Analysis
-
max time kernel
149s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
02-10-2024 20:14
Static task
static1
Behavioral task
behavioral1
Sample
07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe
Resource
win7-20240704-en
windows7-x64
10 signatures
150 seconds
General
-
Target
07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe
-
Size
290KB
-
MD5
e0ce4768c42e1f857b3a31016db2314b
-
SHA1
f8a08bca5b0e682db91c5ae90f48aedf30378de5
-
SHA256
07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9
-
SHA512
a7e60e65f723efdede2a593a15afbdb781924e5d92d8fe4d7ae6b3768ca5dde289efae064919765e28bb7464da50083668df9ab24c3d8851864ab57ba16bf5bd
-
SSDEEP
6144:I7m697rqzqqLEaGDqWoWrSuzidnKjrqnbqdn9:2t9krLEaGDqArXzidnHc
Malware Config
Signatures
-
Detects PlugX payload 17 IoCs
resource yara_rule behavioral1/memory/1232-0-0x0000000000550000-0x000000000058D000-memory.dmp family_plugx behavioral1/memory/2184-7-0x0000000000240000-0x000000000027D000-memory.dmp family_plugx behavioral1/memory/2188-13-0x0000000000450000-0x000000000048D000-memory.dmp family_plugx behavioral1/memory/1972-19-0x0000000000400000-0x000000000043D000-memory.dmp family_plugx behavioral1/memory/2188-26-0x0000000000450000-0x000000000048D000-memory.dmp family_plugx behavioral1/memory/1972-36-0x0000000000400000-0x000000000043D000-memory.dmp family_plugx behavioral1/memory/2184-40-0x0000000000240000-0x000000000027D000-memory.dmp family_plugx behavioral1/memory/1232-38-0x0000000000550000-0x000000000058D000-memory.dmp family_plugx behavioral1/memory/1972-35-0x0000000000400000-0x000000000043D000-memory.dmp family_plugx behavioral1/memory/1972-34-0x0000000000400000-0x000000000043D000-memory.dmp family_plugx behavioral1/memory/1972-33-0x0000000000400000-0x000000000043D000-memory.dmp family_plugx behavioral1/memory/1972-21-0x0000000000400000-0x000000000043D000-memory.dmp family_plugx behavioral1/memory/2908-47-0x0000000000330000-0x000000000036D000-memory.dmp family_plugx behavioral1/memory/2908-51-0x0000000000330000-0x000000000036D000-memory.dmp family_plugx behavioral1/memory/2908-50-0x0000000000330000-0x000000000036D000-memory.dmp family_plugx behavioral1/memory/2908-49-0x0000000000330000-0x000000000036D000-memory.dmp family_plugx behavioral1/memory/1972-52-0x0000000000400000-0x000000000043D000-memory.dmp family_plugx -
Executes dropped EXE 1 IoCs
pid Process 2188 SxS.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SxS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004600330036004400420039004600360045003300330031003300420043000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 2184 svchost.exe 2188 SxS.exe 2188 SxS.exe 2188 SxS.exe 1972 svchost.exe 1972 svchost.exe 1972 svchost.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 1972 svchost.exe 1972 svchost.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 1972 svchost.exe 1972 svchost.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 1972 svchost.exe 1972 svchost.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 1972 svchost.exe 1972 svchost.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe 2908 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1972 svchost.exe 2908 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe Token: SeTcbPrivilege 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe Token: SeDebugPrivilege 2184 svchost.exe Token: SeTcbPrivilege 2184 svchost.exe Token: SeDebugPrivilege 2188 SxS.exe Token: SeTcbPrivilege 2188 SxS.exe Token: SeDebugPrivilege 1972 svchost.exe Token: SeTcbPrivilege 1972 svchost.exe Token: SeDebugPrivilege 2908 msiexec.exe Token: SeTcbPrivilege 2908 msiexec.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 2188 SxS.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 1232 wrote to memory of 2184 1232 07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe 30 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 2188 wrote to memory of 1972 2188 SxS.exe 32 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33 PID 1972 wrote to memory of 2908 1972 svchost.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe"C:\Users\Admin\AppData\Local\Temp\07f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe 100 12322⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\ProgramData\NVIDIASmart\SxS.exe"C:\ProgramData\NVIDIASmart\SxS.exe" 200 01⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe 201 02⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 19723⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
290KB
MD5e0ce4768c42e1f857b3a31016db2314b
SHA1f8a08bca5b0e682db91c5ae90f48aedf30378de5
SHA25607f68a6d0c1b1e97c5ec147b21c0a9646013b1c9e90789c51dd3d87469cdcfd9
SHA512a7e60e65f723efdede2a593a15afbdb781924e5d92d8fe4d7ae6b3768ca5dde289efae064919765e28bb7464da50083668df9ab24c3d8851864ab57ba16bf5bd