Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 17:09

General

  • Target

    ToDeSK_X64_4.7.4.7.exe

  • Size

    56.3MB

  • MD5

    9909bb084a348057725ad3e8ddb0a0e5

  • SHA1

    ccb9413442b58b3d34ac9299a82cd721c1acea29

  • SHA256

    0e494e451e402ab67b754b81a933600fe49c71a780c9aebb85153708938ba3b2

  • SHA512

    a7fc3a92a65f3b4f2d86138960ccaef2b9d1d44a02e0bf18a1d07f9687e15bcf390e3eb966fcfcbe7b940d60e455488f3e01d344fd7f3672d258e45db12ec404

  • SSDEEP

    786432:MF0RxYqkGWDfPUzHixmoxlKG/zUmKGCM5jz44CrM9qAG9uE0wj0YM2xmoxsfrXC2:A6kGMsH8m+ZKHMdC4989OwjEznjXDn

Score
10/10

Malware Config

Signatures

  • Detects PlugX payload 16 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 18 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ToDeSK_X64_4.7.4.7.exe
    "C:\Users\Admin\AppData\Local\Temp\ToDeSK_X64_4.7.4.7.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ToDeSK_X64_4.7.4.7.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:1364
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 4647F1860DAB83ECD213F1C36C6B005C C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4948
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0FD19396F336EA8FF364C6887C86BC2C C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3824
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1524
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 07030727D6FEF055F72C6356E27FFB79
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3444
      • C:\Program Files\ToDesk\ToDesk.exe
        "C:\Program Files\ToDesk\ToDesk.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3156
      • C:\Program Files\ToDesk\Tools\wmicode.exe
        "C:\Program Files\ToDesk\Tools\wmicode.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe 100 1464
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1232
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2588
    • C:\ProgramData\NVIDIASmart\SxS.exe
      "C:\ProgramData\NVIDIASmart\SxS.exe" 200 0
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe 201 0
        2⤵
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:112
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\system32\msiexec.exe 209 112
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:556
    • C:\Program Files\ToDesk\ToDesk.exe
      "C:\Program Files\ToDesk\ToDesk.exe" --runservice
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Program Files\ToDesk\ToDesk.exe
        "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:4060
      • C:\Program Files\ToDesk\ToDesk.exe
        "C:\Program Files\ToDesk\ToDesk.exe" --show --localPort=35600
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:3904

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57cd05.rbs

      Filesize

      12KB

      MD5

      710ea8221636decdc7684a50df19538a

      SHA1

      897f37d1f48019c99219ba60a8dd639160ecaf1b

      SHA256

      5e05c57ca979d371388c8db94fefca27e9cff00fe51e5cf5212d6ddfb1cb5b82

      SHA512

      7bd2ea5bd223556cb32039200854b67c84003988f2d1de06d6ba4cd3ed63d2bad6958e133a8dcda009cb6d2a3d3bb73367b658283c54c9ee689f9d621a3d597d

    • C:\Program Files\ToDesk\ToDesk.exe

      Filesize

      48.4MB

      MD5

      85b8e15b90d8bf333f0d49c11db9b1b0

      SHA1

      70ab7088257b0121a8e39dcab2a3846923f62ac0

      SHA256

      a9e56ee892beb3e0be3f2d412a2b4448c5a41b28fe2a15a40798faa119d4025c

      SHA512

      844b924351752992758d881f328176f4329f8f9182ced686e51fa1fe3413b8ea3f507eac031b997b07b8886cb978655443bd6da1c018181f25ca73d4e035f64b

    • C:\Program Files\ToDesk\Tools\wmicode.exe

      Filesize

      122KB

      MD5

      d771741bb33ab0f2f364fd10e486df33

      SHA1

      fbb4d03ab6582627d341f76956fe995c182c98b1

      SHA256

      d5d9fefd7a79ba0c121ba76d0cd51f9520effc490424978bd341f130ec835455

      SHA512

      41f089d7ca755a385f68a65105e2aee0c9a34df03911746d59266db42bf3bf74372b168cebc40b034975ffe86dea93929e3a42155076bd8dcfbbefca78ba075e

    • C:\Program Files\ToDesk\Tools\wmicodegen.dll

      Filesize

      9KB

      MD5

      8057f7bf4b7e5626517de5dee572b590

      SHA1

      e783934acc0e6a8aecc7711d7c21d186b807bb61

      SHA256

      984688673feded09962a0b4feeec8116ae860c520b0e5d630ff0df2de351b90b

      SHA512

      6fcd6fb80928d0fc3dc1fe1455723a8a82543f187f1bd6e45a28aa0045fe88e6f5b6ce8078a1adf89a46d49f90dc20e77a1ed99dc02eef4945775137f61752d6

    • C:\Program Files\ToDesk\Tools\wmidll.dat

      Filesize

      134KB

      MD5

      7afeb0d7b74110ef2120b137340f84eb

      SHA1

      1c8da51ed33f720b0b9682f0b65988337ea38064

      SHA256

      627fe4631faa2d6f037228d60617c06d852b666ca2f8d48a4ae42a743454a21c

      SHA512

      54aad79d9a7999ebb0a5915b7d245a20d7c14c4e17bf55d21b14067c67eef4a0ab7d6fa39d2d35c48c9a126606bc4c05991555fc7f12cb653e3b19d355a9b592

    • C:\Program Files\ToDesk\config.ini

      Filesize

      246B

      MD5

      1c49795eac703f0f1f5f5b0d3bf199d5

      SHA1

      2411608301ec1c4583e16b5ef651611e8da3a940

      SHA256

      4a2e4aee4f49df94521127c40d3b12dae0bd599195a346b909ca9aa2d16e154a

      SHA512

      94d041baa7178eb5ba1b9f0e7cd0d455cac0e680a06fedc0e85f55b66e64313ccdaa631d4a0b275a30458f8cae9b1b8b1b9168709b3958a607fbaf3aad99efb5

    • C:\Program Files\ToDesk\config.ini

      Filesize

      394B

      MD5

      6bcdbe3c04756870fdaa591f2d3c4496

      SHA1

      947da5826c99dde0e81e71340298a515d2a9c208

      SHA256

      7f317c7dc3e9acbe188e942f141036efffcfaf7270cb7d0a03fda60889701995

      SHA512

      579de36acd0f9a2a8cec5317c99eb856e572a00d4a20152eb99fdc1d0cb77e2353a0a58e655053686d679ab31afebe6e2569f2d21a2d538e0fa5bd6d0707e783

    • C:\Program Files\ToDesk\config.ini

      Filesize

      529B

      MD5

      b79db07e9142a8f8296f518b2c6222cb

      SHA1

      0c3ecc30cb9ff5aa457a1603489a5090e12c9485

      SHA256

      b660821f00dad204e1460a426456b4f88b498eda60eddd8a80d105bb70521faa

      SHA512

      5325303f7de66702434c3bab6ca92ee59812690757852807bb3a26b341a5c5d5c0b69007bcef776a158de3ebf1ed6c9728bd6c55232afe36b8cfcfaf84417f1b

    • C:\Program Files\ToDesk\config.ini

      Filesize

      589B

      MD5

      d4c85d1dd4f959f7fe2129f7a2036e29

      SHA1

      2d60cbbb8df859b95b378fc3c673ee54cb28b126

      SHA256

      561501959d6a97fc588510c929a1d55c37e9ac78157d56b1e704c75036be670f

      SHA512

      1bae89f1ea73320a4e0fd5781dcd9c43e18b86598483d2accc9113e5e1501f188c08ce30eb7b303acaa5c36404775eb6328da8040d8b24f25ccb24877da2a75b

    • C:\Program Files\ToDesk\zrtc.dll

      Filesize

      49.3MB

      MD5

      fab94e3b080e8d2dfc21b37278f73eb8

      SHA1

      73c55c05f53b9ead97a4a6acd497860efc119ca8

      SHA256

      d3f9c273b420be3ce59a8526d11827009215f559b39291844e3f98d8306c9a69

      SHA512

      41eb4ddb54e2e8d3e21921c06a83aa0e59cd371eaeda0708cea27a1f42e05df6e5b4aa7f8cef4d6c3185ac71e48a405f2e44c972341a9961ab8e06f91ccc0f3a

    • C:\Users\Admin\AppData\Local\Temp\MSI83F6.tmp

      Filesize

      349KB

      MD5

      8752c01d76bc7b3a38b6acaf5b9c387b

      SHA1

      8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

      SHA256

      344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

      SHA512

      5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

    • C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi

      Filesize

      1.5MB

      MD5

      bd1cea8173be8d2ff9ca7cb9bec5be31

      SHA1

      ef6d14694e84f425cbfdb7c48bc8c2e3681ec550

      SHA256

      5dead25512133ee8661c981be60e65f9d43fb39e88828416948b3358e213f23c

      SHA512

      f062e73c13ca464e8b543a3b8d37b0c87756f01acf8d674bc2dce0e451bfb7a1b5926d48cf882906e48ec475003bafd0d0cd1bd8eb077a24e392185985a443a9

    • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-us\default.dic

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Windows\Installer\MSICE11.tmp

      Filesize

      566KB

      MD5

      0e4db22ddc7c96801b65bc13e3a53455

      SHA1

      775da57600792fb18cd0e9626afc53bb2ba07abf

      SHA256

      675f7d999bf17ceedcd799bdf1b2fb02cc560cdc18c0609aa92eca0cd3a98961

      SHA512

      88ddb37880af878eddf7b82c919285dcec6360cea81c3755efeec7d0fb92c4e7ffe96ec654046ec9a4c6f1087d4e95b440b745621921041676bdc170663f3772

    • C:\Windows\Installer\MSICE9E.tmp

      Filesize

      287KB

      MD5

      31a4f044c23a648c306df463302c49b5

      SHA1

      e014c21b4b0f3b054ee3f7b6bbba6b38974ab5da

      SHA256

      e12b2df53c66e4b3c5073682434fee7b1e070794f79e090ccc8fb803487f3a94

      SHA512

      e9d5606325a3e3fb371738bef66566f0491d080a5d6208482543f8729cd194d9dc11e3bc3989c3c19f359d3f34da977022b8a6457b6479ce5c51e3bf091a22fc

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      4bded2b2dff02dad74afcdc5dc71f72a

      SHA1

      5f5dc7d0754913f571cb5f04cd9132f1c5ad9672

      SHA256

      4ba8e900a2a48f7bed1ce4d884bf0cfbeac0a6ea33a57f4fcab24dfc8e01a5b0

      SHA512

      d705d23576e15808dcec3d825271a5eaee6758f44faf0f3665d84c4c42e18e96e62c73de56d6b182734b47f400c9a38afca54e06c38b6948d4f863ee6eff1cab

    • \??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ab24ec10-844e-4f51-8477-e6a282807f12}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      6c9beb65ca47e9c7c92b60de413eb6e0

      SHA1

      190534716fbcf0bf52efcb2e6ada1e02b9629cc6

      SHA256

      a0d6bca6cbbef45ec261d27302bec4eed10b8c980073c36863be69fff6efa474

      SHA512

      15ef3528cb470bb147ac39fe746d5bd98db3714eb1b5471688a7ef0814d7898bad3b3936f02fc4e70c58c3e066bbc4f971abf246df1cd50e8204ab084086e60e

    • memory/112-161-0x0000000000F90000-0x0000000000FCC000-memory.dmp

      Filesize

      240KB

    • memory/112-160-0x0000000000F90000-0x0000000000FCC000-memory.dmp

      Filesize

      240KB

    • memory/112-157-0x0000000000950000-0x0000000000951000-memory.dmp

      Filesize

      4KB

    • memory/112-145-0x0000000000F90000-0x0000000000FCC000-memory.dmp

      Filesize

      240KB

    • memory/112-147-0x0000000000F90000-0x0000000000FCC000-memory.dmp

      Filesize

      240KB

    • memory/112-159-0x0000000000F90000-0x0000000000FCC000-memory.dmp

      Filesize

      240KB

    • memory/112-158-0x0000000000F90000-0x0000000000FCC000-memory.dmp

      Filesize

      240KB

    • memory/556-188-0x00000000027A0000-0x00000000027DC000-memory.dmp

      Filesize

      240KB

    • memory/556-185-0x00000000010D0000-0x00000000010D1000-memory.dmp

      Filesize

      4KB

    • memory/556-184-0x00000000027A0000-0x00000000027DC000-memory.dmp

      Filesize

      240KB

    • memory/556-187-0x00000000027A0000-0x00000000027DC000-memory.dmp

      Filesize

      240KB

    • memory/556-186-0x00000000027A0000-0x00000000027DC000-memory.dmp

      Filesize

      240KB

    • memory/1232-174-0x0000000000EA0000-0x0000000000EDC000-memory.dmp

      Filesize

      240KB

    • memory/1232-127-0x0000000000EA0000-0x0000000000EDC000-memory.dmp

      Filesize

      240KB

    • memory/1464-162-0x0000000002870000-0x00000000028AC000-memory.dmp

      Filesize

      240KB

    • memory/1464-126-0x0000000002870000-0x00000000028AC000-memory.dmp

      Filesize

      240KB

    • memory/4296-146-0x0000000000E90000-0x0000000000ECC000-memory.dmp

      Filesize

      240KB

    • memory/4296-143-0x0000000000E90000-0x0000000000ECC000-memory.dmp

      Filesize

      240KB