Analysis
-
max time kernel
4294128s -
max time network
68s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
29-03-2022 08:17
General
-
Target
8bd9d.exe
-
Size
133KB
-
MD5
99ee1e21a34b0536b120d4a6977fd252
-
SHA1
24c50b507febd6e2b81154d3d80401dd9207e3e1
-
SHA256
8bd9dfcfd59b0e2073caf8c0fc8740a01f8c7eabb6239a9b714d3b41a3793b95
-
SHA512
03cafd628d19cda98db021fb009500105906617ab414c9ba6087c693cacdb36159d1973d21af2b275da136dbb10157f97c243ca1ae7ea198ae99d74427e26408
Malware Config
Signatures
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
PlugX Rat Payload 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bd9d.exe"C:\Users\Admin\AppData\Local\Temp\8bd9d.exe"1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 100 19562⤵
- Deletes itself
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Packages\vcredist_x64.exe"C:\ProgramData\Packages\vcredist_x64.exe" 200 01⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe 201 02⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 632 13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Packages\vcredist_x64.exeFilesize
133KB
MD599ee1e21a34b0536b120d4a6977fd252
SHA124c50b507febd6e2b81154d3d80401dd9207e3e1
SHA2568bd9dfcfd59b0e2073caf8c0fc8740a01f8c7eabb6239a9b714d3b41a3793b95
SHA51203cafd628d19cda98db021fb009500105906617ab414c9ba6087c693cacdb36159d1973d21af2b275da136dbb10157f97c243ca1ae7ea198ae99d74427e26408
-
memory/536-80-0x00000000002C0000-0x00000000002EE000-memory.dmpFilesize
184KB
-
memory/536-69-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/580-58-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/580-61-0x00000000000F0000-0x000000000010C000-memory.dmpFilesize
112KB
-
memory/580-64-0x0000000000000000-mapping.dmp
-
memory/580-81-0x0000000000210000-0x000000000023E000-memory.dmpFilesize
184KB
-
memory/632-78-0x0000000000000000-mapping.dmp
-
memory/632-82-0x00000000003D0000-0x00000000003FE000-memory.dmpFilesize
184KB
-
memory/1180-89-0x0000000000000000-mapping.dmp
-
memory/1180-91-0x0000000000810000-0x000000000083E000-memory.dmpFilesize
184KB
-
memory/1956-54-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB
-
memory/1956-66-0x00000000003C0000-0x00000000003EE000-memory.dmpFilesize
184KB
-
memory/1956-57-0x0000000074F31000-0x0000000074F33000-memory.dmpFilesize
8KB
-
memory/1956-56-0x0000000000350000-0x000000000036D000-memory.dmpFilesize
116KB
-
memory/1956-55-0x0000000000400000-0x0000000000473000-memory.dmpFilesize
460KB