Overview

overview

10

Static

static

8ac0df62c7...0d.exe

windows7_x64

10

8ac0df62c7...0d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    76s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe

  • Size

    340KB

  • MD5

    b2dc23e3ac76194e9ad5aee22b35267f

  • SHA1

    98ab0d3125556c7fd2cc5e1ac95f8e53e1598c2e

  • SHA256

    8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d

  • SHA512

    f4bf84930d6d5ae1da8624be63d3d6cea2b94eda3a09dfc978a3e0556d7e077052bc03ea1195a50f6037a5c36567a8656d519f7f1d6e36482487caf5854cc86d

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX Payload 4 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 55 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe
        "C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\TEMP\check_run_environment.exe
          "C:\Windows\TEMP\check_run_environment.exe" "jhi_service"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1984
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe 201 0
          3⤵
          • Deletes itself
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:680
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\system32\msiexec.exe 209 680
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im check_run_environment.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1816
    • C:\Users\Admin\AppData\Local\Temp\8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe
      "C:\Users\Admin\AppData\Local\Temp\8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:800
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:1972

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMax.dll
      Filesize

      4KB

      MD5

      c62c4b09c8543821e0ff2213c633f5e5

      SHA1

      ff59b219fa140c48536d79a9a73027d4acf40bc9

      SHA256

      5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c

      SHA512

      8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e

      Download Submit
    • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.Config
      Filesize

      212KB

      MD5

      cdbf515d885c303ff2b2c6cf182fa19b

      SHA1

      9bc67dd9f4718f0dd3a995b5a41eac788f8ae76b

      SHA256

      3203294c334b0cc5db4e2bf09fdab1dc9bbcb6f536cef4db5c9ae275c0ac569c

      SHA512

      d8a4c196ff9cf708fe394519b27d4ed1b156b03ab43d1aae11b5ec49c557e9b6332194f74671010ab778beea39db3fcd78b8a98e9e4ed2fcc5360226d1e9f359

      Download Submit
    • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
      Filesize

      4KB

      MD5

      c62c4b09c8543821e0ff2213c633f5e5

      SHA1

      ff59b219fa140c48536d79a9a73027d4acf40bc9

      SHA256

      5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c

      SHA512

      8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.Config
      Filesize

      212KB

      MD5

      cdbf515d885c303ff2b2c6cf182fa19b

      SHA1

      9bc67dd9f4718f0dd3a995b5a41eac788f8ae76b

      SHA256

      3203294c334b0cc5db4e2bf09fdab1dc9bbcb6f536cef4db5c9ae275c0ac569c

      SHA512

      d8a4c196ff9cf708fe394519b27d4ed1b156b03ab43d1aae11b5ec49c557e9b6332194f74671010ab778beea39db3fcd78b8a98e9e4ed2fcc5360226d1e9f359

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • C:\Windows\Temp\check_run_environment.exe
      Filesize

      11KB

      MD5

      6622918d92a44e67175f7aeb3fcb5a05

      SHA1

      0b226563fa229783bea7aa27e28f908967c729e6

      SHA256

      b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

      SHA512

      65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

      Download Submit
    • \ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMax.dll
      Filesize

      4KB

      MD5

      c62c4b09c8543821e0ff2213c633f5e5

      SHA1

      ff59b219fa140c48536d79a9a73027d4acf40bc9

      SHA256

      5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c

      SHA512

      8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
      Filesize

      4KB

      MD5

      c62c4b09c8543821e0ff2213c633f5e5

      SHA1

      ff59b219fa140c48536d79a9a73027d4acf40bc9

      SHA256

      5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c

      SHA512

      8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      Filesize

      60KB

      MD5

      4e3cae0eda4c873b0afdb803ea981a0d

      SHA1

      06ddb2a4a1c4d119efeed10147666afa0c4eda25

      SHA256

      11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

      SHA512

      c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

      Download Submit
    • \Windows\Temp\check_run_environment.exe
      Filesize

      11KB

      MD5

      6622918d92a44e67175f7aeb3fcb5a05

      SHA1

      0b226563fa229783bea7aa27e28f908967c729e6

      SHA256

      b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

      SHA512

      65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

      Download Submit
    • \Windows\Temp\check_run_environment.exe
      Filesize

      11KB

      MD5

      6622918d92a44e67175f7aeb3fcb5a05

      SHA1

      0b226563fa229783bea7aa27e28f908967c729e6

      SHA256

      b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

      SHA512

      65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

      Download Submit
    • memory/680-82-0x0000000000000000-mapping.dmp
      Download
    • memory/680-80-0x00000000000A0000-0x00000000000D2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/680-84-0x0000000000390000-0x00000000003E1000-memory.dmp
      Filesize

      324KB

      Download
    • memory/800-54-0x00000000765F1000-0x00000000765F3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1712-78-0x0000000000830000-0x0000000000881000-memory.dmp
      Filesize

      324KB

      Download
    • memory/1724-87-0x0000000000000000-mapping.dmp
      Download
    • memory/1724-89-0x00000000003B0000-0x0000000000401000-memory.dmp
      Filesize

      324KB

      Download
    • memory/1816-79-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-77-0x0000000000880000-0x00000000008D1000-memory.dmp
      Filesize

      324KB

      Download
    • memory/1972-76-0x0000000000280000-0x00000000002B6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1972-60-0x0000000000000000-mapping.dmp
      Download
    • memory/1984-74-0x0000000000000000-mapping.dmp
      Download