Overview

overview

10

Static

static

2a8d18a59c...f6.exe

windows7_x64

10

2a8d18a59c...f6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-06-2022 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe

  • Size

    248KB

  • MD5

    cc7b091b94c4f0641b180417b017fec2

  • SHA1

    17c59c9bdc7ac4ef8abdca087fdfeefef816f597

  • SHA256

    2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6

  • SHA512

    5c5106833eec8cc386171ff519be0af91493305af9fd2bb632ef19907b88c1633bc7a1b30b068659db3fc8d378b918363c5d8c79064600e4b5f1a83cf93b2461

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX Payload 7 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe
    "C:\Users\Admin\AppData\Local\Temp\2a8d18a59cd648637deb830079b460008d81411681f0eb41dc327c3f447326f6.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2124
  • C:\Program Files (x86)\Common Files\NvSmart.exe
    "C:\Program Files (x86)\Common Files\NvSmart.exe" 100 2124
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1632
  • C:\Program Files (x86)\Common Files\NvSmart.exe
    "C:\Program Files (x86)\Common Files\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2364
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\Program Files (x86)\Common Files\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\Program Files (x86)\Common Files\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    3KB

    MD5

    44b4d9c4782f883fa8c0a1da3ff6a07e

    SHA1

    275237d091bb2e363ca93f4f06de5046f7373362

    SHA256

    69c58341551bd76578085b961f01cac3607d9c16b3f9d23f90862b6d0328eeab

    SHA512

    267a11c1bcdd97e4cd8dffb45f935c6de07008485522ac1af5130bebdbebb496ede792b9e1ee6799c53b3778157d1f08c2713e4f1f0d6c1a7fb9ac3b84dceed4

    Download Submit
  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    3KB

    MD5

    44b4d9c4782f883fa8c0a1da3ff6a07e

    SHA1

    275237d091bb2e363ca93f4f06de5046f7373362

    SHA256

    69c58341551bd76578085b961f01cac3607d9c16b3f9d23f90862b6d0328eeab

    SHA512

    267a11c1bcdd97e4cd8dffb45f935c6de07008485522ac1af5130bebdbebb496ede792b9e1ee6799c53b3778157d1f08c2713e4f1f0d6c1a7fb9ac3b84dceed4

    Download Submit
  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    3KB

    MD5

    44b4d9c4782f883fa8c0a1da3ff6a07e

    SHA1

    275237d091bb2e363ca93f4f06de5046f7373362

    SHA256

    69c58341551bd76578085b961f01cac3607d9c16b3f9d23f90862b6d0328eeab

    SHA512

    267a11c1bcdd97e4cd8dffb45f935c6de07008485522ac1af5130bebdbebb496ede792b9e1ee6799c53b3778157d1f08c2713e4f1f0d6c1a7fb9ac3b84dceed4

    Download Submit
  • C:\Program Files (x86)\Common Files\boot.ldr
    Filesize

    155KB

    MD5

    d0f2dc03884bea2697f1ce65453c82d6

    SHA1

    d37de393c9b5d90ce3a1c4c751fee64360599b2f

    SHA256

    0ac3176b7bb40140e593feda97e9ed8bbf420daeaa6043151dbaacddf503b52a

    SHA512

    cad8a52baaa5a4032515aa3c34a2c528d76d09d1f8fb81b3a100f47a80cbdc381158766723f09c33f4974009a211512ab4cc103c423e61b683ba8454330edd50

    Download Submit
  • C:\ProgramData\SxS\bug.log
    Filesize

    622B

    MD5

    f1a57daef261ba417accebcb81a2c3f5

    SHA1

    f45b5d95dd80ce307aafaf06420ed09306acc952

    SHA256

    d3546ed7c8e98d833e2e3153d5cbe3f6f5b585e928ff5cdb39d63ff6ce8716aa

    SHA512

    115b6dc3ca569663210b90e1547cdc72abccc8ac42bec0608602f149a028b7273630445fd494a882e4cc8cf25f4033bdcb98454f816a814863a580e0525c0357

    Download Submit
  • memory/1632-136-0x0000000002010000-0x0000000002110000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1632-144-0x0000000002180000-0x00000000021B8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2124-130-0x00000000005A0000-0x00000000005C7000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2124-143-0x0000000000750000-0x0000000000788000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2364-140-0x0000000000000000-mapping.dmp
    Download
  • memory/2364-145-0x0000000000E00000-0x0000000000E38000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2364-148-0x0000000000E00000-0x0000000000E38000-memory.dmp
    Filesize

    224KB

    Download
  • memory/3480-146-0x0000000000000000-mapping.dmp
    Download
  • memory/3480-147-0x0000000000870000-0x00000000008A8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/3480-149-0x0000000000870000-0x00000000008A8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/4528-141-0x0000000000E70000-0x0000000000EA8000-memory.dmp
    Filesize

    224KB

    Download