Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

30/12/2024, 19:54

241230-ymjw9ayme1 10

24/09/2024, 08:26

240924-kcchja1cla 10

19/09/2024, 16:17

240919-trjptsybql 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 19:54

General

  • Target

    ToDesk_x64_4.7.4.8.exe

  • Size

    56.3MB

  • MD5

    e43eaf8183e538eb28e5dfd31ba074bc

  • SHA1

    4d90bca79dbb3994fc1cf99921b1942520bee490

  • SHA256

    3771d6a0594a42845193f182b177151b295e458f17749e74ae5a5320210a2fe8

  • SHA512

    d43c32749ff1db235f063cc071c33af41dde25fd1c92d1fb670ad8ee0c5b7ab24f172138d7a18b0f61d9e4e959d4b765965ca3e38f0aa9cbb4e51125d6de70a5

  • SSDEEP

    1572864:A4959RiO7XJ5d5crS8/JruPXzKgz5zejq4/OiV0xNnw:lT7XJ5gTJrOzKs5y//OiVwZw

Score
10/10

Malware Config

Signatures

  • Detects PlugX payload 16 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Plugx family
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 21 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 32 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ToDesk_x64_4.7.4.8.exe
    "C:\Users\Admin\AppData\Local\Temp\ToDesk_x64_4.7.4.8.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ToDesk_x64_4.7.4.8.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:2876
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5653FC42D9BA0E5FFCADC7CAD17731F3 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2880
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D003FC4603DCDB00D0F827E9B717201B C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2640
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1CDBDECF5C38A4A05129AEB72785A8A5
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2052
    • C:\Program Files\ToDesk\ToDesk.exe
      "C:\Program Files\ToDesk\ToDesk.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2172
    • C:\Program Files\ToDesk\Tools\wmicode.exe
      "C:\Program Files\ToDesk\Tools\wmicode.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:108
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe 100 108
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1104
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000005B4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1936
    • C:\ProgramData\NVIDIASmart\SxS.exe
      "C:\ProgramData\NVIDIASmart\SxS.exe" 200 0
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe 201 0
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\system32\msiexec.exe 209 2724
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2504
    • C:\Program Files\ToDesk\ToDesk.exe
      "C:\Program Files\ToDesk\ToDesk.exe" --runservice
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Program Files\ToDesk\ToDesk.exe
        "C:\Program Files\ToDesk\ToDesk.exe" --hide --localPort=35600
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1544
      • C:\Program Files\ToDesk\ToDesk.exe
        "C:\Program Files\ToDesk\ToDesk.exe" --show --localPort=35600
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f7720fa.rbs

      Filesize

      11KB

      MD5

      53007f014c36cc27bb4cb3c30de77d69

      SHA1

      4cf78e447557cfd516c2e8531f90a78127eb658c

      SHA256

      ba565941794b2f4a24567685c910a2e691b9493d9723713945228ebd6e82c6f3

      SHA512

      80c9af28cc071e8cdfd13454eba80a7050fa00761d7055aa0941159e982f1fa9ab191d52aef8432aa1783aa94c4fc9cfc37665dcf6ad49541559cd418f1ff4f5

    • C:\Program Files\ToDesk\Tools\wmicode.exe

      Filesize

      122KB

      MD5

      d771741bb33ab0f2f364fd10e486df33

      SHA1

      fbb4d03ab6582627d341f76956fe995c182c98b1

      SHA256

      d5d9fefd7a79ba0c121ba76d0cd51f9520effc490424978bd341f130ec835455

      SHA512

      41f089d7ca755a385f68a65105e2aee0c9a34df03911746d59266db42bf3bf74372b168cebc40b034975ffe86dea93929e3a42155076bd8dcfbbefca78ba075e

    • C:\Program Files\ToDesk\Tools\wmidll.dat

      Filesize

      130KB

      MD5

      b1231c5483c4e1ac2e4832047364355d

      SHA1

      37b697dbee932d6cfc813ef91a8014c129df44e7

      SHA256

      19795c19808560ea7f8595c77bf00f6db848479469ee9255bd80ee564e34867b

      SHA512

      edee0b31b1b391baeba69bfec883de659a7aec9cf33c46d88dbbb389b9ebbf07ee4d4fcc8acd13ca611c8c16bdbd3b015834577f0b8f6dc55ab7315b6051df62

    • C:\Program Files\ToDesk\config.ini

      Filesize

      98B

      MD5

      a827ce443c1de31e595c7a9a21f7bde3

      SHA1

      6643bcb0aec960b3ca51d0e5e3f7fc8fe98f321e

      SHA256

      64c5e1a26c85d2775c56b9612d4923286e1aba7a9df2a11663f177848c775f44

      SHA512

      eec653335cc33af41d370ccc08cd9cc9f5df51b169b7dbb93d7fb414829815ac96aae172b34337b48433e85fcdb7c3cb10a10e25581c112de978637154d77ce7

    • C:\Program Files\ToDesk\config.ini

      Filesize

      225B

      MD5

      daab74df217e0c877b424d1de09ca8da

      SHA1

      e912566ca7c58439d4a5c306a3a8ebb53d4646a1

      SHA256

      590b652b2489e4eb26e77568ad8b466fa95f28b6eb73dfc791a5db78396b3656

      SHA512

      6972005c0b8e9e4472fb561c4ceae253d381e07843f9f17a73d532f922d59058962ee80a769a6c518cc0a43ecd97204a2295a3f91da8ad136bef2a676a76dc23

    • C:\Program Files\ToDesk\config.ini

      Filesize

      420B

      MD5

      e99e011ec073518528360e244690a702

      SHA1

      70b0eb52d73b1e130287893817fa9e685e5da0db

      SHA256

      c22137eba68d634ccdf7f4f9b5b34024d87754e4130c18c34c2ce9068336d9a8

      SHA512

      20efad78ce4c506a1b3781d12ee173fdbb97c4aa0cb8d96462e8d1bf7789495f544221f7585d8e5d6bb8a9af66a486d2b43d9257dde399a905f2e11206ac2712

    • C:\Program Files\ToDesk\zrtc.dll

      Filesize

      49.3MB

      MD5

      fab94e3b080e8d2dfc21b37278f73eb8

      SHA1

      73c55c05f53b9ead97a4a6acd497860efc119ca8

      SHA256

      d3f9c273b420be3ce59a8526d11827009215f559b39291844e3f98d8306c9a69

      SHA512

      41eb4ddb54e2e8d3e21921c06a83aa0e59cd371eaeda0708cea27a1f42e05df6e5b4aa7f8cef4d6c3185ac71e48a405f2e44c972341a9961ab8e06f91ccc0f3a

    • C:\Users\Admin\AppData\Local\Temp\MSI9F3C.tmp

      Filesize

      349KB

      MD5

      8752c01d76bc7b3a38b6acaf5b9c387b

      SHA1

      8c7b2b5ffdf3c46d2e9a5803f3b8ac20533e7778

      SHA256

      344abeb71ddccfdb70786849cca660982fd2ab099dcd74fd0d608a05139c8db1

      SHA512

      5a88de5be489088d8108dc45903e5d8368b53109c45646ab14ffe8fff41d5e3f5d19dc13ee1394dedb494e36f76824424602c8c65c6227741c952c2ffb7f4a0f

    • C:\Users\Admin\AppData\Roaming\Hainan YouQu Technology Co., Ltd\ToDesk 4.8.4.8\install\ToDesk.msi

      Filesize

      1.5MB

      MD5

      fd114784173437f9c5f462c62751fc63

      SHA1

      a34e669da0342deb4c8fcbb27fb07bf604ee2a26

      SHA256

      e7e55be0c02d71e4188782471402557e7bbbaab85cdd95dfd08aa5b16a49f6a2

      SHA512

      086e63466761b326ff1749bffd11a1361c0171a62018e525ae35e7838b15db34b8df32e5abbe5e10f05926eb4ff221531d685c23a84aa4a56d565c178df8b845

    • C:\Windows\Installer\MSI23B8.tmp

      Filesize

      566KB

      MD5

      0e4db22ddc7c96801b65bc13e3a53455

      SHA1

      775da57600792fb18cd0e9626afc53bb2ba07abf

      SHA256

      675f7d999bf17ceedcd799bdf1b2fb02cc560cdc18c0609aa92eca0cd3a98961

      SHA512

      88ddb37880af878eddf7b82c919285dcec6360cea81c3755efeec7d0fb92c4e7ffe96ec654046ec9a4c6f1087d4e95b440b745621921041676bdc170663f3772

    • C:\Windows\Installer\MSI24F1.tmp

      Filesize

      287KB

      MD5

      31a4f044c23a648c306df463302c49b5

      SHA1

      e014c21b4b0f3b054ee3f7b6bbba6b38974ab5da

      SHA256

      e12b2df53c66e4b3c5073682434fee7b1e070794f79e090ccc8fb803487f3a94

      SHA512

      e9d5606325a3e3fb371738bef66566f0491d080a5d6208482543f8729cd194d9dc11e3bc3989c3c19f359d3f34da977022b8a6457b6479ce5c51e3bf091a22fc

    • \Program Files\ToDesk\ToDesk.exe

      Filesize

      48.4MB

      MD5

      85b8e15b90d8bf333f0d49c11db9b1b0

      SHA1

      70ab7088257b0121a8e39dcab2a3846923f62ac0

      SHA256

      a9e56ee892beb3e0be3f2d412a2b4448c5a41b28fe2a15a40798faa119d4025c

      SHA512

      844b924351752992758d881f328176f4329f8f9182ced686e51fa1fe3413b8ea3f507eac031b997b07b8886cb978655443bd6da1c018181f25ca73d4e035f64b

    • \Program Files\ToDesk\Tools\wmicodegen.dll

      Filesize

      9KB

      MD5

      cf23d084f48349158cb8f837a02369bd

      SHA1

      bf2d8cee1ecbf85c29ab1ef4f157eebfb91f79e4

      SHA256

      c9f2fd4ffc334d6e952b04b2d799714d034d6696dcff18c39f7e597ab9279451

      SHA512

      48624f2e085dee127dc3499465ac1500d1daa8759e705af24a6f8dcfc417929a47ef973a62b79065312a2e5cda35819ef81c3fd98e62ea48c4db993943da545e

    • memory/108-128-0x0000000000700000-0x000000000073A000-memory.dmp

      Filesize

      232KB

    • memory/108-162-0x0000000000700000-0x000000000073A000-memory.dmp

      Filesize

      232KB

    • memory/2504-190-0x00000000004D0000-0x000000000050A000-memory.dmp

      Filesize

      232KB

    • memory/2504-189-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

    • memory/2504-188-0x00000000004D0000-0x000000000050A000-memory.dmp

      Filesize

      232KB

    • memory/2504-191-0x00000000004D0000-0x000000000050A000-memory.dmp

      Filesize

      232KB

    • memory/2504-192-0x00000000004D0000-0x000000000050A000-memory.dmp

      Filesize

      232KB

    • memory/2556-179-0x0000000000250000-0x000000000028A000-memory.dmp

      Filesize

      232KB

    • memory/2556-129-0x0000000000080000-0x0000000000082000-memory.dmp

      Filesize

      8KB

    • memory/2556-132-0x00000000000F0000-0x000000000010F000-memory.dmp

      Filesize

      124KB

    • memory/2556-134-0x0000000000250000-0x000000000028A000-memory.dmp

      Filesize

      232KB

    • memory/2556-131-0x0000000000090000-0x0000000000091000-memory.dmp

      Filesize

      4KB

    • memory/2692-216-0x000007FFFFF60000-0x000007FFFFF70000-memory.dmp

      Filesize

      64KB

    • memory/2724-166-0x0000000000180000-0x00000000001BA000-memory.dmp

      Filesize

      232KB

    • memory/2724-167-0x0000000000180000-0x00000000001BA000-memory.dmp

      Filesize

      232KB

    • memory/2724-164-0x0000000000180000-0x00000000001BA000-memory.dmp

      Filesize

      232KB

    • memory/2724-150-0x0000000000180000-0x00000000001BA000-memory.dmp

      Filesize

      232KB

    • memory/2724-152-0x0000000000180000-0x00000000001BA000-memory.dmp

      Filesize

      232KB

    • memory/2724-165-0x0000000000180000-0x00000000001BA000-memory.dmp

      Filesize

      232KB

    • memory/2724-163-0x0000000000020000-0x0000000000021000-memory.dmp

      Filesize

      4KB

    • memory/2884-144-0x0000000000240000-0x000000000027A000-memory.dmp

      Filesize

      232KB

    • memory/2884-151-0x0000000000240000-0x000000000027A000-memory.dmp

      Filesize

      232KB

    • memory/2972-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB

    • memory/2972-30-0x00000000001E0000-0x00000000001E1000-memory.dmp

      Filesize

      4KB