Files\ToDesk\ToDesk.exe
      "C:\Program Files\ToDesk\ToDesk.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1560
    • C:\Program Files\ToDesk\Tools\wmicode.exe
      "C:\Program Files\ToDesk\Tools\wmicode.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe 100 2688
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:816
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1840
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000488" "00000000000003DC"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2272
    • C:\ProgramData\NVIDIASmart\SxS.exe
      "C:\ProgramData\NVIDIASmart\SxS.exe" 200 0
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe 201 0
        2⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\system32\msiexec.exe 209 1988
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1008
    • C:\Program Files\ToDesk\ToDesk.exe
      "C:\Program Files\ToDesk\ToDesk.exe" --runservice
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2620
      • C:\Program Files\ToDesk\ToDesk.exe
        "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1808
      • C:\Program Files\ToDesk\ToDesk.exe
        "C:\Program Files\ToDesk\ToDesk.exe" --show --localPort=35600
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2172

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f772001.rbs
      Filesize

      11KB

      MD5

      31f219f332e6115ba9a0917a5f8eeeee

      SHA1

      b3e4cf613a446fc5d5cbb9fad6b6ce9b60cfca46

      SHA256

      e90d273628b65c2846a79b5204af59d85f51666a10c4737cb17888bec93a65a0

      SHA512

      d61665f3751979f2747e584e09d3df2e3d12d3288251c2f0da3740e3039cdd9eec469b310dbfae27c8a68b7660143c0d27c84ae59b5b7f95012089c9a129154b

      Download Submit

    • C:\Program Files\ToDesk\Tools\wmicode.exe
      Filesize

      122KB

      MD5

      d771741bb33ab0f2f364fd10e486df33

      SHA1

      fbb4d03ab6582627d341f76956fe995c182c98b1

      SHA256

      d5d9fefd7a79ba0c121ba76d0cd51f9520effc490424978bd341f130ec835455

      SHA512

      41f089d7ca755a385f68a65105e2aee0c9a34df03911746d59266db42bf3bf74372b168cebc40b034975ffe86dea93929e3a42155076bd8dcfbbefca78ba075e

      Download Submit

    • C:\Program Files\ToDesk\Tools\wmidll.dat
      Filesize

      134KB

      MD5

      7afeb0d7b74110ef2120b137340f84eb

      SHA1

      1c8da51ed33f720b0b9682f0b65988337ea38064

      SHA256

      627fe4631faa2d6f037228d60617c06d852b666ca2f8d48a4ae42a743454a21c

      SHA512

      54aad79d9a7999ebb0a5915b7d245a20d7c14c4e17bf55d21b14067c67eef4a0ab7d6fa39d2d35c48c9a126606bc4c05991555fc7f12cb653e3b19d355a9b592

      Download Submit

    • C:\Program Files\ToDesk\config.ini
      Filesize

      246B

      MD5

      2687dcf9a76f13ba0cca92b8f27331ca

      SHA1

      578f042f5a8793a5f82df4c4fb88fe444266eb58

      SHA256

      2925344dfd7108675b5af81ce0654950b11a2daa45f79bc77c572197b20b8182

      SHA512

      2012af817cad26665556f52295a7b16a3847c1e559d1009bcefcf66a26c99269ddcb0730318fcb57bd67bd292ab307d746a3b6262c640ff4b369e8f758b6a941

      Download Submit

    • C:\Program Files\ToDesk\config.ini
      Filesize

      394B

      MD5

      8dd20f41addbf03faf9e0412f8525db8

      SHA1

      8459ded5878a7181327ab98af9c30b3c5dc0147a

      SHA256

      ee57176127a78824ed20fced0c626a913e8a3cfb51ed0af87d22afcba9d41ea1

      SHA512

      fec4d52232a4396651c13b3cf6efe492a552ca40ecd5fe78923834ee4eb485d4f99030462f7d653f1f29f7ada75761e692f857991b125bfff613f39a93425fab

      Download Submit

    • C:\Program Files\ToDesk\config.ini
      Filesize

      529B

      MD5

      f5ec42c99f99a74cd1c5d0fb4562e277

      SHA1

      b0adcfc4a6c19d22fedb8b71c827bbfa90021dfb

      SHA256

      7c0bb0ab3a53495dd71bb7c38b921beb1873e59513d945d78f11bd97f7f26ed8

      SHA512

      1a65b1c3397aa95db89ce8d6bc78c41dfce4339bf979e1f14a8f68ac4024c4ce82215d874a6df45e107097d0263064dc6ecb2b6cc28a8296c0a9600bf90516cc

      Download Submit

    • C:\Program Files\ToDesk\config.ini
      Filesize

      589B

      MD5

      65cd4f63675a93e9c3d6e57cbef6869b

      SHA1

      e7c4e1f369719a4bfacfdb34c568f4b7ce4bb60b

      SHA256

      ddc88578c6fb9973afb3e61c9849df76b179e448939e235363d57c698183e3b2

      SHA512

      1798fed4e614e3b2327e0821a020c637b2d46df9dba1a13b23c53b6bd325f298f1929217a5ad483447c8515f078251cd58a4371a6ccf7474562f11e5aaca6c43

      Download Submit

    • C:\Program Files\ToDesk\zrtc.dll
      Filesize

      49.3MB

      MD5

      fab94e3b080e8d2dfc21b37278f73eb8

      SHA1

      73c55c05f53b9ead97a4a6acd497860efc119ca8

      SHA256

      d3f9c273b420be3ce59a8526d11827009215f559b39291844e3f98d8306c9a69

      SHA512

      41eb4ddb54e2e8d3e21921c06a83aa0e59cd371eaeda0708cea27a1f42e05df6e5b4aa7f8cef4d6c3185ac71e48a405f2e44c972341a9961ab8e06f91ccc0f3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIF9AA.tmp
      Filesize

      349KB

      MD5

      8752c01d76bc7b3a38b6acaf5b9c387b

      SHA1

      8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

      SHA256

      344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

      SHA512

      5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi
      Filesize

      1.5MB

      MD5

      bd1cea8173be8d2ff9ca7cb9bec5be31

      SHA1

      ef6d14694e84f425cbfdb7c48bc8c2e3681ec550

      SHA256

      5dead25512133ee8661c981be60e65f9d43fb39e88828416948b3358e213f23c

      SHA512

      f062e73c13ca464e8b543a3b8d37b0c87756f01acf8d674bc2dce0e451bfb7a1b5926d48cf882906e48ec475003bafd0d0cd1bd8eb077a24e392185985a443a9

      Download Submit

    • \Program Files\ToDesk\ToDesk.exe
      Filesize

      48.4MB

      MD5

      85b8e15b90d8bf333f0d49c11db9b1b0

      SHA1

      70ab7088257b0121a8e39dcab2a3846923f62ac0

      SHA256

      a9e56ee892beb3e0be3f2d412a2b4448c5a41b28fe2a15a40798faa119d4025c

      SHA512

      844b924351752992758d881f328176f4329f8f9182ced686e51fa1fe3413b8ea3f507eac031b997b07b8886cb978655443bd6da1c018181f25ca73d4e035f64b

      Download Submit

    • \Program Files\ToDesk\Tools\wmicodegen.dll
      Filesize

      9KB

      MD5

      8057f7bf4b7e5626517de5dee572b590

      SHA1

      e783934acc0e6a8aecc7711d7c21d186b807bb61

      SHA256

      984688673feded09962a0b4feeec8116ae860c520b0e5d630ff0df2de351b90b

      SHA512

      6fcd6fb80928d0fc3dc1fe1455723a8a82543f187f1bd6e45a28aa0045fe88e6f5b6ce8078a1adf89a46d49f90dc20e77a1ed99dc02eef4945775137f61752d6

      Download Submit

    • \Windows\Installer\MSI2271.tmp
      Filesize

      566KB

      MD5

      0e4db22ddc7c96801b65bc13e3a53455

      SHA1

      775da57600792fb18cd0e9626afc53bb2ba07abf

      SHA256

      675f7d999bf17ceedcd799bdf1b2fb02cc560cdc18c0609aa92eca0cd3a98961

      SHA512

      88ddb37880af878eddf7b82c919285dcec6360cea81c3755efeec7d0fb92c4e7ffe96ec654046ec9a4c6f1087d4e95b440b745621921041676bdc170663f3772

      Download Submit

    • \Windows\Installer\MSI22C0.tmp
      Filesize

      287KB

      MD5

      31a4f044c23a648c306df463302c49b5

      SHA1

      e014c21b4b0f3b054ee3f7b6bbba6b38974ab5da

      SHA256

      e12b2df53c66e4b3c5073682434fee7b1e070794f79e090ccc8fb803487f3a94

      SHA512

      e9d5606325a3e3fb371738bef66566f0491d080a5d6208482543f8729cd194d9dc11e3bc3989c3c19f359d3f34da977022b8a6457b6479ce5c51e3bf091a22fc

      Download Submit

    • memory/816-188-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/816-132-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/816-127-0x0000000000080000-0x0000000000082000-memory.dmp

      Filesize

      8KB

      Download

    • memory/816-129-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/816-130-0x00000000000A0000-0x00000000000C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1008-185-0x00000000002F0000-0x000000000032C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1008-183-0x00000000002F0000-0x000000000032C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1008-181-0x00000000002F0000-0x000000000032C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1008-184-0x00000000002F0000-0x000000000032C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1008-182-0x0000000000140000-0x0000000000141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1976-165-0x0000000000770000-0x00000000007AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1976-142-0x0000000000770000-0x00000000007AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1988-148-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1988-162-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1988-149-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1988-159-0x0000000000020000-0x0000000000021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1988-163-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1988-161-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1988-160-0x00000000001D0000-0x000000000020C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2172-209-0x000007FFFFF50000-0x000007FFFFF60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2172-229-0x000007FFFFF40000-0x000007FFFFF50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2688-166-0x0000000000240000-0x000000000027C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2688-126-0x0000000000240000-0x000000000027C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2772-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2772-38-0x00000000002D0000-0x00000000002D1000-memory.dmp

      Filesize

      4KB

      Download