Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2024 14:08
Behavioral task
behavioral1
Sample
kdump64.dll
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
kdump64.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
wps.exe
Resource
win7-20240903-en
General
-
Target
wps.exe
-
Size
177KB
-
MD5
f44992d14033a2b5b1064104658a29e1
-
SHA1
62673aa6e8bde17f218524cbe3bf50cb5b949f3b
-
SHA256
331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4
-
SHA512
9a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b
-
SSDEEP
3072:65nSsRkXPsSadfviPNPVY5bYm1wkUBL/1cAR+oOb5vENb/fZOKeb0WhmNNdnLeny:65SsRkXPYGPG5cm6Bd3oEt/fZOaBi/fi
Malware Config
Signatures
-
Detects PlugX payload 24 IoCs
resource yara_rule behavioral4/memory/3224-5-0x00000000008D0000-0x000000000090A000-memory.dmp family_plugx behavioral4/memory/3224-6-0x00000000008D0000-0x000000000090A000-memory.dmp family_plugx behavioral4/memory/2884-29-0x00000000020A0000-0x00000000020DA000-memory.dmp family_plugx behavioral4/memory/2536-35-0x0000000000C70000-0x0000000000CAA000-memory.dmp family_plugx behavioral4/memory/4708-62-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/3224-67-0x00000000008D0000-0x000000000090A000-memory.dmp family_plugx behavioral4/memory/4708-61-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/4708-60-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/4708-57-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/2536-56-0x0000000000C70000-0x0000000000CAA000-memory.dmp family_plugx behavioral4/memory/4708-55-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/4708-54-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/4708-53-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/4708-42-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/4708-41-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/4708-39-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx behavioral4/memory/2536-36-0x0000000000C70000-0x0000000000CAA000-memory.dmp family_plugx behavioral4/memory/2884-27-0x00000000020A0000-0x00000000020DA000-memory.dmp family_plugx behavioral4/memory/2884-71-0x00000000020A0000-0x00000000020DA000-memory.dmp family_plugx behavioral4/memory/2820-73-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp family_plugx behavioral4/memory/2820-76-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp family_plugx behavioral4/memory/2820-78-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp family_plugx behavioral4/memory/2820-77-0x000002B8D51A0000-0x000002B8D51DA000-memory.dmp family_plugx behavioral4/memory/4708-79-0x00000182AC3B0000-0x00000182AC3EA000-memory.dmp family_plugx -
Plugx family
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 103.43.18.19 -
resource yara_rule behavioral4/memory/3224-0-0x00007FFEBF9C0000-0x00007FFEBFA04000-memory.dmp vmprotect behavioral4/memory/3224-1-0x00007FFEBF9C0000-0x00007FFEBFA04000-memory.dmp vmprotect behavioral4/files/0x0007000000023c7a-21.dat vmprotect behavioral4/memory/2884-23-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp vmprotect behavioral4/memory/2536-59-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp vmprotect behavioral4/memory/3224-37-0x00007FFEBF9C0000-0x00007FFEBFA04000-memory.dmp vmprotect behavioral4/memory/2536-33-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp vmprotect behavioral4/memory/2536-32-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp vmprotect behavioral4/memory/2884-24-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp vmprotect behavioral4/memory/2884-70-0x00007FFEBF520000-0x00007FFEBF564000-memory.dmp vmprotect -
Deletes itself 1 IoCs
pid Process 2884 wps.exe -
Executes dropped EXE 2 IoCs
pid Process 2884 wps.exe 2536 wps.exe -
Loads dropped DLL 2 IoCs
pid Process 2884 wps.exe 2536 wps.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHZ svchost.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\CLASSES\FAST svchost.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 39003000390032004300310043003100450035004300300044004500350030000000 svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3224 wps.exe 3224 wps.exe 3224 wps.exe 3224 wps.exe 2884 wps.exe 2884 wps.exe 2884 wps.exe 2884 wps.exe 2536 wps.exe 2536 wps.exe 2536 wps.exe 2536 wps.exe 4708 svchost.exe 4708 svchost.exe 4708 svchost.exe 4708 svchost.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 4708 svchost.exe 4708 svchost.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 4708 svchost.exe 4708 svchost.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 4708 svchost.exe 4708 svchost.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 2820 msiexec.exe 4708 svchost.exe 4708 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 4708 svchost.exe 2820 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 3224 wps.exe Token: SeTcbPrivilege 3224 wps.exe Token: SeDebugPrivilege 2884 wps.exe Token: SeTcbPrivilege 2884 wps.exe Token: SeDebugPrivilege 2536 wps.exe Token: SeTcbPrivilege 2536 wps.exe Token: SeDebugPrivilege 4708 svchost.exe Token: SeTcbPrivilege 4708 svchost.exe Token: SeDebugPrivilege 2820 msiexec.exe Token: SeTcbPrivilege 2820 msiexec.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2536 wrote to memory of 4708 2536 wps.exe 86 PID 2536 wrote to memory of 4708 2536 wps.exe 86 PID 2536 wrote to memory of 4708 2536 wps.exe 86 PID 2536 wrote to memory of 4708 2536 wps.exe 86 PID 2536 wrote to memory of 4708 2536 wps.exe 86 PID 2536 wrote to memory of 4708 2536 wps.exe 86 PID 4708 wrote to memory of 2820 4708 svchost.exe 96 PID 4708 wrote to memory of 2820 4708 svchost.exe 96 PID 4708 wrote to memory of 2820 4708 svchost.exe 96 PID 4708 wrote to memory of 2820 4708 svchost.exe 96 PID 4708 wrote to memory of 2820 4708 svchost.exe 96 PID 4708 wrote to memory of 2820 4708 svchost.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\wps.exe"C:\Users\Admin\AppData\Local\Temp\wps.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
C:\ProgramData\Kingsoft\office6\wps.exe"C:\ProgramData\Kingsoft\office6\wps.exe" 100 32241⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884
-
C:\ProgramData\Kingsoft\office6\wps.exe"C:\ProgramData\Kingsoft\office6\wps.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe 209 47083⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
148KB
MD5d5dcfc5ac42bcba55a1170756f3493f4
SHA11bcefa919e0c9c1d114ed6384e4aff8f316482de
SHA2568ba00843b9aba2cff6f2234a7daf040aadfebce4c05b13061da63b48f63bfa4f
SHA512dbaf78188b53629d667bdcb4fcdc0c35045e77330bbe209739c86fbe2d7c2ba04b3adeedc6576186e1af20f8eb373a9788ed3b0050f80f61485475dcf23b0a24
-
Filesize
152KB
MD5a1ed676cf36394b6b4fb449309b91b5b
SHA14cf7a01b132e4855581e39f5d0da204301fdae98
SHA2568da2085b60e44aa5fa46c8613757e1582df098e27373b2c8916d2725f28b46de
SHA512ce224d2376a7d78777691f9eceb8a48755787b390b73e309d48337b8d097a9370e66780237e2884294c76205f93f27e82744804781abe8eaee255c9e2f0f3f11
-
Filesize
177KB
MD5f44992d14033a2b5b1064104658a29e1
SHA162673aa6e8bde17f218524cbe3bf50cb5b949f3b
SHA256331f64d6d6bf7883ed8a3c29ab8ce3bf947aaecf49748a7a2b5113ced68607a4
SHA5129a57d5765e9dcff8caccf8b51449bfd8d35f9c346c9a09a5c64a7229136490bc1cb5a3f07c8d9c75aaf48e16e01700c3d6674fc1b8d170ce927913c4130bc31b