Analysis

  • max time kernel
    1364s
  • max time network
    1156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2024, 21:36

General

  • Target

    Plutonium.exe

  • Size

    118KB

  • MD5

    ce2b811ce157fd090b92b40aa9fcf98e

  • SHA1

    a327d38ea8df99f094dc2faf52225e9a028fa2f7

  • SHA256

    0fbe5c784e6fb46e8083f6d51136d1de2abeec5c6aa80d794b33854cc221fd3a

  • SHA512

    9a0d8c81f6b7cde0c4266a0d2ef6aeffbf16c63f5ceb169f7f9196feacfdcabc3232ab7125e24335891662c22a9b36fe56ee76efabc9f9a0d7663cfb6bc3aae9

  • SSDEEP

    1536:52Y0VNblnigen1FQGpaika1PASjg/ooRJ25MO:523rbZi/8GprF3jg/oKJ25MO

Malware Config

Signatures

  • Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 33 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Plutonium.exe
    "C:\Users\Admin\AppData\Local\Temp\Plutonium.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con:cols=0120 lines=0030
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Windows\SysWOW64\mode.com
        mode con:cols=0120 lines=0030
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c title Plutonium
      2⤵
      • System Location Discovery: System Language Discovery
      PID:992
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\myfiles" mkdir "C:\Users\Admin\AppData\Local\Temp\myfiles"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\wtmpd" mkdir "C:\Users\Admin\AppData\Local\Temp\wtmpd"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4236
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h C:\Users\Admin\AppData\Local\Temp\wtmpd
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\i6.t
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\i6.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:924
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3592

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\i6.bat

          Filesize

          173B

          MD5

          0f8f70e88009593eefaa155a8e31b1d6

          SHA1

          eabcc3f2135e0919e9456da0a4b1084f3382d4b6

          SHA256

          941c169c07670650fc6c6148c1cae068b69bac209e05010594e164aafc7cdf8b

          SHA512

          94df468b963f3c9d133a25e1ffa57039fac01fe960f0f738552ca6440e6242ff48d0b410fe70dd05a62e4842c925c9f2b0220ca9eb9cb4ff5490ada443c9a750