Overview

overview

10

Static

static

264f0a6d47...bf.dll

windows7_x64

10

264f0a6d47...bf.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf.dll

  • Size

    381KB

  • MD5

    b17b80898eedfe9d51ac5f8da1b55a08

  • SHA1

    1227c764f46482f5e30e5a53433f45cb1a7eabdb

  • SHA256

    264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf

  • SHA512

    e5afaf0e885efaf44d391bc63c46d97611af1119f5979f0f06ae109afe042af91944cdbd49ed6c84069f262ee8a5882d2450b1fcd929c6b61714665472192750

Score
10/10
plugxsuricatatrojan

Malware Config

Signatures

  • Detects PlugX Payload 9 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • suricata: ET MALWARE PlugX CnC Beacon

    suricata: ET MALWARE PlugX CnC Beacon

    suricata
  • suricata: ET MALWARE PlugX/Destory HTTP traffic

    suricata: ET MALWARE PlugX/Destory HTTP traffic

    suricata
  • suricata: ET MALWARE Possible PlugX Common Header Struct

    suricata: ET MALWARE Possible PlugX Common Header Struct

    suricata
  • suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2

    suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2

    suricata
  • Blocklisted process makes network request 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 22 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\264f0a6d47f8c4578be602be1ea01dd634eace574afd7d44d854431721ffcabf.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
        C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
  • C:\Program Files (x86)\Common Files\Google\ktmhelp.exe
    "C:\Program Files (x86)\Common Files\Google\ktmhelp.exe" 100 4644
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4904
  • C:\Program Files (x86)\Common Files\Google\ktmhelp.exe
    "C:\Program Files (x86)\Common Files\Google\ktmhelp.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\system32\dllhost.exe 201 0
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 4044
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2356

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Google\RoboForm.DLL
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\Program Files (x86)\Common Files\Google\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\Program Files (x86)\Common Files\Google\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\Program Files (x86)\Common Files\Google\roboform.dll
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\Program Files (x86)\Common Files\Google\roboform.dll
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\Program Files (x86)\Common Files\Google\update.log
    Filesize

    115KB

    MD5

    fc34d2fd567e8d1815d8d67cbbb4b32e

    SHA1

    0e83054a19f683ccea20b6ee48726030ef550b36

    SHA256

    59ac056c4174c3065b8ca01ebcbb8b4c0c93b0a4f2f16de75de89865915bd6d8

    SHA512

    f968bebfd09bbba63480ae1c84fe77dce8890d447d211fbfa54ab61933ff75ed79a18088d3835888061dbe7c154d435ecb1ef5d881cc3d9c097b71475bf37257

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\roboform.dll
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\update.log
    Filesize

    115KB

    MD5

    fc34d2fd567e8d1815d8d67cbbb4b32e

    SHA1

    0e83054a19f683ccea20b6ee48726030ef550b36

    SHA256

    59ac056c4174c3065b8ca01ebcbb8b4c0c93b0a4f2f16de75de89865915bd6d8

    SHA512

    f968bebfd09bbba63480ae1c84fe77dce8890d447d211fbfa54ab61933ff75ed79a18088d3835888061dbe7c154d435ecb1ef5d881cc3d9c097b71475bf37257

    Download Submit

  • memory/2356-154-0x0000000002AB0000-0x0000000002ADE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2356-156-0x0000000002AB0000-0x0000000002ADE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3868-149-0x0000000001110000-0x000000000113E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3868-151-0x0000000001110000-0x000000000113E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4044-150-0x0000000001270000-0x000000000129E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4044-155-0x0000000001270000-0x000000000129E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4644-137-0x0000000002700000-0x000000000272E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4644-136-0x00000000025B0000-0x00000000026B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4904-148-0x00000000028B0000-0x00000000028DE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4904-152-0x00000000028B0000-0x00000000028DE000-memory.dmp

    Filesize

    184KB

    Download