Analysis

  • max time kernel
    191s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-12-2022 09:44

General

  • Target

    a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249.exe

  • Size

    338KB

  • MD5

    bae08358dc23e85f11f2e702de0f5046

  • SHA1

    b0c9381d8fe5dd98daf744bce4a3d0e0448a7ab4

  • SHA256

    a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249

  • SHA512

    257176e3e51f2323cef3b9a7665ab636360f54e3192605a80b959614c192fc60ceebfcd05e417bfe200a477cec5a79c022e2199fbd8c18968763707e6840600d

  • SSDEEP

    6144:zFw8wzBhaEUJ45mnk75go5PnHt6Q+hTnO3pBboetnL1hCBDOmi986M:zFszBhqS5m+v6phi3N1hCBTN6M

Score
10/10

Malware Config

Signatures

  • Detects PlugX payload 6 IoCs
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 25 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249.exe
    "C:\Users\Admin\AppData\Local\Temp\a5aee25378a5cdf087557a93f55428c3f98354950f022430ec45dd10be581249.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\xlmin.exe
      "C:\xlmin.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3456
  • C:\ProgramData\360\xlmin.exe
    C:\ProgramData\360\xlmin.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe 201 0
      2⤵
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\system32\msiexec.exe 209 3988
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1660

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry: T1012 (1)
    • System Information Discovery: T1082 (2)

Downloads

  • C:\ProgramData\360\dl_peer_id.db
    Filesize

    120KB

    MD5

    af0d334876449c795e7eb23b8c546977

    SHA1

    abd97e9ddfa857f5dfbb51c382b207533f9390cb

    SHA256

    d9a7cbc41249a23bf5ef05a0188db79af241d21645dedde082726553185130eb

    SHA512

    ea3f57adee88f4989604321bca93f43c13f9c32bd618815f4ded6aa09d79df941d0764d0cfd1953b7c968de9096a5c14adf4e3838faaa455d71bfb6ba270b0eb

  • C:\ProgramData\360\dl_peer_id.dll
    Filesize

    40KB

    MD5

    b3c4f33da415eb7648d71a89312df114

    SHA1

    8cac341abda25120b89da085dadee72f17b7b356

    SHA256

    b388009ca8311e82e37b4009054ac21350157299d1240a8070b66a177ffdd3f9

    SHA512

    03ea98d2ad918593277c5cede06061ef2446f10e74b3c6bcf512094bff9ead911802fb5d24efba4d95b4579ef5c12dcbe3338b556c0c35d249b2703f82367183

  • C:\ProgramData\360\xlmin.exe
    Filesize

    173KB

    MD5

    e76ee3dd4b09116ccb947a2c063cfe0e

    SHA1

    6369bb55c284bd373c4be35cdcde36026d8a8a7d

    SHA256

    e8cbf2de0dcd938d74ae3d8f4c17142b5debca17808f7801d55ecc95feadfb3c

    SHA512

    171868e5b33885459504bb9c0c82dbf2b54c2ec656050ab1686328dfa69e2a62b15d1d7278f2682902356fd88a6c13001f7cadbd6f9b7afbc37b2613bf8ce2da

  • C:\ProgramData\SxS\bug.log
    Filesize

    456B

    MD5

    8aff13fc6fd86b33861b5a25d1e6f587

    SHA1

    ea078260a9e58f9160d46d6f4f8d2c6e83ebb4b2

    SHA256

    f594b4332125ee5cbcba4cc68a838cff9a17dbc8ea4afb24434d553d1a92aadf

    SHA512

    3e860a49289bd9055b0543f16ef12714e3359f3c4884de9a51eaa2cc7b742ea736acbd13f0eb82e8034b22b2ef909228be6e641b6d45137f4870e9ec17988824

  • C:\ProgramData\SxS\bug.log
    Filesize

    618B

    MD5

    6fcee7b9a6e9f41ad86608563f53bb37

    SHA1

    96dc61b0b86d9af1b1eb791686a8e7caea3fd224

    SHA256

    39a163658801c92c0f7502c05a90b2c3fbe5e02daa7446b7297714fe8769f0d8

    SHA512

    0230b4fb799dffdf6ca0aa86c9fbc07a2b4a1cc3c06aeffee185927967b8705ee9cd14634bdfbb0d6481fb1e105a3f9e42cd27dd39ce6988f40661dafe9d7e11

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    491a5b074112b76b24a7be6ce1b12d5b

    SHA1

    7ddd597862e5f3f114dd5608ef8b6819e656ba12

    SHA256

    33f026c1289258fd5f261855c973287508b1155a0e4c946c1328755c1c8b03d7

    SHA512

    dfd86bf41721d7923c2f372e387de06fd23e840e1ef4b843a4bae45878c7e3ee91512efeb244e58717562c90cf66408ef73dd2ed81461e1accfef169d0e81620

  • C:\ProgramData\SxS\bug.log
    Filesize

    1KB

    MD5

    9b57860c8a5f7c3a1ca4a2d3f82dbb23

    SHA1

    f683ca7ed9e0a1704bdbca766beebe59056ff553

    SHA256

    8a95128658be3700c1734d51c122687b9b154b1505c206e646a019ec00c26cde

    SHA512

    798913d78901953e4ce1ca7a7a7c22214c2486d7126e754fb08c61ade75fb50d2465826e86b25cf5c60c7e3313e860ada68f9ff2fe7269f0d7ed1ec049ab69b6

  • C:\dl_peer_id.db
    Filesize

    120KB

    MD5

    af0d334876449c795e7eb23b8c546977

    SHA1

    abd97e9ddfa857f5dfbb51c382b207533f9390cb

    SHA256

    d9a7cbc41249a23bf5ef05a0188db79af241d21645dedde082726553185130eb

    SHA512

    ea3f57adee88f4989604321bca93f43c13f9c32bd618815f4ded6aa09d79df941d0764d0cfd1953b7c968de9096a5c14adf4e3838faaa455d71bfb6ba270b0eb

  • C:\dl_peer_id.dll
    Filesize

    40KB

    MD5

    b3c4f33da415eb7648d71a89312df114

    SHA1

    8cac341abda25120b89da085dadee72f17b7b356

    SHA256

    b388009ca8311e82e37b4009054ac21350157299d1240a8070b66a177ffdd3f9

    SHA512

    03ea98d2ad918593277c5cede06061ef2446f10e74b3c6bcf512094bff9ead911802fb5d24efba4d95b4579ef5c12dcbe3338b556c0c35d249b2703f82367183

  • C:\xlmin.exe
    Filesize

    173KB

    MD5

    e76ee3dd4b09116ccb947a2c063cfe0e

    SHA1

    6369bb55c284bd373c4be35cdcde36026d8a8a7d

    SHA256

    e8cbf2de0dcd938d74ae3d8f4c17142b5debca17808f7801d55ecc95feadfb3c

    SHA512

    171868e5b33885459504bb9c0c82dbf2b54c2ec656050ab1686328dfa69e2a62b15d1d7278f2682902356fd88a6c13001f7cadbd6f9b7afbc37b2613bf8ce2da

  • memory/1660-151-0x0000000001FE0000-0x0000000002010000-memory.dmp
    Filesize

    192KB

  • memory/1660-149-0x0000000000000000-mapping.dmp
  • memory/1660-153-0x0000000001FE0000-0x0000000002010000-memory.dmp
    Filesize

    192KB

  • memory/3352-145-0x00000000012F0000-0x0000000001320000-memory.dmp
    Filesize

    192KB

  • memory/3456-132-0x0000000000000000-mapping.dmp
  • memory/3456-138-0x0000000002BB0000-0x0000000002BE0000-memory.dmp
    Filesize

    192KB

  • memory/3988-148-0x0000000001300000-0x0000000001330000-memory.dmp
    Filesize

    192KB

  • memory/3988-152-0x0000000001300000-0x0000000001330000-memory.dmp
    Filesize

    192KB

  • memory/3988-144-0x0000000000000000-mapping.dmp