Overview

overview

10

Static

static

5F9F8AC1F7...D_.doc

windows7_x64

4

5F9F8AC1F7...D_.doc

windows10-2004_x64

1

6B97B3CD2F...et.exe

windows7_x64

1

6B97B3CD2F...et.exe

windows10-2004_x64

1

901FA02FFD...ar.dll

windows7_x64

1

901FA02FFD...ar.dll

windows10-2004_x64

1

C116CD0832..._2.exe

windows7_x64

10

C116CD0832..._2.exe

windows10-2004_x64

10

PlugX_3C74...20.dll

windows7_x64

10

PlugX_3C74...20.dll

windows10-2004_x64

10

originalfi...ae.rtf

windows7_x64

4

originalfi...ae.rtf

windows10-2004_x64

1

Analysis

  • max time kernel
    180s
  • max time network
    269s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    28-05-2022 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    originalfile/PlugX_RTF_dropper_42fba80f105aa53dfbf50aeba2d73cae.rtf

  • Size

    507KB

  • MD5

    42fba80f105aa53dfbf50aeba2d73cae

  • SHA1

    a49b135a66afba5713936d4758ca5d40f19b9e71

  • SHA256

    ac7d02465d0b1992809e16aaae2cd779470a99e0860c4d8a2785d97ce988667b

  • SHA512

    b42b529585da21bae4d36fb1e9b5f2471e77d87505db91f8859068816d355fdd8b4aaaa922512a8a39259b247b9aeaeba92cfb0ab5140122f83dd163b8ed00cf

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\originalfile\PlugX_RTF_dropper_42fba80f105aa53dfbf50aeba2d73cae.rtf" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:4872

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4720-130-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-131-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-132-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-133-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-134-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-135-0x00007FFE32930000-0x00007FFE32940000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-136-0x00007FFE32930000-0x00007FFE32940000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-139-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-140-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-141-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4720-142-0x00007FFE34990000-0x00007FFE349A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4872-137-0x0000000000000000-mapping.dmp
      Download