Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
16-06-2022 08:55
General
-
Target
264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf.dll
-
Size
381KB
-
MD5
b17b80898eedfe9d51ac5f8da1b55a08
-
SHA1
1227c764f46482f5e30e5a53433f45cb1a7eabdb
-
SHA256
264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf
-
SHA512
e5afaf0e885efaf44d391bc63c46d97611af1119f5979f0f06ae109afe042af91944cdbd49ed6c84069f262ee8a5882d2450b1fcd929c6b61714665472192750
Malware Config
Signatures
-
Detects PlugX Payload 9 IoCs
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
suricata: ET MALWARE PlugX CnC Beacon
suricata: ET MALWARE PlugX CnC Beacon
-
suricata: ET MALWARE PlugX/Destory HTTP traffic
suricata: ET MALWARE PlugX/Destory HTTP traffic
-
suricata: ET MALWARE Possible PlugX Common Header Struct
suricata: ET MALWARE Possible PlugX Common Header Struct
-
suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2
suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 4 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 33 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf.dll,#12⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exeC:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Google\ktmhelp.exe"C:\Program Files (x86)\Common Files\Google\ktmhelp.exe" 100 20441⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Common Files\Google\ktmhelp.exe"C:\Program Files (x86)\Common Files\Google\ktmhelp.exe" 200 01⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\system32\dllhost.exe 201 02⤵
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exeC:\Windows\system32\msiexec.exe 209 16843⤵
- Blocklisted process makes network request
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Common Files\Google\RoboForm.DLLFilesize
74KB
MD5ee1887696c8445caaaad13bdb39d5dba
SHA1bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA2562e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA51294ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db
-
C:\Program Files (x86)\Common Files\Google\ktmhelp.exeFilesize
96KB
MD50ba73a0db3913ba14be521f82c1b2c6c
SHA115920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA51251472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a
-
C:\Program Files (x86)\Common Files\Google\ktmhelp.exeFilesize
96KB
MD50ba73a0db3913ba14be521f82c1b2c6c
SHA115920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA51251472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a
-
C:\Program Files (x86)\Common Files\Google\update.logFilesize
115KB
MD5fc34d2fd567e8d1815d8d67cbbb4b32e
SHA10e83054a19f683ccea20b6ee48726030ef550b36
SHA25659ac056c4174c3065b8ca01ebcbb8b4c0c93b0a4f2f16de75de89865915bd6d8
SHA512f968bebfd09bbba63480ae1c84fe77dce8890d447d211fbfa54ab61933ff75ed79a18088d3835888061dbe7c154d435ecb1ef5d881cc3d9c097b71475bf37257
-
C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLLFilesize
74KB
MD5ee1887696c8445caaaad13bdb39d5dba
SHA1bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA2562e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA51294ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db
-
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exeFilesize
96KB
MD50ba73a0db3913ba14be521f82c1b2c6c
SHA115920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA51251472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a
-
C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exeFilesize
96KB
MD50ba73a0db3913ba14be521f82c1b2c6c
SHA115920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA51251472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a
-
C:\Users\Admin\AppData\Local\Temp\OUT\update.logFilesize
115KB
MD5fc34d2fd567e8d1815d8d67cbbb4b32e
SHA10e83054a19f683ccea20b6ee48726030ef550b36
SHA25659ac056c4174c3065b8ca01ebcbb8b4c0c93b0a4f2f16de75de89865915bd6d8
SHA512f968bebfd09bbba63480ae1c84fe77dce8890d447d211fbfa54ab61933ff75ed79a18088d3835888061dbe7c154d435ecb1ef5d881cc3d9c097b71475bf37257
-
\Program Files (x86)\Common Files\Google\roboform.dllFilesize
74KB
MD5ee1887696c8445caaaad13bdb39d5dba
SHA1bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA2562e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA51294ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db
-
\Program Files (x86)\Common Files\Google\roboform.dllFilesize
74KB
MD5ee1887696c8445caaaad13bdb39d5dba
SHA1bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA2562e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA51294ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db
-
\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exeFilesize
96KB
MD50ba73a0db3913ba14be521f82c1b2c6c
SHA115920f9b5c190b70f927d18fa9d03793cb1f6332
SHA256212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
SHA51251472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a
-
\Users\Admin\AppData\Local\Temp\OUT\roboform.dllFilesize
74KB
MD5ee1887696c8445caaaad13bdb39d5dba
SHA1bc09e8530d2497befaeacbf4d50022181ffc59cc
SHA2562e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b
SHA51294ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db
-
memory/432-91-0x00000000001E0000-0x000000000020E000-memory.dmpFilesize
184KB
-
memory/432-88-0x00000000001E0000-0x000000000020E000-memory.dmpFilesize
184KB
-
memory/432-85-0x0000000000000000-mapping.dmp
-
memory/1684-76-0x00000000000D0000-0x00000000000EC000-memory.dmpFilesize
112KB
-
memory/1684-78-0x0000000000000000-mapping.dmp
-
memory/1684-82-0x00000000001C0000-0x00000000001EE000-memory.dmpFilesize
184KB
-
memory/1684-90-0x00000000001C0000-0x00000000001EE000-memory.dmpFilesize
184KB
-
memory/1784-80-0x0000000000230000-0x000000000025E000-memory.dmpFilesize
184KB
-
memory/1784-89-0x0000000000230000-0x000000000025E000-memory.dmpFilesize
184KB
-
memory/1828-81-0x00000000001B0000-0x00000000001DE000-memory.dmpFilesize
184KB
-
memory/1828-87-0x00000000001B0000-0x00000000001DE000-memory.dmpFilesize
184KB
-
memory/2020-55-0x0000000075DB1000-0x0000000075DB3000-memory.dmpFilesize
8KB
-
memory/2020-54-0x0000000000000000-mapping.dmp
-
memory/2044-62-0x0000000000830000-0x0000000000930000-memory.dmpFilesize
1024KB
-
memory/2044-57-0x0000000000000000-mapping.dmp
-
memory/2044-64-0x0000000000190000-0x00000000001BE000-memory.dmpFilesize
184KB