Overview

overview

10

Static

static

d8d59353d0...b3.exe

windows7_x64

10

d8d59353d0...b3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8d59353d0e19957cd4cce5102dff5b706ed9c412db6b8778b3ea4726b2429b3.exe

  • Size

    253KB

  • MD5

    1cc2207ffa2a3d081eee9ef034d57815

  • SHA1

    8700ac9cb88ec7c6ac983bf2cd8ce29e3a070beb

  • SHA256

    d8d59353d0e19957cd4cce5102dff5b706ed9c412db6b8778b3ea4726b2429b3

  • SHA512

    c9cadb94f14748581b78ae20f90191aefccf531505dd94aefa56b0d23a852fd49a0d8343a5054ff247697d9ebf2ce3f4c6857beea6db6e7a753895576c05af2a

Score
10/10
plugxsuricatatrojan

Malware Config

Signatures

  • Detects PlugX Payload 7 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • suricata: ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic

    suricata: ET MALWARE Trojan.Win32.DLOADR.TIOIBEPQ CnC Traffic

    suricata
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8d59353d0e19957cd4cce5102dff5b706ed9c412db6b8778b3ea4726b2429b3.exe
    "C:\Users\Admin\AppData\Local\Temp\d8d59353d0e19957cd4cce5102dff5b706ed9c412db6b8778b3ea4726b2429b3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4368
  • C:\Program Files (x86)\Common Files\Nv.exe
    "C:\Program Files (x86)\Common Files\Nv.exe" 100 4368
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2596
  • C:\Program Files (x86)\Common Files\Nv.exe
    "C:\Program Files (x86)\Common Files\Nv.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3640
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:648

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Program Files (x86)\Common Files\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Program Files (x86)\Common Files\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    48KB

    MD5

    d659d95d46f71f172cd4f2aca9532949

    SHA1

    13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

    SHA256

    9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

    SHA512

    ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    48KB

    MD5

    d659d95d46f71f172cd4f2aca9532949

    SHA1

    13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

    SHA256

    9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

    SHA512

    ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    48KB

    MD5

    d659d95d46f71f172cd4f2aca9532949

    SHA1

    13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

    SHA256

    9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

    SHA512

    ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmartMax.dll.URL
    Filesize

    110KB

    MD5

    83d378c6740d34bdb4aac01c7a7ce394

    SHA1

    f38aa5d350c7fb95eb1dfb6b386c65932263e921

    SHA256

    a8dd82ba668db8cbdc5309e70ae7023e961ccb231eeae60cb19eb953812cee5b

    SHA512

    8ac09ebce1e4ef6fbf27a95b18d4b994339ec855e7548a35ecd3465d3cc2f50f8b2361df1851af36d7962c3c30915bb660a4cca6e525252cec0aab47d6de5195

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    48KB

    MD5

    d659d95d46f71f172cd4f2aca9532949

    SHA1

    13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

    SHA256

    9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

    SHA512

    ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    48KB

    MD5

    d659d95d46f71f172cd4f2aca9532949

    SHA1

    13a4a93c5a76ad1ea95cc6e9c7e2282f1981c85d

    SHA256

    9e4800663e62415d01f844195d8bae0be71a1bd14b9d4103c6dedb9266957837

    SHA512

    ad423ef32635358f8c47854a95c9e18dde7fe1e31c450aee7fd16f5a4043a8fd135ad5eac7491909acdf5afd6d013f8fd9b1f07809d8ff88458dbad31dddaba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL
    Filesize

    110KB

    MD5

    83d378c6740d34bdb4aac01c7a7ce394

    SHA1

    f38aa5d350c7fb95eb1dfb6b386c65932263e921

    SHA256

    a8dd82ba668db8cbdc5309e70ae7023e961ccb231eeae60cb19eb953812cee5b

    SHA512

    8ac09ebce1e4ef6fbf27a95b18d4b994339ec855e7548a35ecd3465d3cc2f50f8b2361df1851af36d7962c3c30915bb660a4cca6e525252cec0aab47d6de5195

    Download Submit

  • memory/648-152-0x00000000023C0000-0x00000000023EC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/648-154-0x00000000023C0000-0x00000000023EC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2596-149-0x0000000002150000-0x000000000217C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3536-148-0x0000000000E50000-0x0000000000E7C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3640-150-0x0000000000E90000-0x0000000000EBC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3640-153-0x0000000000E90000-0x0000000000EBC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4368-137-0x00000000021A0000-0x00000000021CC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/4368-136-0x0000000002070000-0x0000000002170000-memory.dmp

    Filesize

    1024KB

    Download