Malware Analysis Report

2024-10-19 02:31

Sample ID 220407-hex6xacgb2
Target 7277576120.zip
SHA256 bca49713355aa5e4b14255f7f19e33dba2a0c5d81328e0c3726268ce362015ee
Tags: plugx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

bca49713355aa5e4b14255f7f19e33dba2a0c5d81328e0c3726268ce362015ee

Threat Level: Known bad

The file 7277576120.zip was found to be: Known bad.

Malicious Activity Summary

plugx

PlugX Rat Payload

Plugx family

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-04-07 06:39

Signatures

PlugX Rat Payload

Description Indicator Process Target
N/A N/A N/A N/A

Plugx family

plugx

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-07 06:39

Reported

2022-04-07 06:42

Platform

win7-20220331-en

Max time kernel

36s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cf78a6d0244c33a14905f91f9912e2c7255c3247313456ca4eec93a7839abbd.dll,#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 1420 (7 identical events logged) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cf78a6d0244c33a14905f91f9912e2c7255c3247313456ca4eec93a7839abbd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cf78a6d0244c33a14905f91f9912e2c7255c3247313456ca4eec93a7839abbd.dll,#1

Network

N/A

Files

memory/1420-54-0x0000000000000000-mapping.dmp

memory/1420-55-0x0000000076A51000-0x0000000076A53000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-07 06:39

Reported

2022-04-07 06:42

Platform

win10v2004-20220331-en

Max time kernel

124s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cf78a6d0244c33a14905f91f9912e2c7255c3247313456ca4eec93a7839abbd.dll,#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2300 (3 identical events logged) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cf78a6d0244c33a14905f91f9912e2c7255c3247313456ca4eec93a7839abbd.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cf78a6d0244c33a14905f91f9912e2c7255c3247313456ca4eec93a7839abbd.dll,#1

Network

Country Destination Domain Proto
FI 62.115.252.112:80 N/A tcp
NL 87.248.202.1:80 N/A tcp
US 52.168.117.169:443 N/A tcp
FI 62.115.252.81:80 N/A tcp (3 identical connections logged)
US 8.252.51.126:24951 ctldl.windowsupdate.com tcp
US 8.252.51.126:39117 ctldl.windowsupdate.com tcp
US 8.252.51.126:10536 ctldl.windowsupdate.com tcp

Files

memory/2300-124-0x0000000000000000-mapping.dmp