Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 00:42

General

  • Target

    8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe

  • Size

    340KB

  • MD5

    b2dc23e3ac76194e9ad5aee22b35267f

  • SHA1

    98ab0d3125556c7fd2cc5e1ac95f8e53e1598c2e

  • SHA256

    8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d

  • SHA512

    f4bf84930d6d5ae1da8624be63d3d6cea2b94eda3a09dfc978a3e0556d7e077052bc03ea1195a50f6037a5c36567a8656d519f7f1d6e36482487caf5854cc86d

Score
10/10

Malware Config

Signatures

  • Detects PlugX Payload 4 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 22 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe
    "C:\Users\Admin\AppData\Local\Temp\8ac0df62c7312e542490a309a0c2479c1fb24f5ebc2ed9cf907e7e782602490d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:3608
  • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe
    "C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Windows\TEMP\check_run_environment.exe
      "C:\Windows\TEMP\check_run_environment.exe" "jhi_service"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im check_run_environment.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5112
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2320
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2416

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMax.dll
    Filesize

    4KB

    MD5

    c62c4b09c8543821e0ff2213c633f5e5

    SHA1

    ff59b219fa140c48536d79a9a73027d4acf40bc9

    SHA256

    5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c

    SHA512

    8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e

  • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.Config
    Filesize

    212KB

    MD5

    cdbf515d885c303ff2b2c6cf182fa19b

    SHA1

    9bc67dd9f4718f0dd3a995b5a41eac788f8ae76b

    SHA256

    3203294c334b0cc5db4e2bf09fdab1dc9bbcb6f536cef4db5c9ae275c0ac569c

    SHA512

    d8a4c196ff9cf708fe394519b27d4ed1b156b03ab43d1aae11b5ec49c557e9b6332194f74671010ab778beea39db3fcd78b8a98e9e4ed2fcc5360226d1e9f359

  • C:\ProgramData\Intel\Intel(R) Management Engine Components\NvSmartMaxAPP.exe
    Filesize

    60KB

    MD5

    4e3cae0eda4c873b0afdb803ea981a0d

    SHA1

    06ddb2a4a1c4d119efeed10147666afa0c4eda25

    SHA256

    11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

    SHA512

    c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    4KB

    MD5

    c62c4b09c8543821e0ff2213c633f5e5

    SHA1

    ff59b219fa140c48536d79a9a73027d4acf40bc9

    SHA256

    5afa8e6c54f264eb87c75e3c2a5b9b192fca608cb4b0ebeaf5c92a384c1e135c

    SHA512

    8e7ec29bbc3ed496821fa1ff4e95360b2ec33e093a74ed9021329d0f018cd07153e44a644b45674e808d04ad8b71bc4d75ff9cb34f9231f07fd0dadd0cb86c4e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.Config
    Filesize

    212KB

    MD5

    cdbf515d885c303ff2b2c6cf182fa19b

    SHA1

    9bc67dd9f4718f0dd3a995b5a41eac788f8ae76b

    SHA256

    3203294c334b0cc5db4e2bf09fdab1dc9bbcb6f536cef4db5c9ae275c0ac569c

    SHA512

    d8a4c196ff9cf708fe394519b27d4ed1b156b03ab43d1aae11b5ec49c557e9b6332194f74671010ab778beea39db3fcd78b8a98e9e4ed2fcc5360226d1e9f359

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMaxAPP.exe
    Filesize

    60KB

    MD5

    4e3cae0eda4c873b0afdb803ea981a0d

    SHA1

    06ddb2a4a1c4d119efeed10147666afa0c4eda25

    SHA256

    11a57102b1a3cee266b9ea7390c5fd8dc218f1842c6c8c428a60b8fa2a26ed4e

    SHA512

    c8fba7cf63b8f127ebe622d58f3c66d4a35fb391ff32beb8c11a59bf71cae4f26af4b9426617aacc4ab502e741cffdb930f50a2c03860f24240da96fb3c10431

  • C:\Windows\TEMP\check_run_environment.exe
    Filesize

    11KB

    MD5

    6622918d92a44e67175f7aeb3fcb5a05

    SHA1

    0b226563fa229783bea7aa27e28f908967c729e6

    SHA256

    b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

    SHA512

    65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

  • C:\Windows\Temp\check_run_environment.exe
    Filesize

    11KB

    MD5

    6622918d92a44e67175f7aeb3fcb5a05

    SHA1

    0b226563fa229783bea7aa27e28f908967c729e6

    SHA256

    b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

    SHA512

    65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

  • memory/2320-150-0x00000000012D0000-0x0000000001321000-memory.dmp
    Filesize

    324KB

  • memory/2320-149-0x0000000000000000-mapping.dmp
  • memory/2416-152-0x0000000002EC0000-0x0000000002F11000-memory.dmp
    Filesize

    324KB

  • memory/2416-151-0x0000000000000000-mapping.dmp
  • memory/3608-140-0x0000000000CD0000-0x0000000000D06000-memory.dmp
    Filesize

    216KB

  • memory/3608-144-0x00000000028B0000-0x0000000002901000-memory.dmp
    Filesize

    324KB

  • memory/3608-130-0x0000000000000000-mapping.dmp
  • memory/4252-145-0x0000000000000000-mapping.dmp
  • memory/4968-142-0x00000000016B0000-0x00000000016E6000-memory.dmp
    Filesize

    216KB

  • memory/4968-143-0x00000000017A0000-0x00000000017F1000-memory.dmp
    Filesize

    324KB

  • memory/5112-148-0x0000000000000000-mapping.dmp