Analysis Overview
SHA256
6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953
Threat Level: Known bad
The file 6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953 was found to be: Known bad.
Malicious Activity Summary
PlugX Rat Payload
PlugX
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-29 08:31
Signatures
NSIS installer
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-29 08:31
Reported
2022-03-29 08:34
Platform
win10v2004-en-20220113
Max time kernel
35s
Max time network
143s
Command Line
Signatures
PlugX
PlugX Rat Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Routes\Routes.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Routes = "C:\\Users\\Admin\\AppData\\Roaming\\Routes\\Routes.exe --oVWJq23b" | C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5100 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe | C:\Users\Admin\AppData\Roaming\Routes\Routes.exe |
| PID 5100 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe | C:\Users\Admin\AppData\Roaming\Routes\Routes.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe
"C:\Users\Admin\AppData\Local\Temp\6dbe565349ee5e8e2acc827ba34d82dd76e37f819dc9618902906ecd9d43d953.exe"
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
"C:\Users\Admin\AppData\Roaming\Routes\Routes.exe" "--oVWJq23b"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| NL | 142.250.179.206:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | paybiz.herokuapp.com | udp |
| US | 54.224.34.30:443 | paybiz.herokuapp.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\System.dll
| MD5 | fbe295e5a1acfbd0a6271898f885fe6a |
| SHA1 | d6d205922e61635472efb13c2bb92c9ac6cb96da |
| SHA256 | a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1 |
| SHA512 | 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06 |
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
C:\Users\Admin\AppData\Local\Temp\nsx6ADF.tmp\NsisCrypt.dll
| MD5 | a3e9024e53c55893b1e4f62a2bd93ca8 |
| SHA1 | aa289e93d68bd15bfcdec3bb00cf1ef930074a1e |
| SHA256 | 7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad |
| SHA512 | a124cf63e9db33de10fda6ba0c78cbb366d9cc7ef26f90031dba03c111dfdcd4a9bd378e1075211fd12e63da2beffa973f8c3f5b283be5debb06e820aa02750b |
C:\Users\Admin\AppData\Roaming\Routes\Routes.exe
| MD5 | 21d576908f453edf021aa530e722b326 |
| SHA1 | d88d7ff3db017b86dc0c97120718c9672e12f2da |
| SHA256 | d7e1e0f54ba52510489aaa75b005bc80412989288075f28532229b33fdeb2980 |
| SHA512 | 5ec7431b87c85d1e5c514ef0f9725fe4bb166d2dcc052f25808a95645c453b4ab3c39745ec396af66c2b84c85bd64c3ef0088aa629010e482f1d7b015951c47e |
C:\Users\Admin\AppData\Roaming\Routes\nw_elf.dll
| MD5 | 493a0d17daaa2f1a0c2e5723ed748e05 |
| SHA1 | 316f77ac6e8aea60e76ebd4bbbe4ff5c65a59ae4 |
| SHA256 | a0f65b98cf5425335345c736fd026d5cf8984283e402dc746092c1edd7f4ebd7 |
| SHA512 | 7c87e1cf803dbe785f58be5f633c19e00d0c61f3a7759e5da3a90cc5e97165d833866872c50a0a52e42b80056a98e1020d02cd6c8f81efe4e76452f20a139f84 |
C:\Users\Admin\AppData\Roaming\Routes\nw.dll
| MD5 | 1f05c1781050415f90f28bc960f69a7b |
| SHA1 | 3f148269bd26e5b598cbfe4aa50139e67747b282 |
| SHA256 | 39b11a34a235038b943b043de6dd8ca1d16182f934cff74cd7b2967ae8c7bb19 |
| SHA512 | 64169f010c9e42c4dba068d5f2da762537cb2094483a55c6de2a304d0dbbff5462ff40afd889571227b8844256999dfb4277d4029b2292d22347641b27ff78dd |
memory/1852-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Routes\ffmpeg.dll
| MD5 | 0644850e99415a97cab58768d748882a |
| SHA1 | cb499d7e6e63c0486cfdafa7ffe1b8a2335e1f6a |
| SHA256 | 935fcb56f2451633061a0418b8f65d966de2d2688788eac1ca8419ae5c5752c0 |
| SHA512 | 88241c79023583c5baa1f931f14286c25ae583552ab2e881f4ed5c1208679ac11d98c9d4452525289db9ecae4aa663819ce7a923094d5d872bd4a0b2f79ac448 |