Malware Analysis Report

2024-10-19 02:31

Sample ID 220519-ephmesahc7
Target d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e
SHA256 d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e
Tags
plugx trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e

Threat Level: Known bad

The file d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects Talisman variant of PlugX

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-19 04:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-19 04:06

Reported

2022-05-19 04:09

Platform

win7-20220414-en

Max time kernel

115s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe"

Signatures

Detects Talisman variant of PlugX

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Wscript.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe C:\Windows\SysWOW64\Wscript.exe
PID 748 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe C:\Windows\SysWOW64\Wscript.exe
PID 748 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe C:\Windows\SysWOW64\Wscript.exe
PID 748 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe C:\Windows\SysWOW64\Wscript.exe
PID 1612 wrote to memory of 1104 N/A C:\Windows\SysWOW64\Wscript.exe C:\Users\Admin\AppData\Local\Temp\msiexece.exe
PID 1612 wrote to memory of 1104 N/A C:\Windows\SysWOW64\Wscript.exe C:\Users\Admin\AppData\Local\Temp\msiexece.exe
PID 1612 wrote to memory of 1104 N/A C:\Windows\SysWOW64\Wscript.exe C:\Users\Admin\AppData\Local\Temp\msiexece.exe
PID 1612 wrote to memory of 1104 N/A C:\Windows\SysWOW64\Wscript.exe C:\Users\Admin\AppData\Local\Temp\msiexece.exe
PID 1104 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1464 wrote to memory of 544 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 544 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 544 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe
PID 1464 wrote to memory of 544 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe
PID 1104 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\msiexece.exe \??\c:\windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 1328 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1328 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1328 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe
PID 1004 wrote to memory of 1328 N/A \??\c:\windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe

"C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe"

C:\Windows\SysWOW64\Wscript.exe

Wscript.exe msiexece.vbs "C:\Users\Admin\AppData\Local\Temp\d94f7339adc602aa67859fe8532cc87cc6f131af885ad678795490b1cf98fc8e.exe" msiexece.exe TmDbgLog.dll TmDbgLog.dll.html

C:\Users\Admin\AppData\Local\Temp\msiexece.exe

"C:\Users\Admin\AppData\Local\Temp\msiexece.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x144

\??\c:\windows\SysWOW64\cmd.exe

c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /delete /tn "msvvcss" /F

\??\c:\windows\SysWOW64\schtasks.exe

c:\windows\system32\schtasks.exe /delete /tn "msvvcss" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\msiexece.exe >> NUL

\??\c:\windows\SysWOW64\cmd.exe

c:\windows\system32\cmd.exe /c c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "msvvcss" /tr "\"C:\ProgramData\msiexece.exe\"" /ru "system"

\??\c:\windows\SysWOW64\schtasks.exe

c:\windows\system32\schtasks.exe /create /sc minute /mo 2 /tn "msvvcss" /tr "\"C:\ProgramData\msiexece.exe\"" /ru "system"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

memory/1612-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\msiexece.vbs

MD5 32728f66e363230d40416ab546a35302
SHA1 0ea80036ebfc245002e0cbe88a1d30404595d87c
SHA256 bae4131ff753c0d5c015c863c8af26669f274ab45a1b55e50778c03981040cb9
SHA512 0a7da994276397942b1e5a3d28b7234eb366cb5af1478eee7bea53d3f7762711b77113fdc1c23ec1d92c8ca0050803e6dbfbc93005671f5449bf4cc7304dbc8c

memory/1612-56-0x00000000763E1000-0x00000000763E3000-memory.dmp

\Users\Admin\AppData\Local\Temp\msiexece.exe

MD5 86452f7f72e219adee8a21e9b512c090
SHA1 449497e2f7a247a236b4c22ff0cf71c4e7396bc9
SHA256 4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef
SHA512 063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

memory/1104-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\msiexece.exe

MD5 86452f7f72e219adee8a21e9b512c090
SHA1 449497e2f7a247a236b4c22ff0cf71c4e7396bc9
SHA256 4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef
SHA512 063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

C:\Users\Admin\AppData\Local\Temp\TmDbgLog.dll

MD5 c14bcdab18670eff2fa21445fe98ecf7
SHA1 8a6d58bc3809a2482075f6c768cb35e44e0bf36c
SHA256 e69f34005da6a59d437d2076233c3c0b4de42e3959a821498a5fc4303db6ed63
SHA512 926eea98fdb38d2bad6c18b96c556ec4de91cf83cfc84c18db784a3882c87fa41222a159e2306e1538dff234e010e2930001ee37bfaea7b916666da93704164b

\Users\Admin\AppData\Local\Temp\TmDbgLog.dll

MD5 c14bcdab18670eff2fa21445fe98ecf7
SHA1 8a6d58bc3809a2482075f6c768cb35e44e0bf36c
SHA256 e69f34005da6a59d437d2076233c3c0b4de42e3959a821498a5fc4303db6ed63
SHA512 926eea98fdb38d2bad6c18b96c556ec4de91cf83cfc84c18db784a3882c87fa41222a159e2306e1538dff234e010e2930001ee37bfaea7b916666da93704164b

C:\Users\Admin\AppData\Local\Temp\TmDbgLog.dll.html

MD5 4e6d4ba0f6a23939592039bdfc804248
SHA1 14cb62db5d0861c9a0b0f091546a068df0cde0a6
SHA256 c02aed5f18961634b9e63d8c9c30feeab7c828632262c943a123ad8e2a271a0d
SHA512 51a46e9702b3d90e82e6eb3cae44c171fd89258978656404c9955f8ddee224e37b8ec7beab824ca4268d5f0d0bef434e0fc9fb5c6eadbaabcd0559a6fcf94165

memory/1104-64-0x00000000000F0000-0x0000000000118000-memory.dmp

memory/2040-65-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

memory/1464-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\msiexece.exe

MD5 86452f7f72e219adee8a21e9b512c090
SHA1 449497e2f7a247a236b4c22ff0cf71c4e7396bc9
SHA256 4ae061506627e7e7416d8f1e59161188106abe345606108143e773e9a82c8eef
SHA512 063f538d4cf1bf3c217271326e54c29c9f7e293489c236d721cc2f250a155ddabaf87fdc3b0a1bb352c2ccabbcac000275b0ced0938b497e9d214905809b4ac8

memory/544-68-0x0000000000000000-mapping.dmp

memory/588-69-0x0000000000000000-mapping.dmp

memory/1004-70-0x0000000000000000-mapping.dmp

memory/1104-71-0x0000000000390000-0x00000000003D1000-memory.dmp

memory/1328-72-0x0000000000000000-mapping.dmp