Overview

overview

10

Static

static

748a09ee75...66.exe

windows7_x64

10

748a09ee75...66.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66.exe

  • Size

    322KB

  • MD5

    deacce089de71aa3d685e4b5fd84cccb

  • SHA1

    0e59ed3c487e54e188012ad9990553b4eae04624

  • SHA256

    748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66

  • SHA512

    34ac9e7d7a2d05d82726d54d1325dc46aa230ceea164b8de725c0660947b90fcadb69ad59225af00275f6384d13b841dc6ceb756772f20a608fd602bd4c615b4

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX Payload 6 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\ProgramData\Citrix\system32\ssonsvr.exe
        C:\ProgramData\Citrix\system32\ssonsvr.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe 201 0
          3⤵
          • Deletes itself
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Windows\TEMP\AOFVPMJXVT.exe
            "C:\Windows\TEMP\AOFVPMJXVT.exe" cpsvcs
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:796
          • C:\Windows\SysWOW64\msiexec.exe
            C:\Windows\system32\msiexec.exe 209 1228
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:516
    • C:\Users\Admin\AppData\Local\Temp\748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66.exe
      "C:\Users\Admin\AppData\Local\Temp\748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:2032

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Citrix\system32\PNIPCN.dll
      Filesize

      4KB

      MD5

      a76fbb2a878893b41f70962073fbdcca

      SHA1

      0b58c21bfd06866365b7e423173fa1e170f4474b

      SHA256

      3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

      SHA512

      2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

      Download Submit
    • C:\ProgramData\Citrix\system32\PipSEC
      Filesize

      212KB

      MD5

      ee9d96f6a545fe8dee85ec568bca55d9

      SHA1

      95b3e29697d04d6c005be0327b2fd99161aaaf82

      SHA256

      f50a36f032f7ecd6426a3463d8b1070ee3ada96f6ff52dd053aeb605ecb1da22

      SHA512

      a5b077483b2664b7ff95b2712bed3e55cdc84119fe53ffc2280891a020f630009724160b02702f4f7db6a349e1293fcbb1a0202024567e3e12cc67eb9cff11a9

      Download Submit
    • C:\ProgramData\Citrix\system32\ssonsvr.exe
      Filesize

      33KB

      MD5

      9388e298ac0ba3b6a0784a9be3919515

      SHA1

      195a2621131d526b582ad8bb34bfa70eb499ba70

      SHA256

      d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

      SHA512

      9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PNIPCN.dll
      Filesize

      4KB

      MD5

      a76fbb2a878893b41f70962073fbdcca

      SHA1

      0b58c21bfd06866365b7e423173fa1e170f4474b

      SHA256

      3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

      SHA512

      2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PipSEC
      Filesize

      212KB

      MD5

      ee9d96f6a545fe8dee85ec568bca55d9

      SHA1

      95b3e29697d04d6c005be0327b2fd99161aaaf82

      SHA256

      f50a36f032f7ecd6426a3463d8b1070ee3ada96f6ff52dd053aeb605ecb1da22

      SHA512

      a5b077483b2664b7ff95b2712bed3e55cdc84119fe53ffc2280891a020f630009724160b02702f4f7db6a349e1293fcbb1a0202024567e3e12cc67eb9cff11a9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
      Filesize

      33KB

      MD5

      9388e298ac0ba3b6a0784a9be3919515

      SHA1

      195a2621131d526b582ad8bb34bfa70eb499ba70

      SHA256

      d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

      SHA512

      9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
      Filesize

      33KB

      MD5

      9388e298ac0ba3b6a0784a9be3919515

      SHA1

      195a2621131d526b582ad8bb34bfa70eb499ba70

      SHA256

      d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

      SHA512

      9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

      Download Submit
    • C:\Windows\Temp\AOFVPMJXVT.exe
      Filesize

      11KB

      MD5

      6622918d92a44e67175f7aeb3fcb5a05

      SHA1

      0b226563fa229783bea7aa27e28f908967c729e6

      SHA256

      b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

      SHA512

      65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

      Download Submit
    • \ProgramData\Citrix\system32\PNIPCN.dll
      Filesize

      4KB

      MD5

      a76fbb2a878893b41f70962073fbdcca

      SHA1

      0b58c21bfd06866365b7e423173fa1e170f4474b

      SHA256

      3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

      SHA512

      2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\PNIPCN.dll
      Filesize

      4KB

      MD5

      a76fbb2a878893b41f70962073fbdcca

      SHA1

      0b58c21bfd06866365b7e423173fa1e170f4474b

      SHA256

      3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

      SHA512

      2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
      Filesize

      33KB

      MD5

      9388e298ac0ba3b6a0784a9be3919515

      SHA1

      195a2621131d526b582ad8bb34bfa70eb499ba70

      SHA256

      d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

      SHA512

      9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
      Filesize

      33KB

      MD5

      9388e298ac0ba3b6a0784a9be3919515

      SHA1

      195a2621131d526b582ad8bb34bfa70eb499ba70

      SHA256

      d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

      SHA512

      9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
      Filesize

      33KB

      MD5

      9388e298ac0ba3b6a0784a9be3919515

      SHA1

      195a2621131d526b582ad8bb34bfa70eb499ba70

      SHA256

      d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

      SHA512

      9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
      Filesize

      33KB

      MD5

      9388e298ac0ba3b6a0784a9be3919515

      SHA1

      195a2621131d526b582ad8bb34bfa70eb499ba70

      SHA256

      d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

      SHA512

      9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

      Download Submit
    • \Windows\Temp\AOFVPMJXVT.exe
      Filesize

      11KB

      MD5

      6622918d92a44e67175f7aeb3fcb5a05

      SHA1

      0b226563fa229783bea7aa27e28f908967c729e6

      SHA256

      b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

      SHA512

      65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

      Download Submit
    • \Windows\Temp\AOFVPMJXVT.exe
      Filesize

      11KB

      MD5

      6622918d92a44e67175f7aeb3fcb5a05

      SHA1

      0b226563fa229783bea7aa27e28f908967c729e6

      SHA256

      b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

      SHA512

      65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

      Download Submit
    • memory/516-87-0x0000000000390000-0x00000000003E1000-memory.dmp
      Filesize

      324KB

      Download
    • memory/516-89-0x0000000000390000-0x00000000003E1000-memory.dmp
      Filesize

      324KB

      Download
    • memory/516-85-0x0000000000000000-mapping.dmp
      Download
    • memory/796-81-0x0000000000000000-mapping.dmp
      Download
    • memory/1228-88-0x00000000002E0000-0x0000000000331000-memory.dmp
      Filesize

      324KB

      Download
    • memory/1228-73-0x00000000000A0000-0x00000000000D2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1228-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1228-78-0x00000000002E0000-0x0000000000331000-memory.dmp
      Filesize

      324KB

      Download
    • memory/1648-54-0x00000000755B1000-0x00000000755B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1884-77-0x0000000001C30000-0x0000000001C81000-memory.dmp
      Filesize

      324KB

      Download
    • memory/2032-67-0x0000000000460000-0x00000000004B1000-memory.dmp
      Filesize

      324KB

      Download
    • memory/2032-66-0x0000000000280000-0x00000000002B6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2032-59-0x0000000000000000-mapping.dmp
      Download