Overview

overview

10

Static

static

03cbf99ae3...70.exe

windows7-x64

10

03cbf99ae3...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    183s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-10-2022 23:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03cbf99ae34bd4e53613ec36805e5f9ea7c2ce84011d99fc0dd37a5dcc3e8170.exe

  • Size

    239KB

  • MD5

    69b7c08a2e149ceb4f6ff9bd61f14290

  • SHA1

    0c81051d61536ec14fe193e64bda356a885b63cd

  • SHA256

    03cbf99ae34bd4e53613ec36805e5f9ea7c2ce84011d99fc0dd37a5dcc3e8170

  • SHA512

    ee6076e993a0db2b408077ecbfdcaa69e63e965699bfe8ff0e29005bc081e220ac600b6daf6af1a8a81cc722f990b69cad7483596fc5ffde87b4799a6d7b73e1

  • SSDEEP

    6144:/27gCbTehEqclWYacI5Jg6A0xPl4aX5D8owFSunNQLW3:/27/bTehEqclrt2X44JUSunOLA

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 8 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03cbf99ae34bd4e53613ec36805e5f9ea7c2ce84011d99fc0dd37a5dcc3e8170.exe
    "C:\Users\Admin\AppData\Local\Temp\03cbf99ae34bd4e53613ec36805e5f9ea7c2ce84011d99fc0dd37a5dcc3e8170.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4452
  • C:\Program Files (x86)\Common Files\NvSmart.exe
    "C:\Program Files (x86)\Common Files\NvSmart.exe" 100 4452
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:4220
  • C:\Program Files (x86)\Common Files\NvSmart.exe
    "C:\Program Files (x86)\Common Files\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 4368
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Common Files\NvSmart.dat
    Filesize

    120KB

    MD5

    92821c7ab934963e9b04f917d272cefc

    SHA1

    e8c092d9f0858dda6378962f20e44ffc39245f73

    SHA256

    0ebcbb904423910f81d8813852a0b4d73edbcc4d4216d58b723bc130eccbc2d0

    SHA512

    3cccbd7955a5baf3056140bfdef68e7e3e9cd193ae13a9e79074b7913360cb791dc95e9b5cff75227449ed9743dacc6711b12186b20193523915adf79d24c142

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmart.exe
    Filesize

    43KB

    MD5

    4d0c8f09a4e3bd5c063c2c4f100ed8d6

    SHA1

    7f9193357d84761336184851ac06464efd41a09b

    SHA256

    35ca38b9b7292b8c9da598ce5f2baafb76b90b66ddac366a43c77cbdf984801d

    SHA512

    4fa141785dba9aabb01ce563f1e2d4b1e96b75a8eefd44814160520de0c3da9c084e65e494fe3566db9c1094aad46efe8b4b546236432b582c4724542f210b21

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmart.exe
    Filesize

    43KB

    MD5

    4d0c8f09a4e3bd5c063c2c4f100ed8d6

    SHA1

    7f9193357d84761336184851ac06464efd41a09b

    SHA256

    35ca38b9b7292b8c9da598ce5f2baafb76b90b66ddac366a43c77cbdf984801d

    SHA512

    4fa141785dba9aabb01ce563f1e2d4b1e96b75a8eefd44814160520de0c3da9c084e65e494fe3566db9c1094aad46efe8b4b546236432b582c4724542f210b21

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmart.exe
    Filesize

    43KB

    MD5

    4d0c8f09a4e3bd5c063c2c4f100ed8d6

    SHA1

    7f9193357d84761336184851ac06464efd41a09b

    SHA256

    35ca38b9b7292b8c9da598ce5f2baafb76b90b66ddac366a43c77cbdf984801d

    SHA512

    4fa141785dba9aabb01ce563f1e2d4b1e96b75a8eefd44814160520de0c3da9c084e65e494fe3566db9c1094aad46efe8b4b546236432b582c4724542f210b21

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    11KB

    MD5

    1fab1cd41b73e9a485c4237307c72d24

    SHA1

    f48a4e1cafbf00c33221c605dc2f843dba74f903

    SHA256

    c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

    SHA512

    70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    11KB

    MD5

    1fab1cd41b73e9a485c4237307c72d24

    SHA1

    f48a4e1cafbf00c33221c605dc2f843dba74f903

    SHA256

    c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

    SHA512

    70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

    Download Submit

  • C:\Program Files (x86)\Common Files\NvSmartMax.dll
    Filesize

    11KB

    MD5

    1fab1cd41b73e9a485c4237307c72d24

    SHA1

    f48a4e1cafbf00c33221c605dc2f843dba74f903

    SHA256

    c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

    SHA512

    70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

    Download Submit

  • C:\ProgramData\SxS\bug.log
    Filesize

    622B

    MD5

    25ec741c4d8175b431543fdc0fc41206

    SHA1

    511d2c4cdb77c67cd26f2a8d58ede37d9f8b114c

    SHA256

    f68ca5f7eb5815eb731290d1d8baf8f33c3bd83c812649e43b1c6347b58a7f2b

    SHA512

    a1f1b660979943de1831da3ba74013654bcf3be314a88c6719859348ebf1a6f81468c259a50a57599b131e806c87a0f034f34aee03a1e4cfd6f13b6f9bee864c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.dat
    Filesize

    120KB

    MD5

    92821c7ab934963e9b04f917d272cefc

    SHA1

    e8c092d9f0858dda6378962f20e44ffc39245f73

    SHA256

    0ebcbb904423910f81d8813852a0b4d73edbcc4d4216d58b723bc130eccbc2d0

    SHA512

    3cccbd7955a5baf3056140bfdef68e7e3e9cd193ae13a9e79074b7913360cb791dc95e9b5cff75227449ed9743dacc6711b12186b20193523915adf79d24c142

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe
    Filesize

    43KB

    MD5

    4d0c8f09a4e3bd5c063c2c4f100ed8d6

    SHA1

    7f9193357d84761336184851ac06464efd41a09b

    SHA256

    35ca38b9b7292b8c9da598ce5f2baafb76b90b66ddac366a43c77cbdf984801d

    SHA512

    4fa141785dba9aabb01ce563f1e2d4b1e96b75a8eefd44814160520de0c3da9c084e65e494fe3566db9c1094aad46efe8b4b546236432b582c4724542f210b21

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmart.exe
    Filesize

    43KB

    MD5

    4d0c8f09a4e3bd5c063c2c4f100ed8d6

    SHA1

    7f9193357d84761336184851ac06464efd41a09b

    SHA256

    35ca38b9b7292b8c9da598ce5f2baafb76b90b66ddac366a43c77cbdf984801d

    SHA512

    4fa141785dba9aabb01ce563f1e2d4b1e96b75a8eefd44814160520de0c3da9c084e65e494fe3566db9c1094aad46efe8b4b546236432b582c4724542f210b21

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    11KB

    MD5

    1fab1cd41b73e9a485c4237307c72d24

    SHA1

    f48a4e1cafbf00c33221c605dc2f843dba74f903

    SHA256

    c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

    SHA512

    70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll
    Filesize

    11KB

    MD5

    1fab1cd41b73e9a485c4237307c72d24

    SHA1

    f48a4e1cafbf00c33221c605dc2f843dba74f903

    SHA256

    c164b75b738f3d85c27016b4cc9515d8dd5d12f16175e31fac2b13c5c2737fef

    SHA512

    70dd3d214dd2871364253775a404c35ae91db388108e8577d49de368a93f15ce542aa1c5408e1b4640371999d09e186741a911ed39f044320fd7ee04b7eeab85

    Download Submit

  • memory/1968-150-0x0000000000E30000-0x0000000000E60000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4220-149-0x00000000005C0000-0x00000000005F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4220-154-0x00000000005C0000-0x00000000005F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4328-156-0x0000000001610000-0x0000000001640000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4328-158-0x0000000001610000-0x0000000001640000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4368-153-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4368-157-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4452-138-0x00000000020B0000-0x00000000021B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4452-139-0x00000000006C0000-0x00000000006F0000-memory.dmp

    Filesize

    192KB

    Download