Overview

overview

10

Static

static

6392e0701a...c3.exe

windows7-x64

10

6392e0701a...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 16:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe

  • Size

    2.0MB

  • MD5

    0f6b00b0c5a26a5aa8942ae356329945

  • SHA1

    1f412a62f50ff71f0b2b2f54aaa980962ebfd8a4

  • SHA256

    6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3

  • SHA512

    e8c6ff3952b6b1066d113ce8b1e76ed20ec8eb5511045f374706fa2a44cf7b6d096e56a01e2318b872de4a5530872132053f13836d8ff4ffa75396a1ee4b34d9

  • SSDEEP

    49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJq:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQs

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 5 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe
    "C:\Users\Admin\AppData\Local\Temp\6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:820
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\psychiatry.dat
    Filesize

    116KB

    MD5

    6fad1eb852a177ecf4d324938667bad3

    SHA1

    2c340ccb03f23f651248057cce45ed1f8e82538a

    SHA256

    0a47b39e71fd6ba4e452491b52338a1578a8604a9bd298e6fa65488ab3f4f4e2

    SHA512

    86ff8519b96f6203e2ae3db3b5756a76fc9d4d72d3e383971e2bebbc8bf8e891fb503b94071f9b0351edd2cde32998a6d1cd1fcb76a0b407e60d9f180e1af506

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
    Filesize

    47KB

    MD5

    b5bdaba69689e8be57ce78bb6845e4f0

    SHA1

    573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

    SHA256

    1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

    SHA512

    e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
    Filesize

    47KB

    MD5

    b5bdaba69689e8be57ce78bb6845e4f0

    SHA1

    573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

    SHA256

    1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

    SHA512

    e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vsodscpl.DLL
    Filesize

    112KB

    MD5

    cd03ef37cc82c578e7ef424e8199489a

    SHA1

    c059125dde026fb888357e7422fb1581611ada8f

    SHA256

    ec844e5fd297a3ff064e0be3c79885de21ba141d137f36b23677246623cdfc00

    SHA512

    a5a7832f44a9934d71044f9e1015590196f36a8bd660d85a1207415c43b1288e828bf14269468962868c425fb16ce797afc566a571e9b6b94726600d38d14b9e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vsodscpl.dll
    Filesize

    112KB

    MD5

    cd03ef37cc82c578e7ef424e8199489a

    SHA1

    c059125dde026fb888357e7422fb1581611ada8f

    SHA256

    ec844e5fd297a3ff064e0be3c79885de21ba141d137f36b23677246623cdfc00

    SHA512

    a5a7832f44a9934d71044f9e1015590196f36a8bd660d85a1207415c43b1288e828bf14269468962868c425fb16ce797afc566a571e9b6b94726600d38d14b9e

    Download Submit

  • memory/776-137-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-139-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-140-0x00007FFE5D230000-0x00007FFE5D240000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-138-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-136-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-135-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/776-134-0x00007FFE5F790000-0x00007FFE5F7A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/820-152-0x0000000000DD0000-0x0000000000DFE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/820-154-0x0000000000DD0000-0x0000000000DFE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2112-149-0x0000000003530000-0x000000000355E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2676-150-0x0000000001320000-0x000000000134E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2676-153-0x0000000001320000-0x000000000134E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4248-132-0x0000000000840000-0x0000000000A43000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4248-133-0x0000000000840000-0x0000000000A43000-memory.dmp

    Filesize

    2.0MB

    Download