Overview

overview

10

Static

static

a5aee25378...49.exe

windows7-x64

10

a5aee25378...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249.exe

  • Size

    338KB

  • MD5

    bae08358dc23e85f11f2e702de0f5046

  • SHA1

    b0c9381d8fe5dd98daf744bce4a3d0e0448a7ab4

  • SHA256

    a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249

  • SHA512

    257176e3e51f2323cef3b9a7665ab636360f54e3192605a80b959614c192fc60ceebfcd05e417bfe200a477cec5a79c022e2199fbd8c18968763707e6840600d

  • SSDEEP

    6144:zFw8wzBhaEUJ45mnk75go5PnHt6Q+hTnO3pBboetnL1hCBDOmi986M:zFszBhqS5m+v6phi3N1hCBTN6M

Score
10/10
plugxtrojan

Malware Config

Signatures

  • Detects PlugX payload 6 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249.exe
    "C:\Users\Admin\AppData\Local\Temp\a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\xlmin.exe
      "C:\xlmin.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:844
  • C:\ProgramData\360\xlmin.exe
    C:\ProgramData\360\xlmin.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 1740
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\360\dl_peer_id.db
    Filesize

    120KB

    MD5

    af0d334876449c795e7eb23b8c546977

    SHA1

    abd97e9ddfa857f5dfbb51c382b207533f9390cb

    SHA256

    d9a7cbc41249a23bf5ef05a0188db79af241d21645dedde082726553185130eb

    SHA512

    ea3f57adee88f4989604321bca93f43c13f9c32bd618815f4ded6aa09d79df941d0764d0cfd1953b7c968de9096a5c14adf4e3838faaa455d71bfb6ba270b0eb

    Download Submit
  • C:\ProgramData\360\dl_peer_id.dll
    Filesize

    40KB

    MD5

    b3c4f33da415eb7648d71a89312df114

    SHA1

    8cac341abda25120b89da085dadee72f17b7b356

    SHA256

    b388009ca8311e82e37b4009054ac21350157299d1240a8070b66a177ffdd3f9

    SHA512

    03ea98d2ad918593277c5cede06061ef2446f10e74b3c6bcf512094bff9ead911802fb5d24efba4d95b4579ef5c12dcbe3338b556c0c35d249b2703f82367183

    Download Submit
  • C:\ProgramData\360\xlmin.exe
    Filesize

    173KB

    MD5

    e76ee3dd4b09116ccb947a2c063cfe0e

    SHA1

    6369bb55c284bd373c4be35cdcde36026d8a8a7d

    SHA256

    e8cbf2de0dcd938d74ae3d8f4c17142b5debca17808f7801d55ecc95feadfb3c

    SHA512

    171868e5b33885459504bb9c0c82dbf2b54c2ec656050ab1686328dfa69e2a62b15d1d7278f2682902356fd88a6c13001f7cadbd6f9b7afbc37b2613bf8ce2da

    Download Submit
  • C:\ProgramData\SxS\bug.log
    Filesize

    456B

    MD5

    088104abab6a39763cfe2275988f5191

    SHA1

    b81a234a506f1fd136884a124a8511d5bfa53965

    SHA256

    71518ebdc1f16d85d960c19c3264c20d9f3928f0b39c2daa103d1fec9698d634

    SHA512

    89bda09dc2db93f0b029daa2c66989440c6bbd5d8abf78edd7e1a9239f1c1b6e7c1d0d40fd885421599e5bfef784d2ed37544f2b34b2a21b989580369a908942

    Download Submit
  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    b092a76e89cd30ff8090d765218d4c9f

    SHA1

    f75e4c0e79acfefca41266c5f1619e2e183618d9

    SHA256

    c4fd39bb13b338b6e31dca4b6e952072fb912b26a3b6ee416ede8b3f382b9c9c

    SHA512

    a2fedf4dbbc97bf676846d1034f555b86fb49435a4f4ab4ebdfcd4852e71417179ba3ec7eb269b767eb44db169edb943c9b2677223a5ed4104cd04b9469e9e3c

    Download Submit
  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    479690eb11daa877458a2d566e668a58

    SHA1

    a5b8e575faa9d044bb75952455101347cfb28a5c

    SHA256

    17bfd240b96d8d66d85f7ed72f34efd3358262c29b1d6d99f2c2f31749b78a3a

    SHA512

    35c1b8607c1f2ef0b879fc205433b5cade81d9fc668dbc23e389fe58d275f2ad42d904c5f7863d7e32b95a566cbffb96e8f4e1e61721b6f4c4bf37c64223f69e

    Download Submit
  • C:\dl_peer_id.db
    Filesize

    120KB

    MD5

    af0d334876449c795e7eb23b8c546977

    SHA1

    abd97e9ddfa857f5dfbb51c382b207533f9390cb

    SHA256

    d9a7cbc41249a23bf5ef05a0188db79af241d21645dedde082726553185130eb

    SHA512

    ea3f57adee88f4989604321bca93f43c13f9c32bd618815f4ded6aa09d79df941d0764d0cfd1953b7c968de9096a5c14adf4e3838faaa455d71bfb6ba270b0eb

    Download Submit
  • C:\dl_peer_id.dll
    Filesize

    40KB

    MD5

    b3c4f33da415eb7648d71a89312df114

    SHA1

    8cac341abda25120b89da085dadee72f17b7b356

    SHA256

    b388009ca8311e82e37b4009054ac21350157299d1240a8070b66a177ffdd3f9

    SHA512

    03ea98d2ad918593277c5cede06061ef2446f10e74b3c6bcf512094bff9ead911802fb5d24efba4d95b4579ef5c12dcbe3338b556c0c35d249b2703f82367183

    Download Submit
  • C:\xlmin.exe
    Filesize

    173KB

    MD5

    e76ee3dd4b09116ccb947a2c063cfe0e

    SHA1

    6369bb55c284bd373c4be35cdcde36026d8a8a7d

    SHA256

    e8cbf2de0dcd938d74ae3d8f4c17142b5debca17808f7801d55ecc95feadfb3c

    SHA512

    171868e5b33885459504bb9c0c82dbf2b54c2ec656050ab1686328dfa69e2a62b15d1d7278f2682902356fd88a6c13001f7cadbd6f9b7afbc37b2613bf8ce2da

    Download Submit
  • C:\xlmin.exe
    Filesize

    173KB

    MD5

    e76ee3dd4b09116ccb947a2c063cfe0e

    SHA1

    6369bb55c284bd373c4be35cdcde36026d8a8a7d

    SHA256

    e8cbf2de0dcd938d74ae3d8f4c17142b5debca17808f7801d55ecc95feadfb3c

    SHA512

    171868e5b33885459504bb9c0c82dbf2b54c2ec656050ab1686328dfa69e2a62b15d1d7278f2682902356fd88a6c13001f7cadbd6f9b7afbc37b2613bf8ce2da

    Download Submit
  • \ProgramData\360\dl_peer_id.dll
    Filesize

    40KB

    MD5

    b3c4f33da415eb7648d71a89312df114

    SHA1

    8cac341abda25120b89da085dadee72f17b7b356

    SHA256

    b388009ca8311e82e37b4009054ac21350157299d1240a8070b66a177ffdd3f9

    SHA512

    03ea98d2ad918593277c5cede06061ef2446f10e74b3c6bcf512094bff9ead911802fb5d24efba4d95b4579ef5c12dcbe3338b556c0c35d249b2703f82367183

    Download Submit
  • memory/556-79-0x00000000002E0000-0x0000000000310000-memory.dmp
    Filesize

    192KB

    Download
  • memory/556-82-0x00000000002E0000-0x0000000000310000-memory.dmp
    Filesize

    192KB

    Download
  • memory/556-76-0x0000000000000000-mapping.dmp
    Download
  • memory/844-60-0x00000000009C0000-0x00000000009F0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/844-55-0x0000000000000000-mapping.dmp
    Download
  • memory/1348-54-0x00000000750A1000-0x00000000750A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1456-67-0x00000000023B0000-0x00000000023E0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1740-73-0x0000000000220000-0x0000000000250000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1740-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1740-68-0x00000000000A0000-0x00000000000BD000-memory.dmp
    Filesize

    116KB

    Download
  • memory/1740-81-0x0000000000220000-0x0000000000250000-memory.dmp
    Filesize

    192KB

    Download