Overview

overview

10

Static

static

fcccc61173...b0.exe

windows7-x64

10

fcccc61173...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0.exe

  • Size

    2.0MB

  • MD5

    01468a69ca8676b51a357676e0856c88

  • SHA1

    4413a7f864255767a6d84c3e8362b9873a7e224b

  • SHA256

    fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0

  • SHA512

    d0d516c96c14e4ec5dded82e80f82a3ff6b2f8c2aae63b8f0e8667aea6e07e52e8dcf2ee7939304ef2303b07a4b8ca6e6c64f985a508d57aad79440d479d68b8

  • SSDEEP

    49152:Na175O/mZxrkaH1EN5/yxnxEil7F8vSZBWwj186KQGwi38KQrF+FO7p1FzohbJqE:uO/mZxbHW7yxnxECF8vSZBW+Pbi38KQU

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 5 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0.exe
    "C:\Users\Admin\AppData\Local\Temp\fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      C:\Users\Admin\AppData\Local\Temp\rudiment.exe
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\msiexec.exe
          C:\Windows\SysWOW64\msiexec.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2620
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4944

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\psychiatry.dat
    Filesize

    116KB

    MD5

    90ef80a48d17d9a4930389fdf2f836dc

    SHA1

    48dfb3dabde972b6989eba4f37ec45baee72d12a

    SHA256

    e8f264c16e5cd4d759e4951ebf57d132e8d9109a5fc3c9d811d7bdf65128e3d8

    SHA512

    82204ea9e1d9dfbb6cad1d8e8613a05c18aa3ec917408dfd14fc47972c24819f47d6c5b0621db89cfad1ff20d7bd703d70a24566337e85a7c519f9ef4c3b3dc7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
    Filesize

    47KB

    MD5

    b5bdaba69689e8be57ce78bb6845e4f0

    SHA1

    573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

    SHA256

    1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

    SHA512

    e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rudiment.exe
    Filesize

    47KB

    MD5

    b5bdaba69689e8be57ce78bb6845e4f0

    SHA1

    573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a

    SHA256

    1e712adae2a543bf2fbf41691416b350c3a90561ab5f6590e520f833a9a587ad

    SHA512

    e79aaa4ac9b79ce7008155fddafc1bee58aae67d4ab6a0308702a9d47c29e83583c6786f2fa0c3812e50ef6eea1de981f5108ca752837b5edb8041236ff3c6c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vsodscpl.DLL
    Filesize

    112KB

    MD5

    a461c190ea6ad293db576691a50ddd7e

    SHA1

    52f21d0f8af5d94059432808ecd856f5dcf4cec1

    SHA256

    9e9e347f21050f6fa9d913c53fa7cf38ca28878c3129294ce3ce484590bea983

    SHA512

    16636c08f31c4c9fcf10ef1658593c6fffc96c24396af783d5c183d94f98f2cbac224332fd36cc655baaa382b432ae9f71043fd22e278633a9df85c05cdbb9e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vsodscpl.dll
    Filesize

    112KB

    MD5

    a461c190ea6ad293db576691a50ddd7e

    SHA1

    52f21d0f8af5d94059432808ecd856f5dcf4cec1

    SHA256

    9e9e347f21050f6fa9d913c53fa7cf38ca28878c3129294ce3ce484590bea983

    SHA512

    16636c08f31c4c9fcf10ef1658593c6fffc96c24396af783d5c183d94f98f2cbac224332fd36cc655baaa382b432ae9f71043fd22e278633a9df85c05cdbb9e6

    Download Submit

  • memory/2620-154-0x0000000001320000-0x000000000134E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2620-152-0x0000000001320000-0x000000000134E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2668-153-0x0000000000950000-0x000000000097E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2668-150-0x0000000000950000-0x000000000097E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3364-133-0x0000000000A80000-0x0000000000C83000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3364-132-0x0000000000A80000-0x0000000000C83000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4944-136-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-134-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-135-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-138-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-137-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-140-0x00007FFA7F4B0000-0x00007FFA7F4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-139-0x00007FFA7F4B0000-0x00007FFA7F4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-156-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-157-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-158-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4944-159-0x00007FFA81510000-0x00007FFA81520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5008-149-0x0000000002A40000-0x0000000002A6E000-memory.dmp

    Filesize

    184KB

    Download