Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 03-01-2025 16:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: 65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe
- Resource: win7-20240729-en
General
- Target: 65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe
- Size: 169KB
- MD5: e6e08021ab723911c125aaa41e9e498c
- SHA1: bc0787835d7324b02da0dd3e285acd90d442b6ab
- SHA256: 65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36
- SHA512: 249e5ed74f74f5269d864839620a1f81e25783e122ee20df0e00c8278a8ddc8652dbadd7538bee3ef1e5ff54f776a6cb111ac7cb696f70049386e0fc5be87b1b
- SSDEEP: 1536:HYNndKj8fKeVPkFJeKT4W+UcTJ0ffzSeXIv1zSBF89HZzQGdTaOL+afoBJlXQp+p:1j8frmdcTOVKpIFG+GdIKoZi+EY9F
Malware Config
Signatures
Detects PlugX payload (21 IoCs)
YARA rule family_plugx matched in the following memory dumps (resource):
- behavioral1/memory/1172-0-0x00000000001C0000-0x00000000001F0000-memory.dmp
- behavioral1/memory/2096-11-0x0000000000100000-0x0000000000130000-memory.dmp
- behavioral1/memory/2972-17-0x0000000000170000-0x00000000001A0000-memory.dmp
- behavioral1/memory/1172-16-0x00000000001C0000-0x00000000001F0000-memory.dmp
- behavioral1/memory/2220-27-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-30-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-45-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-46-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-43-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-41-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-44-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2972-29-0x0000000000170000-0x00000000001A0000-memory.dmp
- behavioral1/memory/2096-47-0x0000000000100000-0x0000000000130000-memory.dmp
- behavioral1/memory/2268-61-0x00000000002A0000-0x00000000002D0000-memory.dmp
- behavioral1/memory/2268-59-0x00000000002A0000-0x00000000002D0000-memory.dmp
- behavioral1/memory/2268-57-0x00000000002A0000-0x00000000002D0000-memory.dmp
- behavioral1/memory/2268-60-0x00000000002A0000-0x00000000002D0000-memory.dmp
- behavioral1/memory/2220-62-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-63-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-64-0x0000000000200000-0x0000000000230000-memory.dmp
- behavioral1/memory/2220-65-0x0000000000200000-0x0000000000230000-memory.dmp
Plugx family
Deletes itself (1 IoC)
- PID 2096, svchost.exe

Executes dropped EXE (1 IoC)
- PID 2972, SxS.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (SxS.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
Modifies data under HKEY_USERS (30 IoCs)
All 30 operations were performed by svchost.exe:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadDecisionTime = 90dc8662005edb01
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadDecision = "0"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDetectedUrl
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDecisionTime = f0cecb8e005edb01
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDecisionTime = 90dc8662005edb01
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDecisionReason = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadNetworkName = "Network 3"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\e6-0f-6b-52-b9-26
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadDecisionTime = f0cecb8e005edb01
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadDecisionReason = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26
Modifies registry class (2 IoCs)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 45004600300042004500440044004100440038004200350035003600450031000000 (svchost.exe)
- Key created \REGISTRY\MACHINE\Software\CLASSES\FAST (svchost.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Hits per process (pid, process, count):
- 2972, SxS.exe: 2
- 2220, svchost.exe: 12
- 2268, msiexec.exe: 50
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
- PID 2220, svchost.exe
- PID 2268, msiexec.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
- Token: SeDebugPrivilege, PID 1172, 65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe
- Token: SeTcbPrivilege, PID 1172, 65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe
- Token: SeDebugPrivilege, PID 2096, svchost.exe
- Token: SeTcbPrivilege, PID 2096, svchost.exe
- Token: SeDebugPrivilege, PID 2972, SxS.exe
- Token: SeTcbPrivilege, PID 2972, SxS.exe
- Token: SeDebugPrivilege, PID 2220, svchost.exe
- Token: SeTcbPrivilege, PID 2220, svchost.exe
- Token: SeDebugPrivilege, PID 2268, msiexec.exe
- Token: SeTcbPrivilege, PID 2268, msiexec.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Write operations grouped by source and target (pid, process, procid_target, count):
- PID 1172 (65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe) wrote to memory of 2096, procid_target 30: 9 writes
- PID 2972 (SxS.exe) wrote to memory of 2220, procid_target 32: 9 writes
- PID 2220 (svchost.exe) wrote to memory of 2268, procid_target 33: 12 writes
Processes
- C:\Users\Admin\AppData\Local\Temp\65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe (PID 1172)
  Command line: "C:\Users\Admin\AppData\Local\Temp\65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\svchost.exe (PID 2096)
    Command line: C:\Windows\system32\svchost.exe 100 1172
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\NVIDIASmart\SxS.exe (PID 2972)
  Command line: "C:\ProgramData\NVIDIASmart\SxS.exe" 200 0
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\svchost.exe (PID 2220)
    Command line: C:\Windows\system32\svchost.exe 201 0
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Child: C:\Windows\SysWOW64\msiexec.exe (PID 2268)
      Command line: C:\Windows\system32\msiexec.exe 209 2220
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 169KB
- MD5: e6e08021ab723911c125aaa41e9e498c
- SHA1: bc0787835d7324b02da0dd3e285acd90d442b6ab
- SHA256: 65f75ee79e0e4dd7a199eadfc5ccc337eb4a830d064ec9e4c66b63297d8bca36
- SHA512: 249e5ed74f74f5269d864839620a1f81e25783e122ee20df0e00c8278a8ddc8652dbadd7538bee3ef1e5ff54f776a6cb111ac7cb696f70049386e0fc5be87b1b