Overview

overview

10

Static

static

291976ba47...23.exe

windows7-x64

10

291976ba47...23.exe

windows10-2004-x64

10

Resubmissions

30-11-2022 10:29

221130-mh85sscb27 10

29-11-2022 18:19

221129-wx7d7adc83 10

Analysis

  • max time kernel
    152s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2022 18:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    291976ba47cec4b3c0e31cbc50ab1923.exe

  • Size

    236KB

  • MD5

    291976ba47cec4b3c0e31cbc50ab1923

  • SHA1

    38273b08bd046fc29bd777c9dc4a177ae162b5f8

  • SHA256

    a78dbafaca4813307529cafbed554b53a622a639941f2e66520bbb92769ee960

  • SHA512

    0b44f02c9d37ba25b9988146bf9a516b65625ed7184c4188689eb4056945cd56e86180e21d7b157faff6acdf4991eec51b18c8d83f084652ef574b0d7ec4158b

  • SSDEEP

    3072:1H5VhrQrb6DvbqJMikwRz2Og2QTAxQ4Vt6r+CtbmMjxm8qyCz/xwDSpa:1ZkFkw1vgfCVt6r+l18qjp6Sp

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 8 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies data under HKEY_USERS 38 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\291976ba47cec4b3c0e31cbc50ab1923.exe
    "C:\Users\Admin\AppData\Local\Temp\291976ba47cec4b3c0e31cbc50ab1923.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:756
  • C:\ProgramData\SxS\NvSmart.exe
    "C:\ProgramData\SxS\NvSmart.exe" 100 756
    1⤵
    • Executes dropped EXE
    • Deletes itself
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:1204
  • C:\ProgramData\SxS\NvSmart.exe
    "C:\ProgramData\SxS\NvSmart.exe" 200 0
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 524
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SxS\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\ProgramData\SxS\NvSmart.exe
    Filesize

    46KB

    MD5

    09b8b54f78a10c435cd319070aa13c28

    SHA1

    6474d0369f97e72e01e4971128d1062f5c2b3656

    SHA256

    523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256

    SHA512

    c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

    Download Submit
  • C:\ProgramData\SxS\NvSmartMax.dll
    Filesize

    5KB

    MD5

    ff338690b8c399341981dcbcaf3af02c

    SHA1

    5162c70b2ae0b434cab7d9871dbd9a1dac14ec45

    SHA256

    5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976

    SHA512

    4c4394b9675d0ab01d2fc8d4a765411fb83700ae58d86b4c71452563931cb50ff1ed60ac637099e89bf0d49f939b4c7eaa4e168c1c2baa1b04e8e80fff37e5a3

    Download Submit
  • C:\ProgramData\SxS\bug.log
    Filesize

    460B

    MD5

    ba3e2da162bb39b61506692758d96d2b

    SHA1

    7ae15fced78bf4c152b3e8fd5adeaf0697fe7bf7

    SHA256

    756097e9977f3ef67915b840681ece3afea979ad951156480e22c447078a17ad

    SHA512

    1d3a16ac94dcf1f547e111a081f55d54f511dc92322c4c3c358d6cf528bbb7c656f39c57f8234dd9796e089cb409c0f47a65668ea88c33cd38b8d056d7f368c1

    Download Submit
  • C:\ProgramData\SxS\xxx.xxx
    Filesize

    155KB

    MD5

    64dce06ff017f3613b3360f3fa2200b6

    SHA1

    df7b71bbc1e40a8a3ef52ba8a744f2572608eb9c

    SHA256

    3b3f5f30ec0ef0a061e322c55e3ab55f095b6bd346ebecf3ba6970180ccf2c93

    SHA512

    f1924ed6f8c430422939c6c37fc1349ecbc81bef4dded66d71facb2246da9dc12dab0a3738d05df4c4cee3bba141eaa0d02fcd17505b2c5eb0fa2e49aec63410

    Download Submit
  • \ProgramData\SxS\NvSmartMax.dll
    Filesize

    5KB

    MD5

    ff338690b8c399341981dcbcaf3af02c

    SHA1

    5162c70b2ae0b434cab7d9871dbd9a1dac14ec45

    SHA256

    5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976

    SHA512

    4c4394b9675d0ab01d2fc8d4a765411fb83700ae58d86b4c71452563931cb50ff1ed60ac637099e89bf0d49f939b4c7eaa4e168c1c2baa1b04e8e80fff37e5a3

    Download Submit
  • \ProgramData\SxS\NvSmartMax.dll
    Filesize

    5KB

    MD5

    ff338690b8c399341981dcbcaf3af02c

    SHA1

    5162c70b2ae0b434cab7d9871dbd9a1dac14ec45

    SHA256

    5304d00250196a8cd5e9a81e053a886d1a291e4615484e49ff537bebecc13976

    SHA512

    4c4394b9675d0ab01d2fc8d4a765411fb83700ae58d86b4c71452563931cb50ff1ed60ac637099e89bf0d49f939b4c7eaa4e168c1c2baa1b04e8e80fff37e5a3

    Download Submit
  • memory/524-74-0x00000000001E0000-0x0000000000218000-memory.dmp
    Filesize

    224KB

    Download
  • memory/524-68-0x00000000000A0000-0x00000000000C6000-memory.dmp
    Filesize

    152KB

    Download
  • memory/524-81-0x00000000001E0000-0x0000000000218000-memory.dmp
    Filesize

    224KB

    Download
  • memory/524-70-0x0000000000000000-mapping.dmp
    Download
  • memory/756-55-0x0000000075831000-0x0000000075833000-memory.dmp
    Filesize

    8KB

    Download
  • memory/756-54-0x0000000000080000-0x00000000000A7000-memory.dmp
    Filesize

    156KB

    Download
  • memory/756-62-0x0000000000390000-0x00000000003C8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1124-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1124-80-0x00000000002F0000-0x0000000000328000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1124-82-0x00000000002F0000-0x0000000000328000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1204-60-0x0000000001BA0000-0x0000000001CA0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1204-63-0x0000000001CA0000-0x0000000001CD8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1204-75-0x0000000001CA0000-0x0000000001CD8000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1796-72-0x00000000002A0000-0x00000000002D8000-memory.dmp
    Filesize

    224KB

    Download