Analysis
max time kernel: 1364s
max time network: 1156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/10/2024, 21:36
Static task: static1
Behavioral task: behavioral1
Sample: Plutonium.exe
Resource: win10v2004-20241007-en
General
Target: Plutonium.exe
Size: 118KB
MD5: ce2b811ce157fd090b92b40aa9fcf98e
SHA1: a327d38ea8df99f094dc2faf52225e9a028fa2f7
SHA256: 0fbe5c784e6fb46e8083f6d51136d1de2abeec5c6aa80d794b33854cc221fd3a
SHA512: 9a0d8c81f6b7cde0c4266a0d2ef6aeffbf16c63f5ceb169f7f9196feacfdcabc3232ab7125e24335891662c22a9b36fe56ee76efabc9f9a0d7663cfb6bc3aae9
SSDEEP: 1536:52Y0VNblnigen1FQGpaika1PASjg/ooRJ25MO:523rbZi/8GprF3jg/oKJ25MO
Malware Config
Signatures
Hide Artifacts: Hidden Files and Directories (1 TTP, 1 IoC)
    pid   Process
    4956  cmd.exe

System Location Discovery: System Language Discovery (1 TTP, 12 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Plutonium.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mode.com
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Each of the 11 distinct entries below is recorded three times in the report (33 IoCs in total).
    description                       pid   Process        procid_target
    PID 672 wrote to memory of 4048   672   Plutonium.exe  85
    PID 4048 wrote to memory of 2136  4048  cmd.exe        86
    PID 672 wrote to memory of 992    672   Plutonium.exe  87
    PID 672 wrote to memory of 4856   672   Plutonium.exe  88
    PID 672 wrote to memory of 4236   672   Plutonium.exe  89
    PID 672 wrote to memory of 4956   672   Plutonium.exe  90
    PID 4956 wrote to memory of 1636  4956  cmd.exe        91
    PID 672 wrote to memory of 2832   672   Plutonium.exe  92
    PID 672 wrote to memory of 924    672   Plutonium.exe  93
    PID 672 wrote to memory of 2660   672   Plutonium.exe  94
    PID 672 wrote to memory of 3592   672   Plutonium.exe  95

Views/modifies file attributes (1 TTP, 1 IoC)
    pid   Process
    1636  attrib.exe
Processes (child processes are indented under their parent)

Image: C:\Users\Admin\AppData\Local\Temp\Plutonium.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Plutonium.exe"
PID: 672
Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
    PID: 4048
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        Image: C:\Windows\SysWOW64\mode.com
        Command line: mode con:cols=0120 lines=0030
        PID: 2136
        Signatures:
          - System Location Discovery: System Language Discovery

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c title Plutonium
    PID: 992
    Signatures:
      - System Location Discovery: System Language Discovery

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
    PID: 4856
    Signatures:
      - System Location Discovery: System Language Discovery

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
    PID: 4236
    Signatures:
      - System Location Discovery: System Language Discovery

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
    PID: 4956
    Signatures:
      - Hide Artifacts: Hidden Files and Directories
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        Image: C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
        PID: 1636
        Signatures:
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
    PID: 2832
    Signatures:
      - System Location Discovery: System Language Discovery

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
    PID: 924
    Signatures:
      - System Location Discovery: System Language Discovery

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c
    PID: 2660
    Signatures:
      - System Location Discovery: System Language Discovery

    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause
    PID: 3592
    Signatures:
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 173B
MD5: 0f8f70e88009593eefaa155a8e31b1d6
SHA1: eabcc3f2135e0919e9456da0a4b1084f3382d4b6
SHA256: 941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b
SHA512: 94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750