Analysis

  • max time kernel: 135s
  • max time network: 131s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 30-05-2022 17:56

General

  • Target: msvvcs/msvvcs.exe
  • Size: 36KB
  • MD5: 5ad9c956883633298c8e435d90d8394c
  • SHA1: d666343073acf7b97884bff37b2a902a78901b07
  • SHA256: b364c54bb671c0979964e13bf429ba4b128f0d3534d0b9c8de4958f2f37b93d4
  • SHA512: 9def3c08808addcc232aabe6594297ddf25953e3002c44170387fcda942c26e83de87bda509d85dd4bdf6fc741172c0d27789a55efa5c41d171ab9205ba70882

Score: 10/10

Malware Config

Signatures

  • Detects Talisman variant of PlugX (2 IoCs)
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Executes dropped EXE (1 IoCs)
  • Drops file in System32 directory (1 IoCs)
  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS (35 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\msvvcs\msvvcs.exe (PID 276)
    "C:\Users\Admin\AppData\Local\Temp\msvvcs\msvvcs.exe"
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\cmd.exe (PID 1508)
      cmd.exe /c schtasks /create /sc minute /mo 2 /tn "msvvcs" /tr "\"C:\ProgramData\msvvcs\msvvcs.exe\"" /ru "system"
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\schtasks.exe (PID 1608)
        schtasks /create /sc minute /mo 2 /tn "msvvcs" /tr "\"C:\ProgramData\msvvcs\msvvcs.exe\"" /ru "system"
        • Creates scheduled task(s)
  • C:\Windows\system32\taskeng.exe (PID 1804)
    taskeng.exe {22708FF8-7725-41A9-9AE6-88A875DD5C32} S-1-5-18:NT AUTHORITY\System:Service:
    • Suspicious use of WriteProcessMemory
    • C:\ProgramData\msvvcs\msvvcs.exe (PID 1352)
      C:\ProgramData\msvvcs\msvvcs.exe
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053), 1
  • Persistence: Scheduled Task (T1053), 1
  • Privilege Escalation: Scheduled Task (T1053), 1

Downloads

  • C:\ProgramData\msvvcs\msvvcs.dat
    Filesize: 205KB
    MD5: 95056f4bbd695d9b871799748b1da85d
    SHA1: 739e0a4d7e890f7a0e83aa7cd82fb35cf2f8a85c
    SHA256: 683cc375477485a47ceb6940b08b6844f58bd02eed03ad29ab89428bfb38884f
    SHA512: 37285f29cc97b63092e067d7c7b58031f1324c5ee2c57cff55a1345d9b923969d7257eaf2804dafd73c8c43799a16fc0b1dfafef017a637d2115da14572b0af8

  • C:\ProgramData\msvvcs\msvvcs.exe
    Filesize: 36KB
    MD5: 5ad9c956883633298c8e435d90d8394c
    SHA1: d666343073acf7b97884bff37b2a902a78901b07
    SHA256: b364c54bb671c0979964e13bf429ba4b128f0d3534d0b9c8de4958f2f37b93d4
    SHA512: 9def3c08808addcc232aabe6594297ddf25953e3002c44170387fcda942c26e83de87bda509d85dd4bdf6fc741172c0d27789a55efa5c41d171ab9205ba70882

  • memory/276-54-0x0000000010000000-0x0000000010038000-memory.dmp
    Filesize: 224KB
  • memory/276-58-0x0000000075721000-0x0000000075723000-memory.dmp
    Filesize: 8KB
  • memory/276-59-0x0000000000220000-0x0000000000254000-memory.dmp
    Filesize: 208KB
  • memory/1352-63-0x0000000000000000-mapping.dmp
  • memory/1508-60-0x0000000000000000-mapping.dmp
  • memory/1608-61-0x0000000000000000-mapping.dmp