Overview

overview

10

Static

static

8

fd149c94ed...1f.exe

windows7_x64

10

fd149c94ed...1f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    13-07-2022 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe

  • Size

    254KB

  • MD5

    4485d8844b083564cf510271d90d7399

  • SHA1

    769d564f9b895c8d07fee07733782c548e30267a

  • SHA256

    fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f

  • SHA512

    0f0e1eb3249e1a73ab51b08462dfd8871c9fe5db7b87090635a8b6930c830440a2a225c4e1ed5e8f596cea1672f65fcb1a383a47ea9e4133bde8cc9ed793efeb

Score
10/10
plugxsuricatatrojanupx

Malware Config

Signatures

  • Detects PlugX payload 8 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • suricata: ET MALWARE PlugX CnC Beacon

    suricata: ET MALWARE PlugX CnC Beacon

    suricata
  • suricata: ET MALWARE PlugX/Destory HTTP traffic

    suricata: ET MALWARE PlugX/Destory HTTP traffic

    suricata
  • suricata: ET MALWARE Possible PlugX Common Header Struct

    suricata: ET MALWARE Possible PlugX Common Header Struct

    suricata
  • suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2

    suricata: ET MALWARE UPDATE Protocol Trojan Communication detected on http ports 2

    suricata
  • Blocklisted process makes network request 13 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 3 IoCs
  • Unexpected DNS network traffic destination 7 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Drops file in System32 directory 4 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 22 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe
    "C:\Users\Admin\AppData\Local\Temp\fd149c94edb66bd0951a544cb646c582c8d3f1edb01945579af7d1122a595b1f.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
      C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
    "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 100 2928
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2916
  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
    "C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\system32\dllhost.exe 201 0
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 5032
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4560

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\RoboForm.DLL
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\roboform.dll
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\roboform.dll
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\update.log
    Filesize

    116KB

    MD5

    8c49d603e67e5933ff07216c80b0ed4b

    SHA1

    a31aaff7adccb8563a2f798816f9b211b774bf08

    SHA256

    6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c

    SHA512

    48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\RoboForm.DLL
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\ktmhelp.exe
    Filesize

    96KB

    MD5

    0ba73a0db3913ba14be521f82c1b2c6c

    SHA1

    15920f9b5c190b70f927d18fa9d03793cb1f6332

    SHA256

    212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f

    SHA512

    51472b924efea3d86607b17431829b3719ed7e1d153e09eb227b70f811d1db45880d0f195324afe3a418b62029a44c234011f3ad5e656c48e2920481a8fcc37a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\roboform.dll
    Filesize

    74KB

    MD5

    ee1887696c8445caaaad13bdb39d5dba

    SHA1

    bc09e8530d2497befaeacbf4d50022181ffc59cc

    SHA256

    2e1c2572e5e584ecfb00afcaa677c97b6c477c376da4f0169a72f8be7f9b426b

    SHA512

    94ce672d12e1de85deebd1362b7195a2365785689f00f63ba5240a3f81ba62409c973691713751468716fe8a502ca6dc8d7114da38d8b522d16f4ad027e013db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OUT\update.log
    Filesize

    116KB

    MD5

    8c49d603e67e5933ff07216c80b0ed4b

    SHA1

    a31aaff7adccb8563a2f798816f9b211b774bf08

    SHA256

    6e9f83f1c98551bf184a008b44511ffebc5aa415d4620cbd158bb9be13eee20c

    SHA512

    48397e74b3c6b5fe9f4235acae7087404cb2e9e605d39caa315fcb5e17a873324d375fd7a141f383e8546e4f8ccf5d9102bf83eb7b21a49680b3538c8dbc6ce4

    Download Submit

  • memory/1904-141-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1904-130-0x0000000000400000-0x000000000047F000-memory.dmp

    Filesize

    508KB

    Download

  • memory/1904-131-0x0000000010000000-0x000000001005D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2724-154-0x0000000001A20000-0x0000000001A4E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2916-153-0x0000000002B90000-0x0000000002BBE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2916-156-0x0000000002B90000-0x0000000002BBE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-140-0x0000000002C50000-0x0000000002D50000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2928-142-0x0000000002D80000-0x0000000002DAE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4560-158-0x0000000002A10000-0x0000000002A3E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4560-160-0x0000000002A10000-0x0000000002A3E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5032-159-0x0000000000870000-0x000000000089E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5032-155-0x0000000000870000-0x000000000089E000-memory.dmp

    Filesize

    184KB

    Download