Overview

overview

10

Static

static

4b71451551...01.exe

windows7_x64

10

4b71451551...01.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 00:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe

  • Size

    263KB

  • MD5

    582fb65add01ce95d827b96006a3ff42

  • SHA1

    d8931a791f8ef3d4015aec2bffa47808e28877b5

  • SHA256

    4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01

  • SHA512

    6e2194abfba98c6723040b9d4e801a8d4e75cc8449d408638fa80edfa11865cad9d01b768c21919ed863f3e7f97d258930ccbbf6acbc0e65c730ead79f5c7141

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX Payload 5 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe
    "C:\Users\Admin\AppData\Local\Temp\4b71451551fc49cb793675c1333df2023a2b0dfd67976a5ebe52600524794f01.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4564
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 100 4564
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:4476
  • C:\ProgramData\SxS\Nv.exe
    "C:\ProgramData\SxS\Nv.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:488
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 488
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\ProgramData\SxS\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\ProgramData\SxS\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\ProgramData\SxS\Nv.mp3
    Filesize

    120KB

    MD5

    e1e6d954482a108020c8e471bd0790e4

    SHA1

    138def3945437e9d81902f00b1119795140ae8bf

    SHA256

    9f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954

    SHA512

    7573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5

    Download Submit

  • C:\ProgramData\SxS\NvSmartMax.dll
    Filesize

    41KB

    MD5

    92b5a067fc1866b933eade6ebd4e1564

    SHA1

    91c38bb2d1993dde1068550e42580c4d2993a5c1

    SHA256

    632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

    SHA512

    3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

    Download Submit

  • C:\ProgramData\SxS\NvSmartMax.dll
    Filesize

    41KB

    MD5

    92b5a067fc1866b933eade6ebd4e1564

    SHA1

    91c38bb2d1993dde1068550e42580c4d2993a5c1

    SHA256

    632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

    SHA512

    3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

    Download Submit

  • C:\ProgramData\SxS\NvSmartMax.dll
    Filesize

    41KB

    MD5

    92b5a067fc1866b933eade6ebd4e1564

    SHA1

    91c38bb2d1993dde1068550e42580c4d2993a5c1

    SHA256

    632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

    SHA512

    3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    622B

    MD5

    ffaabfc118251d40d6ce604accba1287

    SHA1

    68236c9e83665730a033e5daaff096294b382a7c

    SHA256

    700c6e09ac4e09fad5c1adaa2416dbdba0ff276e9944cda447e529276e6c838b

    SHA512

    b7216388b4443c7561f6700b9606fa52261ef196cf1514603b11e50c648d6da19177667e54047df94ea229c245021c0ede331574590717566fe80655b5da5605

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.mp3
    Filesize

    120KB

    MD5

    e1e6d954482a108020c8e471bd0790e4

    SHA1

    138def3945437e9d81902f00b1119795140ae8bf

    SHA256

    9f5663bdcd5217b16597a53c763359c63d867202df572f23493d54a1c082c954

    SHA512

    7573eba59791c978c45e5af1abd70c3a7d454e6fe1de9962f737679e8ddf5e9694d548bb8f0bbc4ffc236921a984f97bc1d11b0b0f239b25bb4253f88e2862e5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    41KB

    MD5

    92b5a067fc1866b933eade6ebd4e1564

    SHA1

    91c38bb2d1993dde1068550e42580c4d2993a5c1

    SHA256

    632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

    SHA512

    3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    41KB

    MD5

    92b5a067fc1866b933eade6ebd4e1564

    SHA1

    91c38bb2d1993dde1068550e42580c4d2993a5c1

    SHA256

    632341931e3fe5eb85693c088bc3aaefffe9e5a64131af8fd214e66b247079c6

    SHA512

    3f7e2a85db7503196ceb84605758caef87162d8935be0c909afcd45b388605ca85c76e9b134b08e158f8cfaf23b65d27969fa907ba7aeeecc988ac94cb0bb691

    Download Submit

  • memory/488-151-0x0000000000ED0000-0x0000000000F00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4476-150-0x00000000006E0000-0x0000000000710000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4564-137-0x0000000001FA0000-0x0000000001FD0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4564-136-0x0000000002110000-0x0000000002210000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4580-148-0x0000000000E40000-0x0000000000E70000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4760-153-0x0000000000750000-0x0000000000780000-memory.dmp

    Filesize

    192KB

    Download