Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/11/2024, 06:13
Static task: static1
Behavioral task: behavioral1
- Sample: PlasmaPerm.exe
- Resource: win7-20240903-en
General
- Target: PlasmaPerm.exe
- Size: 2.0MB
- MD5: 53f60234d2f23b0a56a4c4d01c235281
- SHA1: edcf730e5a6e9d251135217cab566fee8b2089ad
- SHA256: 157022d90bfb8809c6f371c36d54fb90650dda68241f85890983e2a0c0021dc7
- SHA512: 465290c68b38991ba454c2149704330557496cd63951ca80b6520dfe9c8121a8a99e8ead8125fbc7462f514ee4994fcd2c70d57c30e87be106a5d71f98105461
- SSDEEP: 49152:LyFS0D21lmt9V7dmKZ+I/AjVMm5MVHWlC0g/2sv:o5sl89V7D+I/aMm5MmC0gusv
Malware Config
Signatures

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | PlasmaPerm.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | PlasmaPerm.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | PlasmaPerm.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | PlasmaPerm.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | PlasmaPerm.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | PlasmaPerm.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PlasmaPerm.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | PlasmaPerm.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | PlasmaPerm.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | PlasmaPerm.exe

Suspicious behavior: EnumeratesProcesses (50 IoCs)
  pid | Process
  1404 | PlasmaPerm.exe (the same row is repeated 50 times, one per enumeration)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1404 | PlasmaPerm.exe
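Every signature above except the last two is a registry read that fingerprints the analysis host: vendor keys for VirtualBox Guest Additions and VMware Tools, BIOS version and manufacturer strings, the disk enumeration key, and the installed language. The WOW6432Node prefix on the SOFTWARE reads is the redirected 32-bit view of HKLM\SOFTWARE on x64 Windows, so a rule that keys on the literal path would miss the same check made from a 64-bit process. The following is an added example, not part of this report and not the sandbox's own signature engine, that turns these IoCs into a small detection over registry-read telemetry such as a Procmon RegOpenKey/RegQueryValue export (Sysmon's registry events cover key creation, value set and rename, not reads). The record format, the category names and the two-category threshold are assumptions; the sample records are constructed from the IoCs listed above plus two benign rows, one of which reads a VMware key from a 64-bit process so that a lone vendor-key check, which legitimate installers also make, is not flagged on its own.

```python
"""Classify registry-read telemetry into sandbox-evasion categories.

Added example modelled on the IoCs in the report above; the input format is
a constructed simplification of a Procmon-style registry-read export:
(operation, path, process) per record.
"""
import re
from collections import defaultdict

# Key-path prefixes per evasion category, written in canonical form: lower
# case, root folded to "hklm", Wow6432Node removed, ControlSetNNN folded to
# CurrentControlSet. Taken from the report's IoCs; a real rule set is longer.
EVASION_RULES = {
    "vm_vendor_software": (
        r"hklm\software\oracle\virtualbox guest additions",
        r"hklm\software\vmware, inc.\vmware tools",
    ),
    "bios_fingerprint": (
        r"hklm\hardware\description\system\videobiosversion",
        r"hklm\hardware\description\system\systembiosversion",
        r"hklm\hardware\description\system\bios",
    ),
    "disk_enumeration": (
        r"hklm\system\currentcontrolset\services\disk\enum",
    ),
    "system_language": (
        r"hklm\system\currentcontrolset\control\nls\language",
    ),
}

# Root spellings seen in sandbox reports (\REGISTRY\MACHINE) and in tools
# that use the Win32 name (HKEY_LOCAL_MACHINE), both folded to "hklm".
_ROOTS = (("registry\\machine", "hklm"), ("hkey_local_machine", "hklm"))


def normalize_path(path: str) -> str:
    """Canonicalise a registry path so one rule covers the variants a sample
    or a logging tool may produce for the same key."""
    p = path.strip().strip("\\").lower()
    for prefix, root in _ROOTS:
        if p == prefix or p.startswith(prefix + "\\"):
            p = root + p[len(prefix):]
            break
    # 32-bit view of HKLM\SOFTWARE on x64 Windows, as in the report's IoCs
    p = re.sub(r"\\wow6432node(?=\\|$)", "", p)
    # ControlSet001 etc. are the concrete sets behind the CurrentControlSet link
    p = re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", p)
    return p


def classify_access(path: str):
    """Return the evasion category a registry path falls under, or None."""
    p = normalize_path(path)
    for category, prefixes in EVASION_RULES.items():
        for prefix in prefixes:
            # exact key, or a value/subkey underneath it
            if p == prefix or p.startswith(prefix + "\\"):
                return category
    return None


def summarize(records):
    """Group matching accesses by process: {process: {category: [(op, path)]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for op, path, process in records:
        category = classify_access(path)
        if category:
            hits[process][category].append((op, path))
    return {proc: dict(cats) for proc, cats in hits.items()}


def suspicious_processes(records, min_categories=2):
    """A single vendor-key read is routine for installers; require hits in at
    least `min_categories` distinct categories before flagging a process."""
    return sorted(proc for proc, cats in summarize(records).items()
                  if len(cats) >= min_categories)


# Constructed sample records (operation, path, process). The first ten mirror
# the IoCs in the report; the last two are benign rows added for the test.
SAMPLE_RECORDS = [
    ("RegOpenKey", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions", "PlasmaPerm.exe"),
    ("RegOpenKey", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools", "PlasmaPerm.exe"),
    ("RegQueryValue", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", "PlasmaPerm.exe"),
    ("RegQueryValue", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "PlasmaPerm.exe"),
    ("RegOpenKey", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum", "PlasmaPerm.exe"),
    ("RegQueryValue", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0", "PlasmaPerm.exe"),
    ("RegOpenKey", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "PlasmaPerm.exe"),
    ("RegOpenKey", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS", "PlasmaPerm.exe"),
    ("RegQueryValue", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "PlasmaPerm.exe"),
    ("RegQueryValue", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion", "PlasmaPerm.exe"),
    # constructed: 64-bit process using the HKLM alias, one category only
    ("RegOpenKey", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", "setup.exe"),
    # constructed: unrelated key, must not match anything
    ("RegQueryValue", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "explorer.exe"),
]


if __name__ == "__main__":
    for proc, cats in summarize(SAMPLE_RECORDS).items():
        print(proc, {c: len(v) for c, v in cats.items()})
    print("flagged:", suspicious_processes(SAMPLE_RECORDS))
```

The threshold is the important design choice: any one of these reads has a benign explanation, and what makes this sample stand out in the report is the combination of vendor-key, BIOS, disk and language checks in a single process that then also requests SeDebugPrivilege. Feed the function a real export and raise `min_categories` if your baseline shows installers hitting two categories routinely.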
Processes
- C:\Users\Admin\AppData\Local\Temp\PlasmaPerm.exe (PID 1404), command line: "C:\Users\Admin\AppData\Local\Temp\PlasmaPerm.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken