Overview

overview

10

Static

static

748a09ee75...66.exe

windows7_x64

10

748a09ee75...66.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    187s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66.exe

  • Size

    322KB

  • MD5

    deacce089de71aa3d685e4b5fd84cccb

  • SHA1

    0e59ed3c487e54e188012ad9990553b4eae04624

  • SHA256

    748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66

  • SHA512

    34ac9e7d7a2d05d82726d54d1325dc46aa230ceea164b8de725c0660947b90fcadb69ad59225af00275f6384d13b841dc6ceb756772f20a608fd602bd4c615b4

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX Payload 6 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66.exe
    "C:\Users\Admin\AppData\Local\Temp\748a09ee75795e741e3d15dfa38b4869ae4bb4c574c30197f9c7d0f023e8eb66.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4116
  • C:\ProgramData\Citrix\system32\ssonsvr.exe
    C:\ProgramData\Citrix\system32\ssonsvr.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5108
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\TEMP\AOFVPMJXVT.exe
        "C:\Windows\TEMP\AOFVPMJXVT.exe" cpsvcs
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3352
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 2172
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Citrix\system32\PNIPCN.dll
    Filesize

    4KB

    MD5

    a76fbb2a878893b41f70962073fbdcca

    SHA1

    0b58c21bfd06866365b7e423173fa1e170f4474b

    SHA256

    3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

    SHA512

    2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

    Download Submit

  • C:\ProgramData\Citrix\system32\PNIPCN.dll
    Filesize

    4KB

    MD5

    a76fbb2a878893b41f70962073fbdcca

    SHA1

    0b58c21bfd06866365b7e423173fa1e170f4474b

    SHA256

    3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

    SHA512

    2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

    Download Submit

  • C:\ProgramData\Citrix\system32\PipSEC
    Filesize

    212KB

    MD5

    ee9d96f6a545fe8dee85ec568bca55d9

    SHA1

    95b3e29697d04d6c005be0327b2fd99161aaaf82

    SHA256

    f50a36f032f7ecd6426a3463d8b1070ee3ada96f6ff52dd053aeb605ecb1da22

    SHA512

    a5b077483b2664b7ff95b2712bed3e55cdc84119fe53ffc2280891a020f630009724160b02702f4f7db6a349e1293fcbb1a0202024567e3e12cc67eb9cff11a9

    Download Submit

  • C:\ProgramData\Citrix\system32\ssonsvr.exe
    Filesize

    33KB

    MD5

    9388e298ac0ba3b6a0784a9be3919515

    SHA1

    195a2621131d526b582ad8bb34bfa70eb499ba70

    SHA256

    d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

    SHA512

    9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

    Download Submit

  • C:\ProgramData\Citrix\system32\ssonsvr.exe
    Filesize

    33KB

    MD5

    9388e298ac0ba3b6a0784a9be3919515

    SHA1

    195a2621131d526b582ad8bb34bfa70eb499ba70

    SHA256

    d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

    SHA512

    9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PNIPCN.dll
    Filesize

    4KB

    MD5

    a76fbb2a878893b41f70962073fbdcca

    SHA1

    0b58c21bfd06866365b7e423173fa1e170f4474b

    SHA256

    3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

    SHA512

    2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PNIPCN.dll
    Filesize

    4KB

    MD5

    a76fbb2a878893b41f70962073fbdcca

    SHA1

    0b58c21bfd06866365b7e423173fa1e170f4474b

    SHA256

    3e987f2505da7ddc77d206ac8a7cea86697fc5dfcfb6673ff08b25f2946f39df

    SHA512

    2d6ec27db4323a7c15b9263b9c021afa11c8340f0f005748e1978a03e1021977647afcb085dfcf41c06277d7faf0078e8211acf0f4f3a1c08901039f666774b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PipSEC
    Filesize

    212KB

    MD5

    ee9d96f6a545fe8dee85ec568bca55d9

    SHA1

    95b3e29697d04d6c005be0327b2fd99161aaaf82

    SHA256

    f50a36f032f7ecd6426a3463d8b1070ee3ada96f6ff52dd053aeb605ecb1da22

    SHA512

    a5b077483b2664b7ff95b2712bed3e55cdc84119fe53ffc2280891a020f630009724160b02702f4f7db6a349e1293fcbb1a0202024567e3e12cc67eb9cff11a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
    Filesize

    33KB

    MD5

    9388e298ac0ba3b6a0784a9be3919515

    SHA1

    195a2621131d526b582ad8bb34bfa70eb499ba70

    SHA256

    d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

    SHA512

    9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ssonsvr.exe
    Filesize

    33KB

    MD5

    9388e298ac0ba3b6a0784a9be3919515

    SHA1

    195a2621131d526b582ad8bb34bfa70eb499ba70

    SHA256

    d0d9604cbff27ddb233d13b7c84265638c3be1d45a7302428134c5e20c222a05

    SHA512

    9fd369c35447e7a308cb7422b883276c41197048c28a19b78e84fd90eff70849ed479a898a7d6a35f0362c267994ad5d4acf784e685a209a627e0893adc4730b

    Download Submit

  • C:\Windows\TEMP\AOFVPMJXVT.exe
    Filesize

    11KB

    MD5

    6622918d92a44e67175f7aeb3fcb5a05

    SHA1

    0b226563fa229783bea7aa27e28f908967c729e6

    SHA256

    b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

    SHA512

    65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

    Download Submit

  • C:\Windows\Temp\AOFVPMJXVT.exe
    Filesize

    11KB

    MD5

    6622918d92a44e67175f7aeb3fcb5a05

    SHA1

    0b226563fa229783bea7aa27e28f908967c729e6

    SHA256

    b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

    SHA512

    65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

    Download Submit

  • memory/2172-151-0x0000000001990000-0x00000000019E1000-memory.dmp

    Filesize

    324KB

    Download

  • memory/2172-148-0x0000000001990000-0x00000000019E1000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4020-150-0x0000000002BF0000-0x0000000002C41000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4020-152-0x0000000002BF0000-0x0000000002C41000-memory.dmp

    Filesize

    324KB

    Download

  • memory/4116-136-0x00000000020C0000-0x00000000020F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4116-143-0x0000000002190000-0x00000000021E1000-memory.dmp

    Filesize

    324KB

    Download

  • memory/5108-144-0x0000000000E30000-0x0000000000E81000-memory.dmp

    Filesize

    324KB

    Download