Overview

overview

10

Static

static

Microsoft.exe

windows7-x64

10

Microsoft.exe

windows10-1703-x64

8

Microsoft.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2022 07:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Microsoft.exe

  • Size

    4.0MB

  • MD5

    083f54e1891baeb8783adc6ee775fc41

  • SHA1

    9f7b44476da46086e38f89f4eb2b9900629082a4

  • SHA256

    b55abbc07b02308c5315aa31de307ca62665d340806114a1992536584a5895d1

  • SHA512

    4c0ab2a86af49ed0fd129095962e11baa9fa9a9e0276473832be6c47bb8918c5c39a2f228a06e6f7d2aaa8d791c75645102ee5674ba44a9e3b9dc079c936d8ab

  • SSDEEP

    98304:Zwa9JkoXTaSRr+aV1uHIx5gjSTBvq+TYIMV3hMAo:Zr9UY5g0v0g

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 4 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 16 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 25 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Microsoft.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\Microsoft.msi AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Microsoft.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1661412085 "
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:892
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DC85F5CED7D927DCA50F330EDFB25400 C
      2⤵
      • Loads dropped DLL
      PID:952
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2946A776A851F3503218275E8C9958FC
      2⤵
      • Loads dropped DLL
      PID:1496
    • C:\Windows\Installer\MSI3E32.tmp
      "C:\Windows\Installer\MSI3E32.tmp" "C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1888
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1868
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E4" "0000000000000540"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1408
    • C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe
      "C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      PID:1220
    • C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe
      "C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe" 600 0
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe 601 0
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1828
        • C:\Windows\SysWOW64\userinit.exe
          C:\Windows\system32\userinit.exe 609 1828
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1904

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\BitDefender\Handler\bdreinit.exe
      Filesize

      192KB

      MD5

      8a8db1e20dc508af5a81fc00b1929468

      SHA1

      32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

      SHA256

      386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

      SHA512

      9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

      Download Submit
    • C:\Program Files (x86)\BitDefender\Handler\log.dat
      Filesize

      199KB

      MD5

      4d46b087b62183d86c53bf05ce4e2c8d

      SHA1

      174bd3886bd598f621eb758f469f69e85532f5c0

      SHA256

      49686cbde9535055fa48a0742bbe765f9d6ec1104e7efa8f71d1894f2d7d7873

      SHA512

      cf87b40dd69306285adff88de6050c1d456c34b2056e8f98ca7cf046459b6839afe67f4b13e25e5162ab311f1033a004b7e1bdc2955a10e8490eaef0f882a117

      Download Submit
    • C:\Program Files (x86)\BitDefender\Handler\log.dll
      Filesize

      139KB

      MD5

      c55b6938f885c07d627c15165c21390a

      SHA1

      9d2e460fd11791e78eb7fbc1357c973493293572

      SHA256

      f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

      SHA512

      9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

      Download Submit
    • C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe
      Filesize

      192KB

      MD5

      8a8db1e20dc508af5a81fc00b1929468

      SHA1

      32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

      SHA256

      386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

      SHA512

      9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

      Download Submit
    • C:\Program Files (x86)\Microsoft Office\Microsoft\bdreinit.exe
      Filesize

      192KB

      MD5

      8a8db1e20dc508af5a81fc00b1929468

      SHA1

      32e1ebec9672ad7cc5dc36d8a1c87bbf47a4fa9f

      SHA256

      386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd

      SHA512

      9c5747fd7563b29ecf43b71b5480b260b083892d37054ff77cc6c613c3db380ce2bdf990fb466edc8705f784b051dc1be208b454696e67eb0c90c20470f4ea87

      Download Submit
    • C:\Program Files (x86)\Microsoft Office\Microsoft\log.dat
      Filesize

      199KB

      MD5

      4d46b087b62183d86c53bf05ce4e2c8d

      SHA1

      174bd3886bd598f621eb758f469f69e85532f5c0

      SHA256

      49686cbde9535055fa48a0742bbe765f9d6ec1104e7efa8f71d1894f2d7d7873

      SHA512

      cf87b40dd69306285adff88de6050c1d456c34b2056e8f98ca7cf046459b6839afe67f4b13e25e5162ab311f1033a004b7e1bdc2955a10e8490eaef0f882a117

      Download Submit
    • C:\Program Files (x86)\Microsoft Office\Microsoft\log.dll
      Filesize

      139KB

      MD5

      c55b6938f885c07d627c15165c21390a

      SHA1

      9d2e460fd11791e78eb7fbc1357c973493293572

      SHA256

      f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

      SHA512

      9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI7D2C.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Microsoft.msi
      Filesize

      1.5MB

      MD5

      df26d42194e934122c73559987f3ab84

      SHA1

      c526f8e1f8f4b22c0b62f76af448c63a7e5f2073

      SHA256

      eec36f5b2d28bb8076648f96899def8e297347322dd7d13368234680eaaee01d

      SHA512

      e62bd5773649251dfaa4870b2e5f6ebff6e69dd18ac4ecdeb296d0826b02b4a76d878037ea183a2653044afe5b807cee15c9fd1d7032bb6e75e761609e8f30b1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Microsoft1.cab
      Filesize

      351KB

      MD5

      a66bc9849ba7d090a983e1aa64275e9a

      SHA1

      86f35c1a29cde722c2c822c46e4c4eac0b360f4a

      SHA256

      1b1a6809886af74850a817d23854ada702af6e6f094ac477049faa46c317d9cc

      SHA512

      e1a5f7b65bbca6a6eba9bcfaa278882961e3d0ad3b03a18a6fdda91558372d9a902d6ebe2f203d5b1174145eb84b3b5ebfe9fc78bb1d081f34d72b9b03993f90

      Download Submit
    • C:\Windows\Installer\MSI2EBF.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • C:\Windows\Installer\MSI365E.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • C:\Windows\Installer\MSI3823.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • C:\Windows\Installer\MSI3B03.tmp
      Filesize

      529KB

      MD5

      aab600da7532150b6fd984f3c6e6d781

      SHA1

      30c95ec5f80d8595221c9f37c0f172ea2ce7b917

      SHA256

      c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

      SHA512

      70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

      Download Submit
    • C:\Windows\Installer\MSI3BEF.tmp
      Filesize

      529KB

      MD5

      aab600da7532150b6fd984f3c6e6d781

      SHA1

      30c95ec5f80d8595221c9f37c0f172ea2ce7b917

      SHA256

      c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

      SHA512

      70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

      Download Submit
    • C:\Windows\Installer\MSI3E32.tmp
      Filesize

      401KB

      MD5

      8c7085c86a4b14296f6e76525f20c828

      SHA1

      6113087876f86c9247bc4080c08ce1ae578d9a99

      SHA256

      beeaa8bfc97d87c1739611a88d3f4fa9a561cecbc5379309543dd850cc3f956c

      SHA512

      97dcbe469ec14114b90c0c52c289af173c6078b8aad3f9bb78c212278f1980d2750ce8bfba6b1ac0aaf72aa956f4c0be0c471ffbc7e811d4affa5896d36367e0

      Download Submit
    • \Program Files (x86)\BitDefender\Handler\log.dll
      Filesize

      139KB

      MD5

      c55b6938f885c07d627c15165c21390a

      SHA1

      9d2e460fd11791e78eb7fbc1357c973493293572

      SHA256

      f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

      SHA512

      9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

      Download Submit
    • \Program Files (x86)\Microsoft Office\Microsoft\log.dll
      Filesize

      139KB

      MD5

      c55b6938f885c07d627c15165c21390a

      SHA1

      9d2e460fd11791e78eb7fbc1357c973493293572

      SHA256

      f534e7193ff51dcf12e4d1f09825a38e3f4992f88b071f288c6d628ec626582c

      SHA512

      9f225317c7f60621dfd43ccc9c4cfeef5cbaf8cf304702189283d8b74f179487d857a5ebeff87b40d008e71c369200b7a490babe39d4423fdbf55b8c39c1acd9

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MSI7D2C.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • \Windows\Installer\MSI2EBF.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • \Windows\Installer\MSI365E.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • \Windows\Installer\MSI3823.tmp
      Filesize

      377KB

      MD5

      316ed83688978925aa47a0c4d5662d2c

      SHA1

      96aaa52977cbd62ba865b35f9730c7c2861e5c2b

      SHA256

      da354085bcbca5ed614e754eb78a5aa9b879b8d5375625b6d1e34f5ea63c097e

      SHA512

      14eba103ed9cf5780e9bb59feb903159f928a6abdc0fdcede29d9cb59ea7df2cc379dc92d74e0c527ce98ee73b83fcf5fcc677ab82dcddcab581f7a87e9399e9

      Download Submit
    • \Windows\Installer\MSI3B03.tmp
      Filesize

      529KB

      MD5

      aab600da7532150b6fd984f3c6e6d781

      SHA1

      30c95ec5f80d8595221c9f37c0f172ea2ce7b917

      SHA256

      c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

      SHA512

      70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

      Download Submit
    • \Windows\Installer\MSI3BEF.tmp
      Filesize

      529KB

      MD5

      aab600da7532150b6fd984f3c6e6d781

      SHA1

      30c95ec5f80d8595221c9f37c0f172ea2ce7b917

      SHA256

      c4241c23b49fcf5da34862aa43b801b9282d4613b2220effe2332150c13fb019

      SHA512

      70c41d7c5e76e169e1f41f96a8a68d1ca2a9206f87a46f08519b8301205cba40368ad1dd7a7266d2bed5a22d54dd1937f52eb18bc7d153608081bdc3e035ce06

      Download Submit
    • memory/676-93-0x0000000002130000-0x0000000003130000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/892-61-0x0000000000000000-mapping.dmp
      Download
    • memory/952-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1220-85-0x00000000020A0000-0x00000000030A0000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/1220-88-0x00000000003D0000-0x0000000000402000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1496-64-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-56-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1828-96-0x0000000000000000-mapping.dmp
      Download
    • memory/1828-94-0x00000000000A0000-0x00000000000D0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1828-97-0x0000000000920000-0x0000000001920000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/1828-105-0x0000000000080000-0x0000000000082000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1888-77-0x0000000000000000-mapping.dmp
      Download
    • memory/1904-101-0x0000000000000000-mapping.dmp
      Download
    • memory/1904-103-0x0000000000080000-0x0000000000082000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1904-102-0x0000000002330000-0x0000000003330000-memory.dmp
      Filesize

      16.0MB

      Download
    • memory/2020-55-0x0000000073D01000-0x0000000073D03000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp
      Filesize

      8KB

      Download